BIG Problem - suddenly receiving HTTP 403 forbidden

by Sharon Goodson
Number of replies: 11

After registering our Moodle site via the register button in Notifications (after doing so the button did not disappear as stated), we started getting 403 forbidden errors when trying to update resources, some activities (web pages) and various settings. We registered the site again, the button is still there.

I can't imagine why registering would cause this, but this was the only change that occurred during this time, and the problem appeared for the first time immediately after registering. There were no other changes in permissions, server configurations, etc. for some time prior to this.

Oddly enough, in modules where we were trying to add text (labels and web page activity) occasionally we could successfully update text (every dozen or so tries), but ONLY if it involved a minimum number of characters (two or three words). The number of characters may just be incidental, as 99% of the time it still wasn't successful, but I thought it worth noting, especially since it WAS random, though rare success.

Another thing I noticed (and again this may be meaningless) in trying to troubleshoot this (think monkey and football) was that modules I could not update pointed to: course/modedit.php?update=235&return=0 (or something similar), whereas modules I could update pointed to another URL: question/question.php?returnurl=http%3A%2F%2Fwww.moodlesite.net%2folder%2Fmoodle%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D225&cmid=225&id=21 (or something similar). I don't know if this is always the case as I haven't tried to do updates in every module.

Moodle 1.9.2 - We are on a hosted server running: Debian, MySQL 5.0.45, PHP 5.2.2.

Assume I'm an idiot and I know barely enough to be dangerous.

Any immediate help would be most appreciated. Our host server has not been of much assistance thus far. 

In reply to Sharon Goodson

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Sharon Goodson

OK - this is getting stranger by the minute: I have been successful in making edits in some modules, but only if I edit/add a couple of words at a time. HOWEVER: anything that includes the word ‘set’ ends up returning a HTTP 403 error. I verified this numerous times, and when I tried to update an existing resource (a web page) that already included the word ‘set’ (before this problem began Saturday) I was unsuccessful at each attempt. Once I removed the word ‘set,’ then it was immediately successful, when I added it back, it failed.

Now, to make things even more weird, another page that won’t allow me updates (define system roles) doesn't allow for any text input, (only selections via radio buttons) HOWEVER – “Not Set” is one of the selections…

Surely my problem can't be the set of the word 'set' anywhere on the page, but testing it time and time again indicates it is! On a label I was creating that contained the word 'set' (the label that actually alerted me to the problem), once I changed 'set' to 'configure' it worked!

Please Help! I'm going brain dead!

In reply to Sharon Goodson

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Gordon Bateson

Maybe your server software is Apache and your hosting company has recently enabled Apache's mod_security module?

Apache's mod_security module will scan the traffic in and out of the server and signal an error if it detects what it thinks is a "suspicious" string of characters.

Just an idea, but it may be worth asking your hosting company if Apache's mod_security is enabled, and if so, could they please make it less vigilant on the Moodle folders.

Gordon
In reply to Gordon Bateson

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Sharon Goodson

Thanks! I sent them a note on that. Yesterday after hours on the phone I got the feeling I was on my own. When I asked if this is what they were saying, they responded "well, basically, yeah." Great support. They kept the ticket open, though and asked for access to moodle. But I'm not holding my breath...

For anyone else that might be reading this, I'd like to clarify some of the details. (All folder permissions are set to 755, btw.)

As I said, a key element seems to be the characters ‘set.’ Affected items thus far include label resources, web or text page resources and some core pages that include radio button fields with 'set'.

For items where text input is required, including text without the characters 'set' seems to work. Including 'set' characters returns a 403 error.

Interestingly, I created an item about 10 days ago (a resource web page) that included several instances of 'set.' No problem at that time. Yesterday, however, when I tried to edit that same resource (simply trying to strike through a different text), I continued to receive the 403 error until I removed the originally included text phrases ‘set.’

It may be worth noting that when I click on the edit icon, I view the page:  http://www.moodlesite/moodle/course/modedit.php?update=xxx&return=0 , but then after trying to save/update, the 403 error indicates that we can not view page: http://www.moodlesite/moodle/course/modedit.php

This occurs also from another page that does not allow for text input: Site Admin Block>users> permissions>define roles. This displays page: http://www.moodlesite/moodle/admin/roles/manage.php prior to selecting edit. After selecting edit it displays page: http://www.moodlesite/moodle/admin/roles/manage.php?action=edit&roleid=1

Here we don't even have to make a change, we just select “Save Changes,” and the 403 error appears, stating we don’t have permission to view http://www.moodlesite/moodle/admin/roles/manage.php (which we were viewing before selecting the edit icon).  

What’s interesting here is that while we don’t input the text “set,” the page is required to process “Not Set” fields.

One more note: This does not occur in all modules (for example 'edit course settings' or quizzes), only select ones.

Earlier in the week I installed Activity Locking, ASCIImathml.js and Dragmath. For Activity Locking, I made modifications as per the instructions here: http://moodle.org/mod/forum/discuss.php?d=92731#p454295 . I had to tweak ASCIImathml a bit to get it to work with quizzes (I placed the script and d.svg in the quiz folder). With Dragmath, I made modifications as per the instructions here: http://docs.moodle.org/en/DragMath_equation_editor

I read somewhere that the core moodle tex filter didn't work right with Debian servers (which is our host), so I turned all the math filters off, thinking maybe they were trying to convert something (heck! I don't know!), but the 403 errors still continue...

In reply to Sharon Goodson

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Sharon Goodson
In reply to Sharon Goodson

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Sharon Goodson

THANK YOU Gordon Bateson for that suggestion! I sent this to our host, and lo and behold!

We solved the problem (thus far) by adding a .htaccess file with "SecFilterEngine Off SecFilterScanPOST Off" in the affected folders.

Now, life can get back to abnormal...Thanks again!

In reply to Sharon Goodson

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Gordon Bateson

You're welcome. Thanks for reporting the solution - and thanks for making my day :)

In reply to Sharon Goodson

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Ron Meske

I would like to echo thanks to Gordon and to you Sharon for posting your solution.

We just encountered this same issue today when setting up the standard Wiki. We would receive the Forbidden access message. Adding the .htaccess file with the settings to turn off the security filter ("SecFilterEngine Off SecFilterScanPOST Off") to the courses folder solved our problem as well. Has anybody determined which folders need the .htaccess file?

Also, has anyone determined if this could be fixed in Moodle coding versus needing the .htaccess file?

Thanks,
Ron
In reply to Ron Meske

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Sharon Goodson

Hi Ron! So glad to hear you found the solution!! Isn't it wonderful when the pieces finally fall in? Our website owner thinks I'm a genius when it plays out like this, I always remind her it's thanks to the moodle community (ok - most of the time I do *lol*)

This issue has given me the most basic understanding (I mean basic) of htaccess and strings and such, so let that serve as my disclaimer *lol*

I put that particular .htaccess (with that specific string) only in the subfolders that have kicked back the 403 errors. If I run into more errors in other folders that I think are caused by this same issue, I'll copy .htaccess and place it there. I'm sure I'll run across more, since in my case the characters 'set' triggered alarms, but I'll address those as they occur.

.htaccess is an Apache deal, so I don't think moodle coding could or would have an effect or address the same functions or issues. .htaccess can be used for a lot of different things, including a workaround when you don't have access to your php.ini file. This site gives a pretty good explanation of all this: http://www.javascriptkit.com/howto/htaccess.shtml It does warn about the use of .htaccess without approval or a thorough understanding, as these files can compromise specifically set server configurations.

In reply to Sharon Goodson

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Nicolás Kovac Neumann

Hi all!

I recently downloaded and installed moodle; everything went ok, but I still got trouble with those 403 errors. Also created a .htaccess file in the 'questions' subfolder, but still getting the same :S

Does anyone know any other issue why I still get that? Maybe it has nothing to do with it, but when I defined the .htaccess file I did it that way:

php_flag mod_security off
php_flag SecFilterEngine Off
php_flag SecFilterScanPOST Off

Is anything wrong here? Any new security Apache add-ons?

Thank you all! :D
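
Added example, not part of any post in this thread: the two `.htaccess` variants quoted above side by side, showing why the `php_flag` form has no effect and what the working form looks like when the exception is limited to the script that returned the 403. It assumes mod_security 1.x (the version that uses the `SecFilter*` directive names) and a host that allows these directives in `.htaccess`, as Sharon's did; the folder and file name are taken from the `course/modedit.php` URL earlier in the thread.

```apache
# moodle/course/.htaccess  (added example; path assumed from the thread's URLs)

# Has no effect on the filter: php_flag only sets PHP's own boolean ini
# settings. "mod_security", "SecFilterEngine" and "SecFilterScanPOST" are not
# PHP settings, so these lines never reach mod_security. Where PHP is not
# loaded as an Apache module, php_flag is an unknown command and the request
# fails with a 500 error instead.
#   php_flag mod_security off
#   php_flag SecFilterEngine Off
#   php_flag SecFilterScanPOST Off

# Working form: plain Apache directives, one per line, no php_flag prefix.
# <IfModule> keeps the file harmless if the module is not loaded.
<IfModule mod_security.c>
    # Scope the exception to the one script that was blocked, so every
    # other request served from this folder is still filtered.
    <Files "modedit.php">
        SecFilterEngine Off
        SecFilterScanPOST Off
    </Files>
</IfModule>
```

If the 403 persists with this file in place, the host is not honouring these directives from `.htaccess`, and the exception has to be made on the server side.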
In reply to Nicolás Kovac Neumann

Re: BIG Problem - suddenly receiving HTTP 403 forbidden

by Scott Stolz

You may have to contact your web host and request that the mod sec rule prohibiting that function from running is whitelisted for you.

For security reasons, some web hosts block certain actions by default. You typically can ask them to make an exception to the mod sec rule for your account.

They will need the exact URL where you are getting the error, and mention that you probably need a mod sec rule whitelisted.  If necessary, refer them to this forum topic so they know what you are talking about.  But typically, if you mention "403 Forbidden" and "mod sec rule" and "whitelist," they will know what you need.