Topic Summary - Displaying 15 post(s). Click here to show all
Posted by: Monni Posted on: Sep 5th, 2014 at 7:48pm
I'm pretty sure it was a false positive... I've known most of the users on the forum for several years and that IP didn't belong to a new user.
Posted by: Dandello Posted on: Sep 5th, 2014 at 7:25pm
It may be annoying but you know that mod_security bashed a spammer for you. Unless, of course, the member was trying to let people know about spam they'd gotten... :
Posted by: Monni Posted on: Sep 5th, 2014 at 6:57pm
Finally managed to get errorlog output... Definitely bad interaction with ModSecurity.
Quote:
[Fri Sep 05 20:49:56 2014] [error] [client 188.238.53.26] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (poker flat|casino royale)" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "193"] [id "300032"] [rev "10"] [msg "Atomicorp.com WAF AntiSpam Rules: Gambling or Poker Content (Disable this rule if you wish to allow that content)"] [data "poker"] [severity "CRITICAL"] [hostname "www.radiohistoria.fi"] [uri "/cgi-bin/yabb2/YaBB.pl"] [unique_id "VAn3w9BOKbgAAD@Ge@UAAAAQ"]
Posted by: Dandello Posted on: Sep 2nd, 2014 at 11:04pm
Definitely a glitch in the space-time continuum, then.
Posted by: Monni Posted on: Sep 2nd, 2014 at 11:01pm
The real weirdness is that it appears to be reporting a 404 in the access log, but the same error isn't in the server error logs.
I think something in Apache configuration is suppressing error log output. I can't check the Apache configs, because it's on a shared host where I don't have root access.
Posted by: Dandello Posted on: Sep 2nd, 2014 at 10:50pm
The real weirdness is that it appears to be reporting a 404 in the access log, but the same error isn't in the server error logs.
Posted by: Monni Posted on: Sep 2nd, 2014 at 10:42pm
I only enabled debugging, because it was not adding anything useful to error logs. Something tells me it's bad interaction with Apache's mod_security or one in a million case of space-time anomality.
Posted by: Dandello Posted on: Sep 2nd, 2014 at 10:36pm
Um - I just ran a test on my test bed - What I saw was debugging set to 'everybody sees' so guests ARE not allowed to post. (But they really shouldn't be allowed to see the debugging info, either.) I normally don't have debugging set so everybody sees it so I forgot about that little weirdness.
So we can forget the 403 on guests.
Now off to check what members see under the same settings.
Posted by: Monni Posted on: Sep 2nd, 2014 at 10:27pm
I saw the reference to Security.pm when trying to access StartNewTopic as a guest when I should have gotten a single 'you are not allowed' line. So I'm guessing that something above line 129 is failing over something very weird. If it didn't make it into the YaBB error log, maybe it made it into the Apache error log.
Apache error log was empty...
Posted by: Dandello Posted on: Sep 2nd, 2014 at 10:20pm
I saw the reference to Security.pm when trying to access StartNewTopic as a guest when I should have gotten a single 'you are not allowed' line. So I'm guessing that something above line 129 is failing over something very weird. If it didn't make it into the YaBB error log, maybe it made it into the Apache error log.
Posted by: Monni Posted on: Sep 2nd, 2014 at 10:02pm
What really puzzles me is that it is returning a HTTP error 403 to the user, but the logs say error code is 404...
As far as I understand the YaBB returned error codes, 403 means the user isn't logged in (because guests can't post threads), but 404 means I/O error (cannot_open).
Edited:
Line 129 of Security.pm is
Code
if ( $access ne 'granted' ) { fatal_error('no_access'); }
Posted by: Dandello Posted on: Sep 2nd, 2014 at 9:49pm
This isn't reproduceable on a newly installed forum - however, following the full link to the site (where I should get a 'not allowed' error, I see an error call to Sources/Security.pm line 129 referring (I think) to not finding a subroutine. It also mentions '(eval)'. The only time eval gets called in Security.pm is in regards to Variables::Movedthreads
Line 129 relates to the sub AccessCheck
Going to do more sleuthing.
Edited:
On a newly installed empty forum with default settings, Guests get the 'You are not allowed to access this section.' warning when trying to get to StartNewTopic.
So, on the forum with this odd error - what are the guest posting settings?
Posted by: Monni Posted on: Sep 2nd, 2014 at 8:06pm