Posting the word "get" in forms results in 403 error on Passenger website
I have a Django (python) website that's working fine using Passenger. All good!
Except for one very strange thing - if I have a form with a textarea and I submit text like this:
    test
    get test
then I get a 403 Forbidden error. To generate the error:
- The form can use GET or POST method
- The word "get" must start a new line, but not the first one
- The word "get" must be followed by a space (and optionally more text)
- The word "get" can be replaced by any other HTTP method name, in any case ("POST", "Put", etc)
- The form can just be a GET form to its own URL, on a static page, so it's not being processed by Django
- In fact I don't even need the form itself - I can append this query string to any URL to generate the error:
?test=foo%0D%0Aget+foo
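Added example (not from the thread, and not ModSecurity's own rule): a small Python checker that encodes the trigger conditions enumerated in the post, so a site owner can test which form values or query strings will be rejected before asking the host to loosen the rule. The method list is an assumption; the real rule's pattern is not on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Method names to look for. Assumption: the thread names GET, POST and PUT
# and says "any other HTTP method name"; this list is ours, not the WAF's.
HTTP_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                "OPTIONS", "TRACE", "PATCH")

# The conditions from the post: a line break (so never line 1), then a
# method name at the very start of the line, then at least one space.
_TRIGGER = re.compile(
    r"(?:\r\n|\r|\n)(?P<method>" + "|".join(HTTP_METHODS) + r") ",
    re.IGNORECASE,
)


def find_trigger(value):
    """Return (line_number, method_as_written) for the first line of
    `value` that matches the pattern from the thread, or None."""
    m = _TRIGGER.search(value)
    if m is None:
        return None
    # Count lines up to the match; any of \r\n, \r or \n ends a line.
    line_no = len(re.split(r"\r\n|\r|\n", value[:m.start("method")]))
    return line_no, m.group("method")


def check_query(url):
    """Decode every query parameter of `url` the way the server will
    (%0D%0A -> CRLF, '+' -> space) and report the parameters that match.
    Returns {param_name: (line_number, method)}."""
    hits = {}
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            hit = find_trigger(value)
            if hit:
                hits[name] = hit
                break
    return hits


if __name__ == "__main__":
    # Constructed samples: the textarea text and the query string from the post.
    print(find_trigger("test\r\nget test"))            # (2, 'get')
    print(find_trigger("get test"))                    # None: first line never counts
    print(check_query("/?test=foo%0D%0Aget+foo"))      # {'test': (2, 'get')}
    print(check_query("/?test=Please+get+a+receipt"))  # {}
```

If the checker confirms a legitimate value is being caught, scope the exception to the affected domain or location rather than disabling ModSecurity outright, as the replies below suggest.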
Hey there! Do you have ModSecurity enabled on the machine? If so, do you see anything in the Apache logs when this error happens?
Hi! Yes, ModSecurity appears to be enabled for this domain. Here's a line from the logs from when I added that query string: 92.41.4.241 - - [03/Feb/2023:06:47:57 -0500] "GET /?test=foo%0D%0Aget+foo HTTP/2.0" 403 543 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15"
If you disable ModSecurity, are you able to post normally?
Yes, turning off ModSecurity means it works! So, why is that? Is there a way to enable ModSecurity without it doing... whatever it is it's doing here?
You can find the rule id in the ModSecurity log (/etc/apache2/logs/modsec_audit.log), and then add an exception to disable that rule for the domain in question. I use ConfigServer ModSecurity Control for that.
My server doesn't have a /etc/apache2/logs/modsec_audit.log. /etc/apache2/logs leads to /usr/local/apache/domlogs but I don't have permission to see what's in there.
You need root access to be able to see that file.
@Fabius - if you don't have root access, you can ask your host if they can check the log and adjust that rule for you.
Thanks both. I got in touch with the hosting service and they were able to look in the logs and disable the offending rule. It now all works! The only downside is they didn't tell us what the rule was, so we'll never know.
I'm glad they were able to help with that!