403 mod_security errors in Vanilla.
I seem to have a similar problem: I get a 403 error whenever I try to change something on /settings.php?PostBackAction=RegistrationChange or when I log out (/people.php?PostBackAction=SignOutNow&FormPostBackKey=****).
This is what I'm seeing in my logs:
[Tue Oct 21 13:46:31 2008] [error] [client 83.4.59.**] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/|<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>|activexobject|(?:\\.add|\\@)import|asfunction\\:|background-image\\:|e(?:cma|exec)script|\\.fromcharcode|get( ..." at REQUEST_HEADERS:Referer. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "804"] [id "340158"] [rev "5"] [msg "XSS in referrer"] [severity "CRITICAL"] [hostname "*******.eu"] [uri "/settings.php"] [unique_id "*******"]
[Tue Oct 21 13:47:51 2008] [error] [client 83.4.59.**] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/|<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>|activexobject|(?:\\.add|\\@)import|asfunction\\:|background-image\\:|e(?:cma|exec)script|\\.fromcharcode|get( ..." at REQUEST_HEADERS:Referer. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "804"] [id "340158"] [rev "5"] [msg "XSS in referrer"] [severity "CRITICAL"] [hostname "******.eu"] [uri "/people.php"] [unique_id "********"]
I don't know whether it's a problem with a misconfigured Vanilla install, or whether I should blame my hosting provider.
I see that someone had this problem before ( http://lussumo.com/community/discussion/7061/returnuri-and-modsecurity/ ), but that thread is old, and I can't find menu.php in 1.1.5a (and even if I could find it, I guess it would already be patched to work).
Comments
Try adding this to the .htaccess file in the top level Vanilla folder:
<FilesMatch "^(settings|people)\.php$"> SecFilterEngine Off </Files>
Menu.php is in the /themes/ folder, but the issue described in that discussion has been fixed in 1.1.5.
You gotta close the <FilesMatch> tag with </FilesMatch> not </Files>.
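As an added example (not code from this thread, from Vanilla, or from the ModSecurity project), the Python script below does the triage a practitioner would do before writing the .htaccess exception above: it parses ModSecurity 2.x error-log lines of the kind quoted in the original post, groups the denials by rule id, target and URI, and drafts a narrower exclusion than switching the engine off for those scripts, namely a `<LocationMatch>` block that removes only rule 340158 for the two Vanilla pages. It assumes ModSecurity 2.x (the `/etc/modsecurity2/` path in the log points that way; `SecFilterEngine` in the reply above is the 1.x spelling, and 2.x calls it `SecRuleEngine`), and the emitted stanza is meant for the vhost or httpd.conf, because 2.x generally does not honour its directives in .htaccess unless the module was built with that option. The two log lines embedded in the script are constructed copies of the entries in the original post, with the same masked IP, hostname and unique_id values.

```python
"""Triage ModSecurity 2.x error-log denials and draft a narrow rule exclusion.

Added example for this thread, not code from Vanilla or ModSecurity.
"""
import re
from collections import defaultdict

# Constructed sample input: copies of the two denials quoted in the original
# post (the long matched pattern is truncated to "..." as in the log itself).
SAMPLE_LOG = r"""
[Tue Oct 21 13:46:31 2008] [error] [client 83.4.59.**] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/|get( ..." at REQUEST_HEADERS:Referer. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "804"] [id "340158"] [rev "5"] [msg "XSS in referrer"] [severity "CRITICAL"] [hostname "*******.eu"] [uri "/settings.php"] [unique_id "*******"]
[Tue Oct 21 13:47:51 2008] [error] [client 83.4.59.**] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/|get( ..." at REQUEST_HEADERS:Referer. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "804"] [id "340158"] [rev "5"] [msg "XSS in referrer"] [severity "CRITICAL"] [hostname "******.eu"] [uri "/people.php"] [unique_id "********"]
"""

# Layout of a 2.x "Access denied" line: timestamp, client, status/phase,
# free-text reason, the matched target (e.g. REQUEST_HEADERS:Referer), then a
# run of [key "value"] attributes (file, line, id, msg, severity, uri, ...).
ENTRY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)\. '
    r'(?P<reason>.*?) at (?P<target>[A-Z_]+(?::[A-Za-z0-9_-]+)?)\. '
    r'(?P<attrs>(?:\[[a-z_]+ "[^"]*"\] ?)+)$'
)
ATTR_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')


def parse_entry(line):
    """Return a dict of fields for one denial line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {k: m.group(k) for k in ("ts", "client", "status", "phase", "reason", "target")}
    entry.update(dict(ATTR_RE.findall(m.group("attrs"))))
    return entry


def parse_log(text):
    """Parse every denial line in a block of error-log text."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Group denials by rule id: how often, on which URIs, against which targets."""
    by_rule = defaultdict(lambda: {"msg": None, "count": 0, "uris": set(), "targets": set()})
    for e in entries:
        rule = by_rule[e["id"]]
        rule["msg"] = e.get("msg")
        rule["count"] += 1
        rule["uris"].add(e["uri"])
        rule["targets"].add(e["target"])
    return dict(by_rule)


def exclusion_stanza(rule_id, uris):
    """Draft a ModSecurity 2.x stanza removing one rule id only for the given paths.

    Meant for the vhost/httpd.conf; it leaves every other rule active for
    these scripts and the rule itself active everywhere else.
    """
    alts = "|".join(re.escape(u.lstrip("/")) for u in sorted(uris))
    return (
        '<LocationMatch "^/(%s)$">\n'
        '    SecRuleRemoveById %s\n'
        '</LocationMatch>' % (alts, rule_id)
    )


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for rule_id, info in summary.items():
        print("rule %s (%s): %d hits, targets %s, uris %s"
              % (rule_id, info["msg"], info["count"],
                 sorted(info["targets"]), sorted(info["uris"])))
        print(exclusion_stanza(rule_id, info["uris"]))
```

Running the script prints one summary line per rule id plus the drafted stanza; for the thread's two entries that is a single rule (340158, "XSS in referrer") firing on `REQUEST_HEADERS:Referer` for `/settings.php` and `/people.php`. Before installing the exclusion, confirm from the audit log which Referer value tripped the rule, so that the exception covers the legitimate Vanilla redirect and nothing broader.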