Random 'Method Not Implemented' Errors

NerdUno

Any idea what would cause errors in certain new and old threads like this? In the affected postings, no one can edit or reply to a post that's affected by the error. Here's a link to one new thread with the problem: http://pbxinaflash.com/community/index.php?threads/aastra-6757i-primary-tftp-server.12776/

20120403-pffehckqeamcjrbju4wfernerm.jpg


And here's a link to an old thread from vBulletin 3 with the same problem:

20120403-8xky41sjbbgnu8hdbyjhwdqfix.jpg
 
And a followup from another problematic thread:

The element in question is in the header.

It is specifically the 'X-Ajax-Referer' that is causing the error.

'X-Ajax-Referer: http://pbxinaflash.com/community/index.php?threads/nmap-scanner-by-phone.12267/'

For proof of concept (that I got it to work), please look at this thread for my replies: http://pbxinaflash.com/community/index.php?threads/nmap-scanner-by-phone.12267/

I will also attempt to add replies to the TFTP server thread and reply back here when I have done so.
 
Turns out this X-Ajax-Referer bug is pretty serious. It breaks all searches on words contained in any of the broken threads as well as killing Alerts, Log Outs, Replies, and Edits from the affected threads. For example, it broke searches for tftp on our forum. As a test, we removed the two X-Ajax-Referer links in XenForo, and you then could post replies in the broken threads. But everything else remained broken. So... I've opened a ticket. Thanks to everyone for the terrific feedback that put us on the right track to getting this identified and hopefully solved.

 
As you might suspect, the provider is reluctant to turn off mod_security protection merely to fix a bug in a XenForo query syntax. What would be helpful obviously is to identify the actual query that is generating the problems.
Thankfully there are other providers, such as leaseweb.com, linode.com, and many others.
 
Here's the problem. Our blog on Internet Telephony discusses security a lot, but we don't want to drop our pants by removing mod_security protection just to talk about... security. Here's one idea from one of our readers:

Here are the modsecurity rules concerning nmap and tftp:

####################################
# GENERAL WEB AND SPAM ATTACKS
####################################
SecFilter "tftp\x20"
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilter "g\+\+\x20"
SecFilter "gcc\x20-o"
SecFilter "nmap\x20"

It looks like it should fail on wget or uname also.

Can XenForo replace the key words with something like this: t-f-t-p so that it doesn't trigger this again? I know that some forums automatically replace swear words with other phrases.

I wouldn't want to compromise the security. If XenForo can replace the words with hyphenated versions like t-ftp then that would work and keep the security.
 
I'm sure it's possible to change that in XF but that's a bad solution. The better solution is to remove the offending rule on the server.

Huh. Turning off mod_security is a good solution? Only if you don't care about the security of your server. I think we've addressed most of the problems now. What we did was use the "dirty word" Censoring filter to convert tftp, wget, etc. to UPPERCASE which resolves the problem for new posts. Unfortunately, this filter only gets applied after a thread has passed through Apache. So we used UPDATE xf_post SET message = REPLACE(message,'tftp','TFTP'); to fix existing posts. Can someone tell me where the post titles are stored? We also need to fix some of those. Thanks for all the help and suggestions.
 
Bottom line is you can't "reconfigure" mod_security to eliminate false positives without disabling it. Here's the resolution that works for anyone that has the problem down the road.

I think we got everything resolved without touching mod_security. Just so you'll know, a lot of the newer forum software includes the TITLE of the thread post in the URL for the thread. These URLs are what were triggering the mod_security issues when someone put TFTP or WGET in the title of their post. It doesn't matter if the words appear in the body of a posting. We went back with MySQL and renamed TFTP to T-F-T-P in the titles of the posts, and everything is fine:

UPDATE xf_thread SET title = REPLACE(title,'TFTP','T-F-T-P') WHERE `title` LIKE '%tftp%';
UPDATE xf_thread SET title = REPLACE(title,'tftp','T-F-T-P') WHERE `title` LIKE '%tftp%';
 
Bottom line is you can't "reconfigure" mod_security to eliminate false positives without disabling it. Here's the resolution that works for anyone that has the problem down the road.

Did anyone figure out how to get mod_security tweaked?

If you are unsure, rather than totally disabling mod_security, put mod_security into detection-only mode (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleEngine), then run for a while and look at the logs to review what rule sets you need to modify.
Is it possible for Xenforo.com to do this? And compile a method of whitelisting false triggers.
@Mike @Floren @Slavik

Mod_security problems http://xenforo.com/community/search/4238386/?page=4&q=mod_security&o=relevance
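
One way to act on the detection-only advice above, as an added example that is not from the thread or from the ModSecurity project: a Python parser that tallies which rule id and request variable fire in a ModSecurity 2.x serial audit log. The log text, the POST requests, rule ids 900001/900002 and the IP addresses are constructed for illustration; only the two thread URLs come from this page.

```python
import re

# Constructed sample (ModSecurity 2.x serial audit-log layout); rule ids and IPs are invented.
SAMPLE_LOG = """\
--0a1b2c3d-A--
[03/Apr/2012:10:15:02 +0000] TXN0001 203.0.113.7 51000 198.51.100.10 80
--0a1b2c3d-B--
POST /community/index.php?threads/nmap-scanner-by-phone.12267/ HTTP/1.1
X-Ajax-Referer: http://pbxinaflash.com/community/index.php?threads/nmap-scanner-by-phone.12267/
--0a1b2c3d-H--
Message: Warning. Pattern match "(?:tftp|nmap)" at REQUEST_HEADERS:X-Ajax-Referer. [id "900001"]
--0a1b2c3d-Z--
--4e5f6a7b-A--
[03/Apr/2012:10:16:40 +0000] TXN0002 203.0.113.9 51022 198.51.100.10 80
--4e5f6a7b-B--
POST /community/index.php?threads/aastra-6757i-primary-tftp-server.12776/ HTTP/1.1
X-Ajax-Referer: http://pbxinaflash.com/community/index.php?threads/aastra-6757i-primary-tftp-server.12776/
--4e5f6a7b-H--
Message: Warning. Pattern match "(?:tftp|nmap)" at REQUEST_HEADERS:X-Ajax-Referer. [id "900001"]
Message: Warning. Pattern match "tftp" at REQUEST_URI. [id "900002"]
--4e5f6a7b-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-f]+-([A-Z])--$")
MESSAGE = re.compile(r'^Message: .*? at ([A-Z_]+(?::[^\s.]+)?)\..*?\[id "(\d+)"\]')

def parse_audit_log(text):
    """Return one dict per transaction: request line and (rule id, variable) hits."""
    txns, cur, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(1)              # A = header, B = request, H = trailer
            if part == "A":                # section A opens a new transaction
                txns.append(cur := {"request": None, "hits": []})
        elif cur and part == "B" and cur["request"] is None and line:
            cur["request"] = line          # first line of section B is the request line
        elif cur and part == "H" and (hit := MESSAGE.match(line)):
            cur["hits"].append((hit.group(2), hit.group(1)))
    return txns

def false_positive_candidates(text):
    """Rank (rule id, variable) pairs by hit count, with the requests that hit them."""
    seen = {}
    for txn in parse_audit_log(text):
        for key in txn["hits"]:
            seen.setdefault(key, []).append(txn["request"] or "?")
    ranked = sorted(seen.items(), key=lambda kv: -len(kv[1]))
    return [(rid, var, len(reqs), sorted(set(reqs))) for (rid, var), reqs in ranked]
```

A pair that only ever fires on forum thread URLs or on the X-Ajax-Referer header is a candidate for a narrow exclusion (in ModSecurity 2.x, `SecRuleUpdateTargetById` or a location-scoped `SecRuleRemoveById`) instead of switching the engine off.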
 