XF 2.0 Getting Forbidden Error After Forum Thread Title Update

[Car_Freak]

Hello,

We have a thread in one of the Forum Sections with the following link:

How To Use Report Post Feature

The Forum Moderators will attempt their best to maintain the decorum of this community. However, it’s humanly not possible for us to review each and every message. That’s why we strongly encourage and request members to bring to our attention any content which is against the Forum Protocol. Such...

www.theautomotiveindia.com

I renamed it sometime back from “How To Report Objectionable Content” To “How To Use Report Post Function”.

Name in the link naturally changed but software identifies threads with Thread ID which remains the same:

https://www.theautomotiveindia.com/forums/threads/how-to-use-report-post-function.35111/

However, now both links are throwing 403 Forbidden Error. It has never happened with me in the past.

I'm even unable to rename the thread back to original as the software tells me it's unable to do so.

I contacted our server support but they say it's software-side issue. I'd appreciate if anyone can help resolve this issue.

PS: I don't know yet if this problem is limited to this particular thread or happening with any other thread as well.

Thanks

 

[Paul B]

I contacted our server support but they say it's software-side issue.

This is incorrect - a forbidden error is a webserver error, happening outside XF.

 

[Car_Freak]

This is incorrect - a forbidden error is a webserver error, happening outside XF.

Hi @Brogan.

I shared this with server team and following is their response after investigation:

I found that the 403 error returned when visiting the URL does appear to be blocked due to either the web server or the application. I also found that a 403 error is returned by simply visiting /forums/threads/function./ , so that indicates the string "function." is being blocked for security reasons.

I checked the Apache error log for any ModSecurity violations, but none are occurring at that location. There are no log entries related to the URL in fact, so that does indicate the application may be returning the 403 response and Apache is simply sending it along. I found there is code in the Xenforo library directory related to 403 error responses, so it does appear the application is capable of sending the error.

If that is the case and you are not able to determine where in the application the 403 error is being triggered, we can most likely take a backup of the database and attempt to edit the post title manually. That is of course assuming the threads can be easily modified by hand. Let us know if you receive any more information from Xenforo or need any further assistance. Thank you.

Now, the problem is that whenever I try to edit title of that particular thread, XF throws an error (attached in the first post).

The thread in question was a How-To Guide. My concern is that if it happens in future with a high-quality thread, it’ll be immense trouble for us.

All I did was to rename the thread. I’m still unsure through if it’s happening elsewhere too.

BTW I’m utilizing XenForo Route Filters (but only for forum sections, which don't exist in Thread URLs), if that makes any difference.

Any guidance from XF team will be of great help.

Thanks

 

[Car_Freak]

So, our server team managed to diagnose the cause. It’s happening when the term “Function” is mentioned at the end of thread title.

The title of thread in question was changed from back-end and it loaded fine.

It seems to be a bug in XenForo. Are there more such terms that could cause the same problem?

I’m looking forward to an explanation from XenForo team on how to get around this issue.

 

[Paul B]

It's not a bug in XF.

https://xenforo.com/community/threads/how-to-use-report-post-function.210034/

My advice would be to find a new host if they don't understand how to resolve a 403 web server error.

 

[TPerry]

It seems to be a bug in XenForo. Are there more such terms that could cause the same problem?

Definitely NOT a bug in XenForo, but most like a "bug" in your hosting providers modsecurity rules.
If your host is too lacking in knowledge to realize that and know how to rectify it, then it's time to be looking for a more professional hosting provider.

It's no different than folks complaining that certain "posts" don't work/display right for them... only to come to find out they have an ad-blocker in use and there is a word/phrase in that topic title that the ad-blocker detects as an "ad" and blocks it. Not an XF issue in either case.

 

[Car_Freak]

It's not a bug in XF.

https://xenforo.com/community/threads/how-to-use-report-post-function.210034/

My advice would be to find a new host if they don't understand how to resolve a 403 web server error.

Definitely NOT a bug in XenForo, but most like a "bug" in your hosting providers modsecurity rules.
If your host is too lacking in knowledge to realize that and know how to rectify it, then it's time to be looking for a more professional hosting provider.

It's no different than folks complaining that certain "posts" don't work/display right for them... only to come to find out they have an ad-blocker in use and there is a word/phrase in that topic title that the ad-blocker detects as an "ad" and blocks it. Not an XF issue in either case.

Hi. I think it’s important to note that I’m running XF 2.0. Still not necessarily the software’s fault though.

My host did advice that it could be due to an add-on as well. They also tested with ModSecurity disabled and the problem still persisted with no entries in Apache log.

 

[TPerry]

My host did advice that it could be due to an add-on as well. They also tested with ModSecurity disabled and the problem still persisted with no entries in Apache log.

When I see someone say this (item highlighted)

So, our server team managed to diagnose the cause. It’s happening when the term “Function” is mentioned at the end of thread title.

It immediately sends up warning signals that it's a modsecurity issue, or another security program issue that is blocking it because it thinks there is a function call being made.
And last I looked, modsecurity did NOT write to the "regular" apache activity log. It generally writes to the audit log (if enabled) and the httpd error logs if using Apache (generally /var/logs/httpd/error_logs if using a default install).

The easy way to see if it's an add-on causing it (unlikely) is to disable all the add-ons and see if it works.
You can also try creating a new thread with the word function in the title and see if it gets blocked.

 

[Car_Freak]

And last I looked, modsecurity did NOT write to the "regular" apache activity log. It generally writes to the audit log (if enabled) and the httpd error logs if using Apache (generally /var/logs/httpd/error_logs if using a default install).

I’ll follow-up with server team on this.

The easy way to see if it's an add-on causing it (unlikely) is to disable all the add-ons and see if it works.
You can also try creating a new thread with the word function in the title and see if it gets blocked.

Just now tested both the methods. It immediately throws Forbidden Error upon thread creation. Disabling the add-ons didn’t help either.

 

[TPerry]

Just now tested both the methods. It immediately throws Forbidden Error upon thread creation. Disabling the add-ons didn’t help either.

Points even more towards a modsecurity rule or a rule set of some "monitoring/firewall" software they use.

If you are running in a shared hosting environment, try this in your htaccess

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

and see if it resolves the problem. You are "supposed" to be able to turn it off easily (but usually you have to be on a dedicated server or VPS), but your shared hosting provider may not enable that ability via .htaccess as it does open a security hole in their environment.
If it was a script issue, there would be more people having problems with that.... and you don't see that happening (in fact, I just made a test post on my site using function and functions in the title, and no issues..... so that simply points even more to their hosting environment.

 

[Car_Freak]

Hello @Tracy Perry @Brogan

I brought into our webhost's attention Post #8 and #10. Following is their response. The point seems reasonable.

Just to cross-check, can someone running XF v2.0 and media gallery create a thread with “function” at the end of title?

I saw the Xenforo forum responses, and I did of course check all the logs they mentioned. They were in fact the first location we checked. But all their responses seemed to disregard the fact that I disabled ModSecurity entirely and the issue still occurred. For further evidence the issue is isolated to the code running at the /forum location, you can see the following requests only show the 403 error happens in the /forums location or subdirectories:

$ curl -I /function./
HTTP/1.1 404 Not Found

$ curl -I /forums/function./
HTTP/1.1 403 Forbidden

$ curl -I /forums/threads/function./
HTTP/1.1 403 Forbidden

Since the main site shows a 404 response as expected, that does indicate there is no server-wide setting causing the 403 at the /forums location. Combined with the fact that there are no errors logged in the Apache main error or modsec_audit logs and the issue still occurred with ModSecurity completely disabled, it very strongly indicates the 403 error is coming from the application.

I am guessing there may be several locations where add-ons or plugins can be added to the forum code, and whatever is causing the issue was still active. I would suggest following up on the Xenforo forum and let them know we have done our due diligence when investigating the issue and let us know if they have any additional information. Thank you.

 

[Black Horse Off Road]

you might be under DDOS attack, and mod-evasive is triggering 403 errors or reached traffic limit

 

[Ozzy47]

The first problem is running a very old version of XF