
XF 1.5 User unable to post/server error - smilie related, possible bug

Live Free

Active member
#1
Okay, so I'm having an issue where specific content in a specific forum is triggering a user-sided error without an admin error log.

One of my members is a moderator in a specific sub-forum. They attempted to create a new thread (with a prefix) but received a server error, not letting them post. This error was only displayed to the user, no admincp log.

An administrative user tried the same thing, received the same pop-up general server error. However, the problem extended one step further for that administrator, they said it "booted them from the site completely" and that they now can't access the site (I'm not sure if this means logging in or to what extent).

The error they see looks like this:

internalerror.png

I've examined the admincp error logs and there are no reports. I was able to replicate the error with the same post content. I tried disabling all add-ons. The error still appeared, still with no server error log.

I've encountered problems like this a handful of times over the past year or two. One instance was in a PM that contained a word the server safeguards flagged because it represented a possible database command. Another instance in posting it was caught by the SPAM filter. Another instance was with my blogging addon (still unresolved).

In this case, I'm only able to replicate the error pasting the original message from the original user. After further trial and error it appears that the smiley is causing it. I was able to post the thread after removing the smilie. Add the smiley back, get the error again.

I examined the smilie in question and it's hosted on my server. It references /styles/directory/smiliename so I adjusted it to include the full https://sitename.com URL but still got the same error.



I was going to report this as a bug, but for some reason it has continued to prevent an administrative user from using the site for the past 12+ hours.

Thanks.
 

Mike

XenForo developer
Staff member
#2
I can't really comment on why it wouldn't let anyone access the site. That error isn't directly coming from XenForo, so it's hard to say if XF is actually involved. The error is coming from your web server (Apache), though it could potentially be a PHP crash.

Realistically, you'll need to look at the Apache error logs as there should be more details logged there. Depending on the error, it's possible it won't actually be logged in your site's error log, but the global Apache log (unfortunately).
 

Live Free

Active member
#3
> I can't really comment on why it wouldn't let anyone access the site. That error isn't directly coming from XenForo, so it's hard to say if XF is actually involved. The error is coming from your web server (Apache), though it could potentially be a PHP crash.
>
> Realistically, you'll need to look at the Apache error logs as there should be more details logged there. Depending on the error, it's possible it won't actually be logged in your site's error log, but the global Apache log (unfortunately).

Thanks Mike.

All seems well as this seemed to be a fluke occurrence, but there's no easy way for me to tell how often this might be happening. My intuition says this might be a legit bug - I'll try to dive in further and I'll let you know with what I can come up with.

I was really puzzled on why it might not let someone access the site, my current working theory was that the error (or perhaps a loading loop) caused the administrator account in question to have its IP blacklisted by the server. I haven't been able to find any evidence of this yet though.

I'll try my hand at finding information in the Apache error logs, though that's not my forte. I imagine it shouldn't be too difficult though since I am able to recreate the error with the smilie. I'll let you know if I find anything noteworthy.
 

Tracy Perry

Well-known member
#4
> I'll try my hand at finding information in the Apache error logs, though that's not my forte. I imagine it shouldn't be too difficult though since I am able to recreate the error with the smilie. I'll let you know if I find anything noteworthy.

Check your PHP error log also. Frequently you will find errors there that are not reflected in your HTTP server error log.
 

Live Free

Active member
#5
The directory's PHP error log and cPanel per-site apache log were clean, but the global Apache error log turned up the correct logs:

Code:
[Tue Mar 21 18:37:59.739748 2017] [:error] [pid 23434:tid 139714992523008] [client MY.IP.ADDRESS] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:message_html. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "254"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.mywebsite.com"] [uri "/weekly-poetry-contests/similarthreads"] [unique_id "WNGrR0PjmgsAAFuKFgIAAAGF"]
[Tue Mar 21 18:38:06.848225 2017] [:error] [pid 23273:tid 139714942166784] [client MY.IP.ADDRESS] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:message_html. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "254"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.mywebsite.com"] [uri "/weekly-poetry-contests/create-thread/preview"] [unique_id "WNGrTkPjmgsAAFrpskUAAAEL"]
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20131226/memcache.so' - /usr/local/lib/php/extensions/no-debug-non-zts-20131226/memcache.so: cannot open shared object file: No such file or directory in Unknown on line 0
[Tue Mar 21 18:38:09.804334 2017] [:error] [pid 32637:tid 139715107710720] [client MY.IP.ADDRESS] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:message_html. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "254"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.mywebsite.com"] [uri "/weekly-poetry-contests/add-thread"] [unique_id "WNGrUUPjmgsAAH99UEAAAAHA"]
There are additional error logs related to the site that I will need to investigate, but they aren't time-correlated to my recreation of the error. Which is still only caused by adding the smilie to the same original post, by the way.

Obviously this appears to be some sort of "generic SQL injection protection" but I haven't the slightest idea why a smilie image would trigger it. Overzealous modsecurity settings? But why the smilie?

I did encounter something like this before that caused a similar error in PMs that prevented PMs being sent with a certain string of characters. The server viewed it as an attempt to alter the database maliciously.

I checked the post I'm attempting to make to generate this error and it uses the word "create" twice but does not mention alter or drop.

@Mike what are your thoughts on this?
 

Brogan

XenForo moderator
Staff member
#6
It's due to the mod security module on the server.

Your host should be able to identify which rule is being triggered and whitelist it.
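
Added example, not part of any post in this thread: a small Python check that takes the pattern logged for rule id 300015 and reports which of its branches matches a given `message_html` value, which is the information a host needs before whitelisting. The function name `explain`, the flags and the sample HTML are assumptions made for the illustration; the sample is constructed and is not the member's real post.

```python
import re

# Branches of the pattern logged for rule id 300015. The POSIX class
# [[:space:]] is written as \s because Python's re module does not support it.
BRANCHES = [
    r"(alter|create|drop)\s+(column|database|procedure|table)",
    r"delete\s+from",
    r"update.+set.+=",
]

# Assumption: case-insensitive, dot matches newline. The rule's actual
# transformations and flags are not shown in the log excerpt.
FLAGS = re.IGNORECASE | re.DOTALL


def explain(value):
    """Return (branch, matched_text) for every branch that matches value."""
    hits = []
    for branch in BRANCHES:
        m = re.search(branch, value, FLAGS)
        if m:
            hits.append((branch, m.group(0)))
    return hits


# Constructed sample input, not the member's real post.
PLAIN = ("<p>Create your poem this week. We will update the rules "
         "and set a theme on Friday.</p>")
# Same text with a smilie rendered as an <img> tag; the src path is the
# placeholder form quoted in post #1.
WITH_SMILIE = PLAIN + '<img src="/styles/directory/smiliename" alt=":)" />'

if __name__ == "__main__":
    for label, html in (("plain", PLAIN), ("with smilie", WITH_SMILIE)):
        hits = explain(html)
        print(label, "->", "blocked" if hits else "passes")
        for branch, text in hits:
            print("  branch:", branch)
            print("  matched:", text)
```

In the constructed sample the only `=` characters come from the `<img>` attributes, so the `update.+set.+=` branch matches only when the smilie is present. Whether the real post matched for the same reason depends on its actual wording.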