403 Forbidden

  • OK, I've managed to get a broken Perch installation working again by re-uploading and overwriting the perch core folder with v2.8.34

    I can log in and I can upload assets to the resources folder.


    I have tried to edit a post, but every time I click 'save', I get a 403 Forbidden error.

    I can't see what is causing this. Is there something missing or what do I need to make permissions changes to?


    Thanks in advance for any help.

  • Found this, but I'm still no nearer to working out the problem!


    =================================

    [Wed Sep 18 09:34:53.909995 2019] [php7:warn] [pid 3462] [client 127.0.0.1:60432] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /srv/web/kingsthorpegrove.northants.sch.uk/www/html/easicms/core/lib/PerchFieldTypes.class.php on line 69, referer: http://www.kingsthorpegrove.northants.sch.uk/easicms/core/apps/content/page/?id=31
    [Wed Sep 18 09:35:00.205823 2019] [:error] [pid 13465] [client 127.0.0.1:60530] [client 127.0.0.1] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: upgrade-insecure-requests found within ARGS:perch_26_text: <p><span style=\\x22line-height: 1.6em;\\x22>KS1 tests - video for parents -\\xa0</span><a href=\\x22https://youtu.be/M8MjPFWRQs0\\x22 rel=\\x22nofollow\\x22 style=\\x22margin: 0px; padding: 0px; outline: 0px; border: 0px currentColor; border-image: none; color: rgb(215, 59, 75); line-height: 20.8px; font-family: Tahoma, Arial, Helvetica, sans-serif; text-decoration: none; vertical-align: baseline;\\x22>https://youtu.be/M8MjPFWRQs0</a></p>\\x..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [hostname "www.kingsthorpegrove.northants.sch.uk"] [uri "/easicms/core/apps/content/edit/"] [unique_id "XYHsNGFL8XM62zyoffC0NAAAAAg"], referer: http://www.kingsthorpegrove.northants.sch.uk/easicms/core/apps/content/edit/?id=30
    [Wed Sep 18 09:35:00.206999 2019] [:error] [pid 13465] [client 127.0.0.1:60530] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)<[^\\\\w<>]*(?:[^<>\\"'\\\\s]*:)?[^\\\\w<>]*(?:\\\\W*?s\\\\W*?c\\\\W*?r\\\\W*?i\\\\W*?p\\\\W*?t|\\\\W*?f\\\\W*?o\\\\W*?r\\\\W*?m|\\\\W*?s\\\\W*?t\\\\W*?y\\\\W*?l\\\\W*?e|\\\\W*?s\\\\W*?v\\\\W*?g|\\\\W*?m\\\\W*?a\\\\W*?r\\\\W*?q\\\\W*?u\\\\W*?e\\\\W*?e|(?:\\\\W*?l\\\\W*?i\\\\W*?n\\\\W*?k|\\\\W*?o\\\\W*?b\\\\W*?j\\\\W*?e\\ ..." at ARGS:perch_26_text. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "236"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p><span style=\\x22line-height: 1.6em;\\x22>KS1 tests - video for parents -\\xa0</span><a href=\\x22https://youtu.be/M8MjPFWRQs0\\x22 rel=\\x22nofollow\\x22 style=\\x22margin: 0px; padding: 0px; outline: 0px; border: 0px currentColor; border-image: none; color: rgb(215, 59, 75); line-height: 20.8px; font-family: Tahoma, Arial, Helvetica, sans-serif; text-decoration: none; vertical-align: baseline;\\x22>https://youtu.be/M8MjPFWRQs0</a></p>\\x0d\\x0a\\x0d\\x0a<p>KS 2 tests - video for parents -\\xa0<a hre..."] [severity "CRITICAL"] [ [hostname "www.kingsthorpegrove.northants.sch.uk"] [uri "/easicms/core/apps/content/edit/"] [unique_id "XYHsNGFL8XM62zyoffC0NAAAAAg"], referer: http://www.kingsthorpegrove.northants.sch.uk/easicms/core/apps/content/edit/?id=30
    [Wed Sep 18 09:35:00.208820 2019] [:error] [pid 13465] [client 127.0.0.1:60530] [client 127.0.0.1] ModSecurity: Rule 7f1d3f955690 [id "941350"][file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "737"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.kingsthorpegrove.northants.sch.uk"] [uri "/easicms/core/apps/content/edit/"] [unique_id "XYHsNGFL8XM62zyoffC0NAAAAAg"], referer: http://www.kingsthorpegrove.northants.sch.uk/easicms/core/apps/content/edit/?id=30
    [Wed Sep 18 09:35:00.211155 2019] [:error] [pid 13465] [client 127.0.0.1:60530] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.kingsthorpegrove.northants.sch.uk"] [uri "/easicms/core/apps/content/edit/"] [unique_id "XYHsNGFL8XM62zyoffC0NAAAAAg"], referer: http://www.kingsthorpegrove.northants.sch.uk/easicms/core/apps/content/edit/?id=30
    [Wed Sep 18 09:35:00.211339 2019] [:error] [pid 13465] [client 127.0.0.1:60530] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=10,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection"] [tag "event-correlation"] [hostname "www.kingsthorpegrove.northants.sch.uk"] [uri "/easicms/core/apps/content/edit/"] [unique_id "XYHsNGFL8XM62zyoffC0NAAAAAg"], referer: http://www.kingsthorpegrove.northants.sch.uk/easicms/core/apps/content/edit/?id=30

    =================================

  • If you're getting that while editing content in the CMS I would tend to suggest the text editor is not properly sanitizing the input text. Try with a different editor, change the editor attribute on the textarea field and see if you get the same issue.


    First though, check the HTML source of your text editor input to see if there is any weird markup. I suspect there may be and this is what would be triggering modsec delivering the 403.


    If you do have weird HTML in the source, scan your computer, disable browser extensions and see if that fixes the issue. I've seen an issue similar to this before (not with Perch though) where someone had installed, apparently "inadvertently", a browser extension that was injecting iframes to porn sites in their real estate listing page.