What is mod security and how does it affect me


When you try to save a snippet, for example, in the MODx manager, you might get an error message something like "403 Permission Denied - You do not have permission for this request". This is usually caused by an Apache module called mod_security that has been installed by your server host. Among other things, mod_security can be used to block requests whose POST data contains certain text strings. When you save a snippet, its PHP code is sent to the server in the POST body; if mod_security finds a banned string there, it aborts the request and returns the error page instead. To fix this issue, try the following stages in order:


Setting filtering to allow the MODx manager main script to bypass the security filters

Open your .htaccess file(s) and add the following to it.

SecFilterEngine On
SecFilterSelective "REQUEST_URI" "/manager/index.php" "allow,nolog"

Then try whether it helps. If not, continue to the next stage.

Setting filtering to allow certain things to be in POST data

If you know which string is blocking the POST data (see the "Editing resource code" section below for how to find it), open your .htaccess file(s) and add the following to it.

SecFilterEngine On
SecFilterSelective "POST_PAYLOAD" "the-blocked-string" "allow,nolog"
SecFilterSelective "POST_PAYLOAD" "another-blocked-string" "allow,nolog"

That field accepts a regular expression, so you could set up a broader pattern (such as .* ;)). Keep in mind that a pattern matching everything is the same as turning POST filtering off for that location. After you have set it up, try whether it helps. If not, continue to the next stage.

Turning off post data filtering

If you don't know which strings are preventing you from posting, or just don't care, you can try to turn off POST data filtering. Open your .htaccess file(s) and add the following to it.

SecFilterScanPOST Off

Then try whether it helps. If not, continue to the next stage.

Turning off SecFilterEngine altogether

If none of the above worked, open your .htaccess file(s) and add the following to it.

SecFilterEngine Off

That should turn the filtering off altogether (if you have the rights to do that). After that, try again to see whether it helps. If not, continue to the next stage.

Include snippet code from filesystem

If you cannot turn the filtering off, you can create a snippet that includes files from the filesystem, so the blocked code never travels through the manager's POST request. First, create a snippet with the name IncludeFile and the following content:

//Check that the file is given.
if (!isset($file) || $file == "") {
    return 'No file specified.';
}

//Start the output buffer so whatever the included file prints is captured
ob_start();

//Include file contents (the path comes from the &file= snippet parameter)
include $file;

//Get contents from the buffer
$ob_contents = ob_get_contents();

//Kill/delete the buffer
ob_end_clean();

//Return contents to MODx
return $ob_contents;

Then:

  • Save the resource you wanted to save in the first place into a file.
  • FTP the file over to your webserver.
  • Create the new resource (whatever the file contains: template, snippet, etc.).
  • Put the following into the content field:
    [[IncludeFile? &file=`path/to/the/resource.php`]]

Your resource code is then included by PHP at runtime. If you don't want to use this, or you have problems using it, continue to the next stage.
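Because the snippet above includes whatever path it is handed, a stricter variant is worth using if the &file= value could ever be influenced by something other than your own templates. The following is an added example, not the wiki's snippet; it assumes MODX_BASE_PATH is the site root constant defined by the MODx bootstrap and that your included files live under an assets/snippets/src/ directory (adjust to your layout).

```php
//Added hardened IncludeFile: only .php files below one allowed directory
//are included, so traversal like ../../manager/includes/config.inc.php
//is rejected. MODX_BASE_PATH and the directory name are assumptions.
$allowedDir = MODX_BASE_PATH . 'assets/snippets/src/';

//Check that the file is given.
if (!isset($file) || $file === '') {
    return 'No file specified.';
}

//Resolve both paths to absolute, symlink-free form.
//realpath() returns false when the file does not exist.
$base   = realpath($allowedDir);
$target = realpath($allowedDir . $file);

//The target must sit strictly inside the allowed directory.
if ($base === false || $target === false
    || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    return 'File not allowed.';
}

//Only include PHP source, not arbitrary files that happen to be readable.
if (strtolower(pathinfo($target, PATHINFO_EXTENSION)) !== 'php') {
    return 'Only .php files may be included.';
}

//Capture the included file's output and hand it back to MODx.
ob_start();
include $target;
return ob_get_clean();
```

Call it exactly as before, e.g. [[IncludeFile? &file=`resource.php`]], with the path given relative to the allowed directory.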

Editing resource code

If all of the above has failed, the last resort is to identify which line and text string is causing the error and modify it. Start pasting the code into the manager in small chunks and save after each one. When you reach the point where saving returns the error page, start pasting that chunk line by line until you find the line that causes it. Then go word by word and you'll find your magic string.

Then you need to figure out if there's a way to go around it. For example:

  • If it's some variable name, try another name for it.
  • If it's some string like Content-Type, try to break it into smaller bits: 'Content-'.'Type'
  • etc.