What is mod security and how does it affect me

From MODx Wiki

Jump to: navigation, search


When you try to save a snippet, for example, in MODx manager, you might get error message something like "403 Permission Denied - You do not have permission for this request". This is usually caused by a Apache module called mod_security that is installed by your server host. mod_security can be used, among other things, to prevent some text strings to be in POST data. When you are trying to save a snippet, the php code is being passed to the server in the POST what mod_security then aborts and returns the page request with an error. To fix this issue, try the following...

Contents

[edit]

Setting filtering to allow MODx manager main source file to execute over security settings

Open your .htaccess file(s) and add the following to it. 

SecFilterEngine On
SecFilterSelective "REQUEST_URI" "/manager/index.php" "allow,nolog"

Then try if it helps. If not, continue to next stage.

[edit]

Setting filtering to allow certain things to be in POST data

If you know what string is blocking the POST data from posting (look editing resource code to find them out), open your .htaccess file(s) and add the following to it. 

SecFilterEngine On
SecFilterSelective "POST_PAYLOAD" "the-blocked-string" "allow,nolog"
SecFilterSelective "POST_PAYLOAD" "another-blocked-string" "allow,nolog"

That field supports regular expression, so you might want to setup up something (like * ;)). After you have setuped it up, try if it helps. If not, continue to next stage.

[edit]

Turning off post data filtering

If you don't know what strings are preventing you from posting or just don't care, you can try to set off post data filtering. Open your .htaccess file(s) and add the following to it. 

SecFilterScanPOST Off

Then try if it helps. If not, continue to next stage.

[edit]

Turning off SecFilterEngine altogether

If none above worked, open your .htaccess file(s) and add the following to it. 

SecFilterEngine Off

That should turn the filtering off altogether (if you have rights to do that). After that, try if it helps. If not, continue to next stage.

[edit]

Include snippet code from filesystem

If you cannot turn the filtering off, you can do a snippet that includes files from filesystem. So first, create a snippet with the name IncludeFile with the following content: 

//Check that the file is given.
if (!isset($file) || $file == "") {
 return 'No file specified.'; 
}

//Start the buffer
ob_start();

//Include file contents
include $phpfile;

//Get contents from the buffer
$ob_contents = ob_get_contents();

//Kill/delete the buffer
ob_end_clean();

//Return contents to MODx
return $ob_contents;

Then:

  • Save the resource you need to be saved in the first place in to a file.
  • FTP the file over to your webserver.
  • Create the new resource (what ever the file contains, template, snippet, etc.)
  • Put the following to the content field: 
[[IncludeFile? &file=`path/to/the/resource.php`]]

Then you resource code is included by PHP. If you don't want to use this or you have some problems using it, continue to the next stage.

[edit]

Editing resource code

If all above has failed, last resort is to identify what line and text string is causing the error and try to modify it. So start pasting the code in to manager in small chunks and save after everyone. When you get to the point where saving returns the error page, start pasting it line by line until you find the line that is causing it. Then go word by word and you'll find your magic string.

Then you need to figure out if there's a way to go around it. For example:

  • If it's some variable name, try another name for it.
  • If it's some string like Content-Type try to break it into smaller bits 'Content-'.'Type'
  • etc.
Retrieved from "http://wiki.modxcms.com/index.php/What_is_mod_security_and_how_does_it_affect_me"
Personal tools