403 (Forbidden) Error AJAX Request

Status
Not open for further replies.

staffing

New Member
I understand that you've updated the mod rewrite for the Apache servers to limit spamming, but my website no longer functions accordingly, certain functions I am limited to producing due to this issue. I can now no longer use ajax requests to update certain SQL queries, however at the same time I'm still able to do so for other functions on my webpage, is there a way that I can get around this somehow?

I've attempted to use this to solve the issue however that did not help me:
Code:
<ifmodule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</ifmodule>
 

leafypiggy

Manager of Pens and Office Supplies
Staff member
You *REALLY* shouldn't be pushing SQL in an ajax request.

That is entirely insecure, and is the reason things like ModSecurity exist.
 

caftpx10

Well-Known Member
> You *REALLY* shouldn't be pushing SQL in an ajax request.
>
> That is entirely insecure, and is the reason things like ModSecurity exist.
I think he means placing a string within a SQL query for uses such as searching and changing a value for a certain account (not a full query).
 

staffing

New Member
> I think he means placing a string within a SQL query for uses such as searching and changing a value for a certain account (not a full query).

Yes, that's what I mean: doing updates for some functions works while others don't, and inserts in general don't work at all.
 

leafypiggy

Manager of Pens and Office Supplies
Staff member
Can I have an example URI?
 

staffing

New Member
> Can I have an example URI?
This is a result of the mod security update on Free Hosting Services
If you have any issues on your website or issues accessing your website please open a thread on the free hosting forum so we can investigate. The mod security rules should be showing a 403 if you inadvertently trigger a rule but it may not in some cases so please report to the forums just in case
I use this code to create ajax requests for certain forms/functions:
Code:
// Ajax post data to server
$.post('update.php?action=<?php echo($edit); ?>', post_data, function (response) {
    // load json data from server and output message
    if (response.type == 'error') {
        // (rest of the handler was not included in the post)
    }
});
Depending on the action variable, the code won't work.
 

Dead-i

x10Hosting Support Ninja
Community Support
Hi,

What is the typical value of the "action=" parameter in the request ($edit)?

Please could you also provide an example of the data sent in the POST request (post_data)? :)

Thank you,
 

staffing

New Member
> Hi,
>
> What is the typical value of the "action=" parameter in the request ($edit)?
>
> Please could you also provide an example of the data sent in the POST request (post_data)? :)
>
> Thank you,
The typical values are either 'location', 'employee','edit', or 'fill' (Edit and Fill function appropriately)
Data sent in the POST for location and employee (this is me editing a table/UPDATing it)
Code:
post_data = {'code': <?php echo('"'.$code.'"'); ?>, 'fname': 'John', 'sname': 'Doe', 'gender': 'Male', 'check1': true, 'check2': true, 'check3': false, 'type': 'APPT', 'tnum': 304, 'number': '(123)-345-3859', 'alternate': null, 'street': '123 Address Lane', 'postal': 'postal_code', 'city': 'cityland', 'majint': 'majint', 'comments': 'comments'};
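
Added example (not code from the thread or from the hosting provider): a hypothetical `update.php` handler that accepts only known action names and field names from the posts above and binds every value through a PDO prepared statement, so the AJAX request carries data and never SQL. Table and column names, the `handle_update` function and the response text are assumptions.

```php
<?php
// Added example: hypothetical update.php handler. Table/column names and the
// response text are assumptions; action values and field names are from the thread.
declare(strict_types=1);

// Each permitted action maps to one fixed statement. The client supplies values
// for the bound parameters only, never SQL, table names or column names.
const ACTIONS = [
    'employee' => [
        'sql' => 'UPDATE employees SET fname = :fname, sname = :sname, number = :number,
                  alternate = :alternate, comments = :comments
                  WHERE code = :code',
        'fields' => ['fname', 'sname', 'number', 'alternate', 'comments', 'code'],
    ],
    'location' => [
        'sql' => 'UPDATE locations SET street = :street, city = :city, postal = :postal
                  WHERE code = :code',
        'fields' => ['street', 'city', 'postal', 'code'],
    ],
];

function handle_update(PDO $db, string $action, array $post): array
{
    if (!array_key_exists($action, ACTIONS)) {
        return ['type' => 'error', 'text' => 'Unknown action'];
    }
    $params = [];
    foreach (ACTIONS[$action]['fields'] as $field) {
        $value = $post[$field] ?? null;
        if ($value !== null && !is_string($value)) { // reject nested arrays in form data
            return ['type' => 'error', 'text' => "Invalid field: $field"];
        }
        // A missing or empty value is stored as SQL NULL; no SQL keyword is sent by the client.
        $params[":$field"] = ($value === null || $value === '') ? null : $value;
    }
    $stmt = $db->prepare(ACTIONS[$action]['sql']);
    $stmt->execute($params);
    return ['type' => 'message', 'text' => $stmt->rowCount() . ' row(s) updated'];
}

// Constructed demo against an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE locations (code TEXT PRIMARY KEY, street TEXT, city TEXT, postal TEXT)');
$db->exec("INSERT INTO locations VALUES ('L1', 'old street', 'old city', 'old postal')");
echo json_encode(handle_update($db, 'location', [
    'code' => 'L1', 'street' => "123 Address Lane, O'Neil Plaza", 'city' => 'cityland', 'postal' => '',
])), "\n";
```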
 

Bryon

I Fix Things
Hi Staffing, can you reproduce the problem for me and make a note of the approximate time you receive the error? Let me know that time, including the timezone so I can relate it to the server logs. This will help us narrow down the cause of mod_security blocking the request and hopefully get a solution in place for you.
 

staffing

New Member
> Hi Staffing, can you reproduce the problem for me and make a note of the approximate time you receive the error? Let me know that time, including the timezone so I can relate it to the server logs. This will help us narrow down the cause of mod_security blocking the request and hopefully get a solution in place for you.
I've reproduced the error at 10:11 PM EST (Residing in Toronto, Ontario - Canada)
 

Bryon

I Fix Things
Hi, thank you for your reply and the information. I've retrieved the exact cause of the error. We're going to need to investigate this further to correct the mod_security rule at fault. This may take a day or so with the holiday. We'll get you an update soon regarding this, I am expecting that we will be able to correct this while keeping the protection of the mod_security rule for your account.
 

staffing

New Member
> Hi, thank you for your reply and the information. I've retrieved the exact cause of the error. We're going to need to investigate this further to correct the mod_security rule at fault. This may take a day or so with the holiday. We'll get you an update soon regarding this, I am expecting that we will be able to correct this while keeping the protection of the mod_security rule for your account.
Alright thank you, I'm looking forward to your solution
 

leafypiggy

Manager of Pens and Office Supplies
Staff member
Hi Staffing,

I am looking into this over the weekend. Due to our custom implementation of how we handle mapping domain names to folders on the server, we cannot use any of the pre-built ModSecurity "management" tools, so I'm working on a custom solution that we'll hopefully be able to expose to the end user so they can manage it themselves.

I will update you later today or tomorrow (Maybe Sunday) when I have done more research on this.
 

staffing

New Member
> Hi Staffing,
>
> I am looking into this over the weekend. Due to our custom implementation of how we handle mapping domain names to folders on the server, we cannot use any of the pre-built ModSecurity "management" tools, so I'm working on a custom solution that we'll hopefully be able to expose to the end user so they can manage it themselves.
>
> I will update you later today or tomorrow (Maybe Sunday) when I have done more research on this.
I wanted to know if you've had any recent updates regarding this issue? Thank you
 

Corey

I Break Things
Staff member
Is this a custom script? I've looked at the specific rule being triggered and the logs, while I have an idea of what is triggering the rule it would be good to be able to reproduce this issue. Is it possible you can PM or email me a login and instructions on reproducing one of the errors?

What I'm trying not to do is write a ton of exceptions for each and every script with an issue as we'll just end up with hundreds of unmanageable exceptions and extra rules. If I can reproduce this on demand I can see if I can tweak the rules a bit to allow this specific use case through while not creating additional exceptions or separate rules.
 

staffing

New Member
> Is this a custom script? I've looked at the specific rule being triggered and the logs, while I have an idea of what is triggering the rule it would be good to be able to reproduce this issue. Is it possible you can PM or email me a login and instructions on reproducing one of the errors?
>
> What I'm trying not to do is write a ton of exceptions for each and every script with an issue as we'll just end up with hundreds of unmanageable exceptions and extra rules. If I can reproduce this on demand I can see if I can tweak the rules a bit to allow this specific use case through while not creating additional exceptions or separate rules.
I've messaged you and explained how to reproduce the error, thank you!
 