Problem with changing the userprofile (website)

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
KevC
Support Team Member
Posts: 72329
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Problem with changing the userprofile (website)

Post by KevC »

You can sometimes get that sort of issue if your hosts mod_security is being a bit too enthusiastic.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am

Re: Problem with changing the userprofile (website)

Post by EA117 »

3Di wrote: Mon Jan 21, 2019 2:43 pm I would like to add that, as visible from the address in the image below, in the whole phpBB code there is only one chance that this error is called into question and no other occurrence. And that's exactly what I posted above.
I'm looking at things like Symfony's AccessDeniedHttpException, and I definitely don't know enough to rule out that such a condition could be reported during processing, due to underlying conditions occurring during internal processing that are not uniquely or closely related to UCP profile field handling itself.

But for the issue to occur only when updating the phpbb_website profile field, and not for any other fields, it sure makes me feel like this is a big clue, for whomever knows enough to make the connection.

sander83 wrote: Mon Jan 21, 2019 1:49 pm So it must be something else
Have you viewed your database contents before, such as by using phpMyAdmin or similar to view the "raw" SQL data? Or even just generating one of the .sql dump files created by phpBB's own database backup function in ACP Maintenance, and viewing the contents of that backup file in Notepad++ or something else that is able to deal with the huge text file size.

If you can view that information, an additional thing that could be ruled out is whether there is anything non-default or non-standard about the phpbb_website profile field definition that exists on the site where you're having trouble updating the field contents. e.g. Maybe something corrupt or unexpected about the validation expression or other parameters. For example, what I think a default phpbb_website field definition would look like is this:


# Table: phpbb_profile_fields
...
(6, 'phpbb_website', 'profilefields.type.url', 'phpbb_website', '40', '12', '255', '', '', '', 0, 0, 0, 0, 1, 6, 1, 1, 0, 1, 1, 1, 'VISIT_WEBSITE', '%s')
If you're seeing something different than this, post a screen shot of what you're seeing in phpMyAdmin or cut-n-paste of the line from the .sql dump file. I don't recommend trying to change anything unless we have a chance to review what the data is and might mean; even if what you see is different from what I just posted. Unless you're already very familiar with making or restoring SQL changes out from under phpBB.

It's not that "clearly this could result in a 403 response." This profile field definition data is just "one of the things unique to trying to update the web site profile field", so it feels like it deserves to be confirmed as part of trying to determine the root cause for this symptom.

Separately, there is a test account awaiting approval on your site, just because I wanted to see if there was any more information that could be learned from the 403 response from the server itself.
3Di
I've Been Banned!
Posts: 17538
Joined: Mon Apr 04, 2005 11:09 pm
Location: I'm with Ukraine 🇺🇦
Name: Marco

Re: Problem with changing the userprofile (website)

Post by 3Di »

EA117 wrote: Mon Jan 21, 2019 3:44 pm I'm looking at things like Symfony's AccessDeniedHttpException, and I definitely don't know enough to rule out that such a condition could be reported during processing. Due to underlying conditions occurring during internal processing, that are not uniquely or closely related to UCP profile field handling itself.
The *CPs are detached from the core code (old coding, still) so no exceptions - which usually are used in controllers.
Hence the raw trigger error which is not followed by any kind of E_USER_WARNING of sorts in this case.

Yes, probably having an account there and using the console will spot the exact cause of this issue, if an issue it is at all.
To be honest it is the first time I am seeing this.
🆓 Free support for our extensions also provided here: phpBB Studio
🚀 Looking for a specific feature or alternative option? We will rock you!
Please PM me only to request paid works. Thx. Buy me a coffee -> Image
My development's activity º PhpStorm's proud user º Extensions, Scripts, MOD porting, Update/Upgrades
sander83
Registered User
Posts: 9
Joined: Sat Jan 19, 2019 2:25 pm

Re: Problem with changing the userprofile (website)

Post by sander83 »

Activated that test account.

In the DBname_Profile_field
There is the entry for the website:
6,"phpbb_website","profilefields.type.url","phpbb_website","40","12","255",,,,"0","0","0","0","1","6","1","1","0","1","1","1","VISIT_WEBSITE","%s"
EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am

Re: Problem with changing the userprofile (website)

Post by EA117 »

sander83 wrote: Mon Jan 21, 2019 5:33 pm Activated that test account.

In the DBname_Profile_field
There is the entry for the website:
6,"phpbb_website","profilefields.type.url","phpbb_website","40","12","255",,,,"0","0","0","0","1","6","1","1","0","1","1","1","VISIT_WEBSITE","%s"
Thanks for the account activation. Nothing about that phpbb_website profile field data looks unexpected.

Unfortunately no additional clues seen from the server's 403 response. Appears to be the web server's configured 403 error document, as would be normal for a 403 reported by the web server itself. It did not happen to be some 403 HTTP-level status but with additional PHP- or phpBB-specific data returned.

KevC suggested it could be mod_security thinking it's protecting you from something. For that reason and maybe additional 403-related condition data that might be reported in general, are you able to see the web server's error log, and does it generate any interesting information during these events? We're talking about an error log of the web server or the hosting server itself, and not phpBB's own application-specific logging visible from the ACP Maintenance tab.

Just still searching for additional clues.


Hypertext Transfer Protocol
    HTTP/1.1 403 Forbidden\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 403 Forbidden\r\n]
            [HTTP/1.1 403 Forbidden\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Response Version: HTTP/1.1
        Status Code: 403
        [Status Code Description: Forbidden]
        Response Phrase: Forbidden
    Server: nginx\r\n
    Date: Mon, 21 Jan 2019 17:13:56 GMT\r\n
    Content-Type: text/html\r\n
    Content-Length: 1024\r\n
        [Content length: 1024]
    Connection: keep-alive\r\n
    Last-Modified: Wed, 08 Mar 2017 15:34:00 GMT\r\n
    ETag: "400-54a39db88f85b"\r\n
    Accept-Ranges: bytes\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.141962000 seconds]
    [Request in frame: 69]
    File Data: 1024 bytes
Line-based text data: text/html (33 lines)
    <HTML>\n
    <HEAD>\n
    <TITLE>403 Forbidden</TITLE>\n
    <BASE href="/error_docs/"><!--[if lte IE 6]></BASE><![endif]-->\n
    </HEAD>\n
    <BODY>\n
    <H1>Forbidden</H1>\n
    You do not have permission to access this document.\n
    <P>\n
    <HR>\n
    <ADDRESS>\n
    Web Server at n-spoorforum.nl\n
    </ADDRESS>\n
    </BODY>\n
    </HTML>\n
    \n
    <!--\n
       - Unfortunately, Microsoft has added a clever new\n
       - "feature" to Internet Explorer. If the text of\n
       - an error's message is "too small", specifically\n
       - less than 512 bytes, Internet Explorer returns\n
       - its own error message. You can turn that off,\n
       - but it's pretty tricky to find switch called\n
       - "smart error messages". That means, of course,\n
       - that short error messages are censored by default.\n
       - IIS always returns error messages that are long\n
       - enough to make Internet Explorer happy. The\n
       - workaround is pretty simple: pad the error\n
       - message with a big comment like this to push it\n
       - over the five hundred and twelve bytes minimum.\n
       - Of course, that's exactly what you're reading\n
       - right now.\n
       -->\n
EVO_VV
Registered User
Posts: 55
Joined: Tue Feb 13, 2018 3:11 pm

Re: Problem with changing the userprofile (website)

Post by EVO_VV »

Not sure if it will be the same in Nginx but in Apache the mod_security log file is called modsec_audit.log

I have noted that not all of the errors blocked and reported in that file appear in the normal Apache error logs.

If the 403 is coming from mod_security, it should be logged in that file and will give an indication of what it objected to.

The entries (from the free version) in there look like this :-


--d5df4c28-A--
[22/Jan/2019:06:26:58 +0100] XEapohE174MvzfMhlXQqWwAAAEw 85.115.60.201 45777 xxx.xxx.xxx.xxx 80
--d5df4c28-B--
GET / HTTP/1.1
User-Agent: curl/7.16.4 (x86_64-pc-linux-gnu) libcurl/7.16.4 OpenSSL/0.9.8o zlib/1.2.3
Host: example.com
Pragma: no-cache
Accept: */*
Via: 1.1 hosted.websense 26d
X-Forwarded-For: 94.23.238.218
Client-IP: 94.23.238.218

--d5df4c28-F--
HTTP/1.1 403 Forbidden
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1

--d5df4c28-H--
Message: Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "399"] [id "960020"] [rev "2"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1548134818955753 1634 (- - -)
Stopwatch2: 1548134818955753 1634; combined=158, p1=124, p2=20, p3=0, p4=0, p5=14, sr=36, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.29 (Unix) OpenSSL/1.0.1e-fips
Engine-Mode: "ENABLED"

--d5df4c28-Z--
The [id "960020"] tells you exactly which rule was invoked
sander83
Registered User
Posts: 9
Joined: Sat Jan 19, 2019 2:25 pm

Re: Problem with changing the userprofile (website)

Post by sander83 »

Checked the logs. It seems to come indeed from mod_security.

Message in the error_log

ModSecurity: Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "1650"] [id "33340686"] [rev "4"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS"] [severity "CRITICAL"]
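As an added example that is not part of the thread (and not phpBB's or ModSecurity's own code): a small Python triage script that parses ModSecurity 2.x audit-log entries in the A/B/F/H/Z layout EVO_VV showed, as well as error_log lines like the one above, pulling out the rule id, file, msg and severity so you can see which rule keeps blocking which request. The request line, host name and IP addresses in the sample entry are constructed; only the Message text is the real one from this thread.

```python
import re
from collections import Counter

# Added example (not code from the thread, phpBB or ModSecurity): parse ModSecurity 2.x audit-log
# entries in the lettered A/B/F/H/Z layout EVO_VV showed, plus error_log lines like sander83's.
# The Message text below is sander83's; the request, host and RFC 5737 addresses are constructed.
DENY_MESSAGE = ('Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" '
                'against "MATCHED_VAR" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/'
                '50_plesk_basic_asl_rules.conf"] [line "1650"] [id "33340686"] [rev "4"] [msg "Protected '
                'by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS"] '
                '[severity "CRITICAL"]')
ERROR_LOG_LINE = "ModSecurity: " + DENY_MESSAGE          # shape of the line in Apache's error_log
SAMPLE_AUDIT = f"""--d5df4c28-A--
[22/Jan/2019:06:26:58 +0100] XEapohE174MvzfMhlXQqWwAAAEw 203.0.113.10 45777 198.51.100.5 80
--d5df4c28-B--
POST /ucp.php?i=ucp_profile&mode=profile_info HTTP/1.1
Host: forum.example
--d5df4c28-F--
HTTP/1.1 403 Forbidden
--d5df4c28-H--
Message: {DENY_MESSAGE}
Action: Intercepted (phase 2)
--d5df4c28-Z--
"""
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # one [key "value"] field

def parse_tags(line):
    """Collect the bracketed [key "value"] fields of a ModSecurity message (error_log or part H)."""
    return dict(TAG_RE.findall(line))

def split_sections(entry):
    """Map each lettered audit part (A, B, F, H, Z, ...) of one entry to its body text."""
    parts = SECTION_RE.split(entry)  # [pre, id, letter, body, id, letter, body, ...]
    return {parts[i]: parts[i + 1].strip("\n") for i in range(2, len(parts) - 1, 3)}

def triage(entry):
    """Reduce one audit entry to what matters for a false-positive review: rule, request, severity."""
    sec = split_sections(entry)
    method, _, target = (sec.get("B", "") + "\n").splitlines()[0].partition(" ")
    message = next((l for l in sec.get("H", "").splitlines() if l.startswith("Message:")), "")
    tags = parse_tags(message)
    return {"method": method, "path": target.split(" ")[0].split("?")[0], "rule_id": tags.get("id", ""),
            "severity": tags.get("severity", ""), "msg": tags.get("msg", ""), "file": tags.get("file", "")}

def blocks_by_rule(log_text):
    """Count (rule id, path) pairs across a whole audit log so a repeatedly blocked form stands out."""
    entries = (c for c in re.split(r"(?<=-Z--)\n", log_text) if c.strip())
    return Counter((t["rule_id"], t["path"]) for t in map(triage, entries))
```

A (rule id, path) pair that keeps climbing for an ordinary form such as /ucp.php is the evidence to hand to the host when asking for a targeted exclusion, rather than disabling the rule outright.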
EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am

Re: Problem with changing the userprofile (website)

Post by EA117 »

So KevC nailed it, and a rule from "50_plesk_basic_asl_rules.conf" is blocking this POST attempt because it contains "http://" in one of the POST arguments.

That is something you will have to discuss with your hosting support, to see if they are willing to add the pf_phpbb_website argument of phpBB's ucp.php module to the list of excluded application module arguments this check will be made against. Since "http://" is actually expected in the POST arguments for this module.

(Technically the arguments here can be admin-defined, and "http://" could end up being expected in other arguments of ucp.php, too, for argument names we can't predict in advance. But perhaps one battle at a time, and wait to ask for a greater exception only if and when this scenario actually applies to you.)

The process to make the exception at their end is presumably along the lines of what's described here:
https://wiki.atomicorp.com/wiki/index.p ... pplication
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Problem with changing the userprofile (website)

Post by david63 »

If you have Plesk then you have the facility to turn off mod_security rules
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
sander83
Registered User
Posts: 9
Joined: Sat Jan 19, 2019 2:25 pm

Re: Problem with changing the userprofile (website)

Post by sander83 »

The host party is looking into this. Thanks for the help so far.

Sadly we need mod_security for other stuff so turning that off won't help.
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Re: Problem with changing the userprofile (website)

Post by Lumpy Burgertushie »

He didn't say turn off mod_security, he said turn off mod_security rules.

Two different things.

The hoster/you can set whatever rules you want to trigger mod_security.

Many times a host will simply install it on their server without ever looking to see what the level of strictness is. When that happens unexpected results can happen.

A simple word that is not and could not be a security threat can shut down your site etc.

robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.