Site stopped working with https?

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Post Reply
runewolf
Registered User
Posts: 5
Joined: Mon Jun 24, 2019 11:59 am

Site stopped working with https?

Post by runewolf » Mon Jun 24, 2019 12:13 pm

Hello,
I have a strange issue. Our site has been running fine until friday evening. Something happened while I was out of town and had no access to the internet to fix it, so all I could do is call support at my host and have them reboot my server. They said Cpanel had updated and needed a restart. Now my site is back up and https works on the main site. However, when I try accessing the forums using https, I either get the page with no template or a 404 error on the index.php. the forums work if I remove the "s" out of https. As far as I can tell comparing a backup, nothing has changed in the file structure or htaccess files.

Running phpBB3 3.2.5
Mysql 10.0.38-MariaDB
PHP Version 5.6.40
cPanel Version 80.0 (build 18)


website https: https://www.garrisoncorellia.com/phpBB3/index.php
website non-https: http://www.garrisoncorellia.com/phpBB3/index.php

User avatar
</Solidjeuh>
Registered User
Posts: 1611
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm
Contact:

Re: Site stopped working with https?

Post by </Solidjeuh> » Mon Jun 24, 2019 12:32 pm

It seems lots of scripts are blocked with https

Image
Register a free account & Play!!
~~~ https://www.solidjeuh.be ~~~
Have a secret? --> https://www.tellyoursecrets.eu

BeBop
Registered User
Posts: 43
Joined: Tue Sep 05, 2017 1:07 pm

Re: Site stopped working with https?

Post by BeBop » Mon Jun 24, 2019 1:01 pm

Dear runewollf we have a similar problem might I ask if you are hosted by UK2 please?

Thank you in advance.

Kimd Regards BeBop

runewolf
Registered User
Posts: 5
Joined: Mon Jun 24, 2019 11:59 am

Re: Site stopped working with https?

Post by runewolf » Mon Jun 24, 2019 1:04 pm

No I'm with another host.

runewolf
Registered User
Posts: 5
Joined: Mon Jun 24, 2019 11:59 am

Re: Site stopped working with https?

Post by runewolf » Mon Jun 24, 2019 2:39 pm

Ok seem to have it back up and working now. What we found was a ModSecurity rule causing issues. once it was whitelisted everything seems to be working fine.


ModSec number 211290
Request:
GET /phpBB3/index.php
Action Description:
Access denied with code 403 (phase 2).
Justification:
Pattern match "(?:'\\xbf?\\x22|\\x22\\xbf?'|^\\+?$)" at REQUEST_COOKIES:phpbb3_9ag8z_k.

Hope that helps others.

runewolf
Registered User
Posts: 5
Joined: Mon Jun 24, 2019 11:59 am

Re: Site stopped working with https?

Post by runewolf » Mon Jun 24, 2019 6:11 pm

I wish I could post the ruleset that caused the issue. But since it was generated by ModSecurity, the window where you would create the rule will not let you copy and paste what is inside the box. I could do a screen capture if that would help anyone here.

User avatar
EA117
Registered User
Posts: 641
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Site stopped working with https?

Post by EA117 » Mon Jun 24, 2019 6:32 pm

Sure, it wouldn't hurt to see more information. The log report of "Pattern match (?:'\\xbf?\\x22|\\x22\\xbf?'|^\\+?$)" already seemed pretty specific.

But on other sites having this same "cookies need to be cleared in order to not get 403" issue, the "k" cookie value isn't even set yet, and they're still getting 403. Meaning there isn't anything about the "k" cookie value, nor even the entire cookie string, that would logically "Pattern match (?:'\\xbf?\\x22|\\x22\\xbf?'|^\\+?$)".

So I've been assuming "it must be a different rule than the one runewolf encountered with a "Pattern match (?:'\\xbf?\\x22|\\x22\\xbf?'|^\\+?$)", but maybe seeing more details about the rule would illuminate things further.

So yeah, if you're able to show a screen shot of whatever rule you had to change or disable, it would be interesting to see and hopefully better understand why phpBB boards are being somewhat "exclusively" affected here.

runewolf
Registered User
Posts: 5
Joined: Mon Jun 24, 2019 11:59 am

Re: Site stopped working with https?

Post by runewolf » Tue Jun 25, 2019 12:02 pm

Sorry for the delay. here is a screen cap of the mod sec rule. My host just added my site to the whitelist for it apparently. On my end I had the option to turn it off.

Image

User avatar
EA117
Registered User
Posts: 641
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Site stopped working with https?

Post by EA117 » Tue Jun 25, 2019 2:22 pm

Thank you runewolf, appreciate the additional information. To my eye this still indicates that the rule engaged at REQUEST_COOKIES:phpbb3_9ag8z_k in your case, because the regular expression (?:'\\xbf?\\x22|\\x22\\xbf?'|^\\+?$) matched against that cookie. So I'm assuming that we don't see the cookie value that was present, and it actually could potentially match one or more of those three patterns.

It's not clear that this is actually true, because other users (and other boards I personally visited affected by this issue) were being denied even though the phpBB "k" cookie didn't have a value at all yet. i.e. First time visit, and no logged-in information could be saved yet. So it makes me wonder whether this isn't some kind of rule enforcement bug rather than a legitimate match.

But yours is the only one we were able to see the denial logging entry for thus far. So it's also possible the logs in those other cases might be reporting something other than "ModSec number 211290" as the reason for their denial. So its hard to draw a more definitive conclusion without seeing evidence from these other affected users.

For what it's worth, further updates to the false-positive report made on the Comodo public list confirm that other applications such as Web Host Manager, Wordpress and Opencart are being affected by this rule too; not just phpBB.

Thanks for your help in trying to better understand the issue that was affecting phpBB users here. The solution for now is certainly for a user or their hosting provider to disable this mod_security rule until Comodo comes to some conclusion as to how to prevent the false-positives.


Code: Select all

SecRule REQUEST_URI|ARGS_POST|ARGS_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:keyword|!ARGS_POST:wpEditToken "@rx (?:'\\xbf?\\x22|\\x22\\xbf?'|^\\+?$)" \
   "id:211290,msg:'COMODO WAF: XSS and SQLi vulnerability||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeWhitespace,rev:3,severity:2,tag:'CWAF',tag:'Generic'"

Post Reply

Return to “[3.2.x] Support Forum”