Moodle / MDL-16746

403 Forbidden errors possibly caused by characters 'set'

    Details

    • Database:
      MySQL
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE
    • Rank:
      24270

      Description

      Four days ago certain pages started returning unexplained 403 forbidden errors. A common element seems to be the rejection of the characters 'set.' Affected items thus far include label resources, web or text page resources, assignments and some core pages that include radio button fields with 'set'.

      For items where text input is required, including text without the characters 'set' seems to work. Including 'set' characters returns a 403 error. I discovered this by inserting a few paragraphs, then individual words, at a time to see what was being accepted and what wasn't since the 403 errors did not seem consistent. I tested and confirmed the rejection of the characters 'set' numerous times.

      Interestingly, I created a web page resource about 10 days ago that included several instances of 'set.' No problem at that time. Yesterday, however, when I tried to edit that same resource (simply trying to strike through a different text), I continued to receive the 403 error until I removed the originally included text phrases 'set.'

      It may be worth noting that when I click on the edit icon, I view the page: http://www.moodlesite/moodle/course/modedit.php?update=xxx&return=0, (for example) but then after trying to save/update, the 403 error indicates that we can not view page: http://www.moodlesite/moodle/course/modedit.php

      This occurs also from another page that does not allow for text input: Site Admin Block>users> permissions>define roles. This displays page: http://www.moodlesite/moodle/admin/roles/manage.php prior to selecting edit.

      After selecting edit it displays page: http://www.moodlesite/moodle/admin/roles/manage.php?action=edit&roleid=1 . Here we don't even have to make a change, we just select "Save Changes," and the 403 error appears, stating we don't have permission to view http://www.moodlesite/moodle/admin/roles/manage.php (which we were viewing before selecting the edit icon).

      What's interesting here is that while we don't input the text "set," the page is required to process "Not Set" fields.
      One more note: This does not occur in all modules (for example 'edit course settings' or quizzes), only select ones.

      Several days prior to this problem I installed Activity Locking, ASCIImathml.js and Dragmath. For Activity Locking and Dragmath I made the recommended modifications for Moodle 1.9.2. For ASCIImathml.js I had to place the script and d.svg in the quiz folder to make it work with quizzes. I read somewhere that the core moodle tex filter doesn't work right with Debian servers (which is our host), so when I discovered this problem, I turned all the math filters off, thinking maybe they were trying to convert something (heck! I don't know!), but the 403 errors still continue...

      I would be happy to provide a user/password for you to assess the issue on our site.

      ANY suggestions would be most appreciated! We're at a standstill.

        Activity

        Sharon Goodson added a comment -

        This was a short ticket. We solved the problem (thus far) by adding a .htaccess file with "SecFilterEngine Off
        SecFilterScanPOST Off" in the affected folders.

        Thank you Gordon Bateson on Moodle forum for the suggestion!

        Eloy Lafuente (stronk7) added a comment -

        Closing as not a bug (mod_security in action). Just for ulterior references, the discussion in moodle.org forums is:

        http://moodle.org/mod/forum/discuss.php?d=107067

        Thanks for feedback. Ciao

