  1. Moodle
  2. MDL-16746

403 Forbidden errors possibly caused by characters 'set'

    Details

    • Database:
      MySQL
    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE

      Description

      Four days ago certain pages started returning unexplained 403 forbidden errors. A common element seems to be the rejection of the characters 'set.' Affected items thus far include label resources, web or text page resources, assignments and some core pages that include radio button fields with 'set'.

      For items where text input is required, including text without the characters 'set' seems to work. Including 'set' characters returns a 403 error. I discovered this by inserting a few paragraphs, then individual words, at a time to see what was being accepted and what wasn't since the 403 errors did not seem consistent. I tested and confirmed the rejection of the characters 'set' numerous times.

      Interestingly, I created a web page resource about 10 days ago that included several instances of 'set.' No problem at that time. Yesterday, however, when I tried to edit that same resource (simply trying to strike through a different text), I continued to receive the 403 error until I removed the originally included text phrases 'set.'

      It may be worth noting that when I click on the edit icon, I view the page: http://www.moodlesite/moodle/course/modedit.php?update=xxx&return=0, (for example) but then after trying to save/update, the 403 error indicates that we can not view page: http://www.moodlesite/moodle/course/modedit.php

      This occurs also from another page that does not allow for text input: Site Admin Block>users> permissions>define roles. This displays page: http://www.moodlesite/moodle/admin/roles/manage.php prior to selecting edit.

      After selecting edit it displays page: http://www.moodlesite/moodle/admin/roles/manage.php?action=edit&roleid=1 . Here we don't even have to make a change, we just select "Save Changes," and the 403 error appears, stating we don't have permission to view http://www.moodlesite/moodle/admin/roles/manage.php (which we were viewing before selecting the edit icon).

      What's interesting here is that while we don't input the text "set," the page is required to process "Not Set" fields.
      One more note: This does not occur in all modules (for example 'edit course settings' or quizzes), only select ones.

      Several days prior to this problem I installed Activity Locking, ASCIImathml.js and Dragmath. For Activity Locking and Dragmath I made the recommended modifications for Moodle 1.9.2. For ASCIImathml.js I had to place the script and d.svg in the quiz folder to make it work with quizzes. I read somewhere that the core moodle tex filter doesn't work right with Debian servers (which is our host), so when I discovered this problem, I turned all the math filters off, thinking maybe they were trying to convert something (heck! I don't know!), but the 403 errors still continue...

      I would be happy to provide a user/password for you to assess the issue on our site.

      ANY suggestions would be most appreciated! We're at a standstill.

          Activity

          jrily Sharon Goodson added a comment -

          This was a short ticket. We solved the problem (thus far) by adding a .htaccess file with "SecFilterEngine Off
          SecFilterScanPOST Off" in the affected folders.

          Thank you Gordon Bateson on Moodle forum for the suggestion!

          stronk7 Eloy Lafuente (stronk7) added a comment -

          Closing as not a bug (mod_security in action). Just for ulterior references, the discussion in moodle.org forums is:

          http://moodle.org/mod/forum/discuss.php?d=107067

          Thanks for feedback. Ciao
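
Added example, not part of the ticket or of Moodle's code: a log triage that lists the directories where a script is served on GET but its POST is refused with 403, the symptom described in this issue, so that a mod_security override can be limited to those folders. It assumes Apache combined-format access logs; the sample lines and the function name `blocked_form_posts` are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not taken from the ticket's server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2008:09:12:01 +0000] "GET /moodle/course/modedit.php?update=12&return=0 HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2008:09:12:40 +0000] "POST /moodle/course/modedit.php HTTP/1.1" 403 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2008:09:15:02 +0000] "GET /moodle/admin/roles/manage.php?action=edit&roleid=1 HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2008:09:15:20 +0000] "POST /moodle/admin/roles/manage.php HTTP/1.1" 403 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2008:09:20:11 +0000] "POST /moodle/course/edit.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2008:09:21:00 +0000] "GET /moodle/config.php HTTP/1.1" 403 312 "-" "curl/7.18"
"""

# Request line and status code of one combined-format entry.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def blocked_form_posts(log_text):
    """Map directory -> scripts that answered GET with 200 but POST with 403."""
    seen = defaultdict(set)  # script path -> {(method, status), ...}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = urlsplit(m.group("target")).path  # drop the query string
        seen[path].add((m.group("method"), int(m.group("status"))))

    affected = defaultdict(list)
    for path, events in seen.items():
        # The form page loads, but submitting it is refused: a filter on the
        # POST body is a likelier cause than a file permission problem.
        if ("GET", 200) in events and ("POST", 403) in events:
            affected[posixpath.dirname(path)].append(posixpath.basename(path))
    return {d: sorted(scripts) for d, scripts in affected.items()}


if __name__ == "__main__":
    for directory, scripts in sorted(blocked_form_posts(SAMPLE_LOG).items()):
        print(directory, scripts)
```
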



              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                15/Oct/08