SOLVED Posting the word "get" in forms results in 403 error on Passenger website

[Fabius]

I have a Django (python) website that's working fine using Passenger. All good!

Except for one very strange thing - if I have a form with a textarea and I submit text like this:

test
get test

then I get a 403 Forbidden error. To generate the error:

• The form can use GET or POST method
• The word "get" must start a new line, but not the first one
• The word "get" must be followed by a space (and optionally more text)
• The word "get" can be replaced by any other HTTP method name, in any case ("POST", "Put", etc)
• The form can just be a GET form to its own URL, on a static page, so it's not being processed by Django
• In fact I don't even need the form itself - I can append this query string to any URL to generate the error: ?test=foo%0D%0Aget+foo

I'm very puzzled! It means I can't input any lines in any textarea that starts with an HTTP method name. Bizarre.

I feel this must be something that Passenger is catching something it thinks is problematic but I've no idea how to stop it.

 

[cPRex]

Hey there! Do you have ModSecurity enabled on the machine? If so, do you see anything in the Apache logs when this error happens?

 

[Fabius]

Hi! Yes, ModSecurity appears to be enabled for this domain. Here's a line from the logs from when I added that query string:

92.41.4.241 - - [03/Feb/2023:06:47:57 -0500] "GET /?test=foo%0D%0Aget+foo HTTP/2.0" 403 543 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15"

 

[cPRex]

If you disable ModSecurity, are you able to post normally?

 

[Fabius]

Yes, turning off ModSecurity means it works!

So, why is that? Is there a way to enable ModSecurity without it doing... whatever it is it's doing here?

 

[quietFinn]

You can find the rule id in ModSecurity log (/etc/apache2/logs/modsec_audit.log), and then add an exception to disable that rule for the domain in question.
I use ConfigServer ModSecurity Control for that.

 

[Fabius]

My server doesn't have a /etc/apache2/logs/modsec_audit.log.

/etc/apache2/logs leads to /usr/local/apache/domlogs but I don't have permission to see what's in there.

 

[quietFinn]

You need root access to be able to see that file.

 

[cPRex]

@Fabius - if you don't have root access, you can ask your host if they can check the log and adjust that rule for you.

 

[Fabius]

Thanks both. I got in touch with the hosting service and they were able to look in the logs and disable the offending rule. It now all works!

The only downside is they didn't tell us what the rule was, so we'll never know.

 

[cPRex]

I'm glad they were able to help with that!