OllieMackJames
Posted February 14, 2020

When I access Hanna Code and try to save something I get a "403 Forbidden Access to this resource on the server is denied!" error.

I am on a CentOS LiteSpeed VPS with latest PW and latest Hanna Code module.

Anybody have any ideas?

teppo
Posted February 14, 2020

In most cases (probably all I've heard of so far) this type of issue is caused by the security settings on the host, mod_security (ModSecurity) module, etc. LiteSpeed apparently has its own WAF feature, so that's probably where I'd start digging into this; is something like that enabled, have you recently made any changes on the host, or could the host have been updated by someone else?

Has this worked before?

OllieMackJames
Posted February 15, 2020

@teppo thanks for your thoughts.

This has worked before, and fortunately the code still works, but when I try to change anything and save, it throws this error.

I changed VPS recently and moved from FreeBSD to CentOS with LiteSpeed and different security settings on the host than before, so this must indeed be the problem. The error screen indeed shows LiteSpeed at the bottom, so it seems like a server thing rather than a ProcessWire thing.

Now the big question is what do I need to change where so it will work again.

What is it in Hanna Code that triggers WAF, any ideas?

Thanks again teppo.

teppo
Posted February 15, 2020 (edited)

> 13 minutes ago, OllieMackJames said:
> What is it in Hanna Code that triggers WAF, any ideas?

It's not so much about Hanna Code specifically, but rather posting (obvious) code via any web form. ModSecurity and different WAF implementations may detect this and assume malicious intent, which is problematic here since we actually want (authenticated) users to be able to post code.

The easiest thing to do would be disabling this feature altogether, either globally or at htaccess level for a specific site. I'm not familiar with this solution so I've no idea if there's some way to keep it on for most users and/or just disable parts of it, but you may find more about that from the LiteSpeed manual.

Edit: at least in Apache you can wrap <IfModule></IfModule> with <Directory /some/path/on/disk/></Directory>, which might help to selectively disable this feature. And it's also possible to check if a cookie exists, in which case you could sniff for a "wires" cookie first, though I've never tested this in practice and don't know if those will work together.

Edited February 15, 2020 by teppo

adrian
Posted February 15, 2020

I'd run this check to see if mod_sec is running first and if so, then you can figure out how to disable it.

Macrura
Posted February 15, 2020

I have a hosting account that runs LiteSpeed, and I use this snippet in the .htaccess, which was recommended by Ryan.

    <IfModule security2_module>
    # Allow ModSec rule processing without disruptive action
    SecRuleEngine DetectionOnly
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

OllieMackJames
Posted February 15, 2020

> 3 hours ago, Macrura said:
> I have a hosting account that runs LiteSpeed, and I use this snippet in the .htaccess, which was recommended by Ryan.
>
>     <IfModule security2_module>
>     # Allow ModSec rule processing without disruptive action
>     SecRuleEngine DetectionOnly
>     SecFilterEngine Off
>     SecFilterScanPOST Off
>     </IfModule>

Thanks @Macrura, unfortunately that did not work for me. Where did you put this in your htaccess?

Thanks

Macrura
Posted February 15, 2020

I put it as first thing

OllieMackJames
Posted February 16, 2020

> 12 hours ago, Macrura said:
> I put it as first thing

Thanks @Macrura, sorry to bother, but is that in root htaccess or in site?

Funny thing is that Hanna Code allows me to save as long as there is no PHP code in there.

Macrura
Posted February 16, 2020

In root; you can also exclude certain rules, I'll check some of the other sites.

Macrura
Posted February 16, 2020

On one of the sites, the host put this in, so if you figure out the ID of which rule is being triggered, you would add this, in addition to the more general snippet.

    <LocationMatch "/">
    SecRuleRemoveById 77218500
    </LocationMatch>

If you have access to the Formbuilder forum, there are around 4-5 posts about this similar issue with various examples of htaccess rules, remove by ID etc.

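One way to find the ID of the rule being triggered, as the last post suggests, is to read it from the WAF log. The following is an added example, not code from the thread: it assumes the host writes entries in the Apache ModSecurity 2.x error-log style (LiteSpeed's log may differ), and the log lines, rule IDs, the `hc_code` argument and the `/processwire/` admin path are all constructed. It keeps only rules that actually denied a request under the admin path and emits a `SecRuleRemoveById` block scoped to that path rather than to `/`.

```python
import re
from collections import Counter

# Constructed log lines in Apache ModSecurity 2.x error-log style; the rule
# IDs, messages, paths and addresses are invented for this example.
SAMPLE_LOG = r'''
[Sat Feb 15 10:12:01 2020] [:error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<\?php" at ARGS:hc_code. [file "/etc/modsec/example.conf"] [line "42"] [id "900001"] [msg "PHP code in request body"] [severity "CRITICAL"] [hostname "example.test"] [uri "/processwire/setup/hanna-code/edit/"] [unique_id "aaa"]
[Sat Feb 15 10:12:09 2020] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "eval\(" at ARGS:hc_code. [file "/etc/modsec/example.conf"] [line "57"] [id "900002"] [msg "Function call in request body"] [hostname "example.test"] [uri "/processwire/setup/hanna-code/edit/"] [unique_id "bbb"]
[Sat Feb 15 10:13:30 2020] [:error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:q. [file "/etc/modsec/example.conf"] [line "80"] [id "900003"] [msg "SQL keywords in query"] [hostname "example.test"] [uri "/search/"] [unique_id "ccc"]
[Sat Feb 15 10:14:02 2020] [:error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<\?php" at ARGS:hc_code. [file "/etc/modsec/example.conf"] [line "42"] [id "900001"] [msg "PHP code in request body"] [hostname "example.test"] [uri "/processwire/setup/hanna-code/edit/"] [unique_id "ddd"]
'''

TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # matches [key "value"]

def parse_line(line):
    """Return the tags of one ModSecurity entry, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    entry = dict(TAG.findall(line))
    entry["blocked"] = "ModSecurity: Access denied" in line
    return entry

def blocking_rules(log_text, uri_prefix):
    """Count rules that actually denied requests under uri_prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if (entry and entry["blocked"] and "id" in entry
                and entry.get("uri", "").startswith(uri_prefix)):
            hits[(entry["id"], entry.get("msg", ""))] += 1
    return hits

def exclusion_snippet(hits, uri_prefix):
    """Build a LocationMatch block limited to uri_prefix and the given rules."""
    ids = " ".join(sorted({rule_id for rule_id, _ in hits}))
    return (f'<LocationMatch "^{re.escape(uri_prefix)}">\n'
            f'SecRuleRemoveById {ids}\n'
            f'</LocationMatch>')

if __name__ == "__main__":
    found = blocking_rules(SAMPLE_LOG, "/processwire/")
    for (rule_id, msg), count in found.most_common():
        print(f"{count}x id={rule_id} msg={msg}")
    print(exclusion_snippet(found, "/processwire/"))
```

Rules that only logged a warning, or that fired on other paths such as a public search form, stay enabled.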