CiviCRM Community Forums (archive)

Hey Folks,

I have (what was until very recently) a fully functioning installation of CiviCRM (Version 3.1, Drupal 6.15)

Now when I use the Advanced Search feature, select "Export Contacts", select the fields for export, then click Continue, I'm met with a big nasty "Error 403: Forbidden" error.

This is what my error log spits out:

[Sat Oct 09 23:29:12 2010] [error] [client **IP ADDRESS**] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(< ?(?:script|about|applet|activex|chrome).*(?:script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?(>|<)|< ?/?i?frame|\\%env)" at ARGS:_qf_Select_next. [file "/hsphere/shared/apache2/conf/modsecurity.d/10_asl_rules.conf"] [line "690"] [id "340147"] [rev "56"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter"] [data ".php?"] [severity "CRITICAL"] [hostname "**HOSTNAME**"] [uri "/extranet/index.php"] [unique_id "TLFBGEj5ScMAAHWlFhAAAAAA"]

So, I contacted my hosting company (shared hosting, unfortunately), who claimed they "posted a mod security exclude in order to fix this issue", which didn't fix the issue. This was what they also suggested:

"It appears that rule might be hit because the argument "_qf_Select_next" is empty. Filling it with some data may help this..." OK, well, I have no idea what they're talking about. I searched Google and this forum but found no similar issues or possible solutions.

Has anyone else experienced similar issues with modsecurity? Any suggestions for a possible solution?

Thanks in advance!

Your hosting company is probably giving you a spurious reply. That rule in mod_security looks like a test for cross site scripting exploits. It's possible that there are such exploits in CiviCRM (even, probable), but the error message doesn't provide enough info to track it down. I can't find the string "qf_Select_next" in the civicrm code base or by googling.

In general - I don't think you want them running mod_security on your CiviCRM code, but they're probably a big hosting company desperately trying to reduce the amount of security holes in all the other software that's running on their system. If they are going to run it, they should be providing better information ...

I have the same problem when trying to create a contribution page.

Here is the error after the first page of the process is filled out and submitted:


Tue Sep 04 14:04:32 2012] [error] [client 206.174.101.235] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\\" ?> ?<|\\" ?[a-z]+ ?<.*>|> ?\\"? ?(>|<)|< ?/?i?frame|\\\\%env)" at ARGS:_qf_Settings_next. [file "/usr/local/apache/conf/modsec2_rules/10_asl_rules.conf"] [line "903"] [id "340147"] [rev "81"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter"] [data "666"] [severity "CRITICAL"] [hostname "test.nscfundalaska.org"] [uri "/civicrm/admin/contribute/add"] [unique_id "UEZe0NHsR0IAAFqpRh4AAAAp"]


AN hosting says they are willing to grant an exception on a case by case basis, but not for the whole code base.

I've seen odd Page Not Found errors in various places of the admin UI, so I am going to have to just bump into them one at a time and get an exception.  Am under a tight deadline to deploy.

Would love it if there was a point-source to this issue we could fix.

Thanks for that.  Will try it.

I just finished a debug session with AN Hosting and they had to allow Mod_security to allow the following three error codes in order for the Create Contribution Page sequence to work:

340147
390709
340148

So hopefully that is a clue for those who follow.

found the same error with contact import.