mod_security causing issue?

by **Soulreaver418** » Tue Nov 25, 2008 8:43 pm

I haven't seen this posted anywhere, or at least where I could find with the magical search button.

Anyhow, problem is when I go to install roster, I get to the 2nd step, to write the mysql tables, and it goes to a blank page, error 406.

Now, I know this is nothing to do on my end, it's the server security settings, however I have spoken to my webmaster and he can not allow name=http:// type calls. Anyone know if I can work around this? Other than changing hosts?

I can manually create the sql tables no problem, but I need to know what else is written during that setup so that I might be able to manually do it, or if that is even possible...

the original message I received was:

I can't allow the name=http:// type calls as that is the same type call that the hackers use. You will need to find a work-around.

<off topic> Why is the website soooooooo slow, and lockup-ish?

by **Calystos** » Tue Nov 25, 2008 9:18 pm

Don't know if this'll help you but it worked for me when my server host had security mod issues.

Create or Edit .htaccess and add the following to it (I added to the top but anywhere should be fine I guess).

Code: Select all: # Turn off mod_security filtering. SecFilterEngine Off SecFilterScanPOST Off

Hope that helps, as I said it worked for me. Then I finally got the admin to change the security settings on php, hehe. :-)

EDIT: Dumb me, I left in the # bits by mistake, doh!

by **Soulreaver418** » Tue Nov 25, 2008 10:36 pm

Unfortunately this did nothing, thank you for the suggestion!

by **zanix** » Tue Nov 25, 2008 10:39 pm

We have been fighting mod_security for years and other than the suggestion by Calystos, we have yet to win

Nobody has found the exact cause of this problem

by **Soulreaver418** » Tue Nov 25, 2008 10:56 pm

Sad panda....

Sad panda indeed.

I will continue to work out this problem with my webhost, as I throughly enjoyed using roster a while back and looked forward to doing it again.

I'll post any new info I get here, one thing he did ask was:

What is the purpose of the name=http:// value pair? Is it actually linking to an external site?

by **Calystos** » Wed Nov 26, 2008 2:22 am

Sorry to hear it didn't work, well it was worth a try,

Hopefully one day sooner or later someone will figure out the root cause and we'll have a proper fix.

Til that day, all I can think of are two choices, 1) switch to a different host service or 2) get the existing service admin to allow the security changes on your account. Or at least partly to allow certain parts to work again. Who knows maybe they'll change their minds if you discuss it clearly with them and explain whats needed and what its for and what it will do, etc. No harm in trying, an maybe they'll actually listen,

by **Soulreaver418** » Wed Nov 26, 2008 3:50 am

Yea, I tried to discuss it with him, (him being the developer of RavenNuke, as thats where I host my site) but he didn't want to open that as hackers use the same pair or w/e.

So, looks like I am upcreek without a paddle, unless someone can tell me how to manually install wowroster.

by **Calystos** » Wed Nov 26, 2008 4:27 am

What, he can't open it per-user account?

Sounds to me like he's a bit over-paranoid. I bet theres major problems having this disabled let alone the roster situation. I'm gonna have to look into that I think, hehe. Am curious now.

EDIT: Manual install is possible if you have access to something like phpMyAdmin perhaps, then you can upload the SQL database that way. Though it'll be a bit fiddly as you'd have to manually upload the data/etc too. Then you can simply edit the config file to point to it and away you go.

Not sure if there would be anything more to it than that or if you'd even have any other problems with the security issues.

by **Soulreaver418** » Wed Nov 26, 2008 4:44 am

Ok, so I googled the .htaccess you posted and came across this,

<IfModule mod_security.c>
# Turn off mod_security filtering. SMF is a big boy, it doesn't need its hands held.
SecFilterEngine Off

# The below probably isn't needed, but better safe than sorry.
SecFilterScanPOST Off
</IfModule>

I pasted it into the .htaccess at my server root and the one in the roster root dir and its working now. *shrug*

by **ScratchMonkey** » Wed Nov 26, 2008 9:03 am

That's basically the one posted earlier, but the earlier one had the Apache directives commented out, so it wouldn't have had any effect. (The IfModule tags keep the web server from throwing an error if used on a server that doesn't have mod_security installed.)

by **zanix** » Wed Nov 26, 2008 9:05 am

I would like to know what the name=http:// value pair thing your host asked is about, or where he has seen it

by **zanix** » Wed Nov 26, 2008 9:21 am

Can you do me a favor?

Reinstall Roster
Remove your edits to .htaccess
Remove this section in install.php

Code: Select all: $location = str_replace('http://www.wowroster.net','',ROSTER_UPDATECHECK); $sh = @fsockopen('wowroster.net', 80, $errno, $error, 5); if( !$sh ) { $their_roster_version = 'Connection to wowroster.net failed.'; } else { @fputs($sh, "GET $location HTTP/1.1\r\nHost: wowroster.net\r\nConnection: close\r\n\r\n"); while( !@feof($sh) ) { $content = @fgets($sh, 512); if( preg_match('#<version>(.+)</version>#i', $content, $version) ) { $their_roster_version = $version[1]; break; } } } @fclose($sh);

And try to install again

by **Calystos** » Wed Nov 26, 2008 7:21 pm

ScratchMonkey wrote:That's basically the one posted earlier, but the earlier one had the Apache directives commented out, so it wouldn't have had any effect. (The IfModule tags keep the web server from throwing an error if used on a server that doesn't have mod_security installed.)

Yup, I just noticed I'd left in the # bits on the 2 command lines by mistake. Its cos I just copied/pasted them direct from my .htaccess file since I rem'd them out as I no longer needed them, lol.