Last updated April 25, 2008. Created by JohnAlbin on January 17, 2007.
Edited by LeeHunter, Heine.
When submitting certain words in content, you receive a 403, 404, 406, 500 or "Page not found" error message.
This behaviour is most likely caused by the Apache module mod_security. Depending on its filter settings, phrases that trip the module include lynx, perl, mother, select from, table, cc:, and many more.
Ask your host to tone down the mod_security settings.
Alternatively you can try to add the following to .htaccess:
# Turn off mod_security filtering.
<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
This will turn off filtering by mod_security.
Not all hosts will allow this, so you may need to contact your hosting provider.
Comments
ModSecurity 2
The syntax for ModSecurity2 is a little different.
# Turn off mod_security filtering.
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
For me it didn't work in the .htaccess (.htaccess: SecRuleEngine not allowed here). So, I had to turn it off from the modsec2.conf
I ran into something similar
I ran into something similar while editing a CCK content type field in a newly deployed site on a VPS hosting account. I'd get a 500 Internal Server Error whenever I tried to submit a form to change a text select field with a large set of allowed values. When I checked my logs, mod_security rules 300016 and 300013 were getting false positives. Instead of removing mod_security altogether I put in an exclusion rule at the end of the mod_security configuration file. As discussed here... http://drupal.org/node/144582
I used the exclusion rule below so these wouldn't generate false positives when I was editing my content types.
#drupal exclusion rule
<LocationMatch "/admin/content/node-type/*">
SecRuleRemoveById 300013
SecRuleRemoveById 300016
</LocationMatch>
Thought it might be helpful.
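The log check and exclusion rule described in the comment above can be scripted. This is an added example, not part of the original comment or of ModSecurity: it assumes ModSecurity 2.x denial lines in the Apache error log with `[id "..."]` and `[uri "..."]` fields, and the function names, the sample log lines, rule id 999001 and the path /node/12 are constructed for illustration. It removes only the rule ids actually seen under one trusted admin path and reports denials elsewhere for manual review.

```python
import re
from collections import Counter

# Constructed sample error_log lines (ModSecurity 2.x style). Rule ids 300013 and
# 300016 and the admin path come from the comment above; timestamps, clients,
# messages, rule id 999001 and /node/12 are made up for this example.
SAMPLE_LOG = """\
[Tue Mar 02 10:15:01 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(constructed)" at ARGS:allowed_values. [file "/etc/modsec/rules.conf"] [line "10"] [id "300016"] [msg "constructed sample"] [hostname "example.org"] [uri "/admin/content/node-type/story/fields/field_color"] [unique_id "c1"]
[Tue Mar 02 10:15:09 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(constructed)" at ARGS:allowed_values. [file "/etc/modsec/rules.conf"] [line "7"] [id "300013"] [msg "constructed sample"] [hostname "example.org"] [uri "/admin/content/node-type/story/fields/field_color"] [unique_id "c2"]
[Tue Mar 02 10:17:30 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(constructed)" at ARGS:allowed_values. [file "/etc/modsec/rules.conf"] [line "10"] [id "300016"] [msg "constructed sample"] [hostname "example.org"] [uri "/admin/content/node-type/page/fields/field_size"] [unique_id "c3"]
[Tue Mar 02 10:20:44 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "55"] [id "999001"] [msg "constructed sample"] [hostname "example.org"] [uri "/node/12"] [unique_id "c4"]
[Tue Mar 02 10:21:02 2010] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
"""

DENY = re.compile(r'ModSecurity: Access denied.*?\[id "(\d+)"\].*?\[uri "([^"]*)"\]')

def parse_denials(log_text):
    """Return (rule_id, uri) for every ModSecurity denial line in the log."""
    return [m.groups() for m in map(DENY.search, log_text.splitlines()) if m]

def rules_to_exclude(denials, prefix):
    """Count denials per rule id, only for URIs under the trusted prefix."""
    return Counter(rid for rid, uri in denials if uri.startswith(prefix))

def outside_prefix(denials, prefix):
    """Denials elsewhere on the site: review these by hand, never auto-exclude."""
    return sorted({(rid, uri) for rid, uri in denials if not uri.startswith(prefix)})

def render_exclusion(denials, prefix):
    """Build a LocationMatch block that removes only the observed rule ids."""
    ids = sorted(rules_to_exclude(denials, prefix), key=int)
    if not ids:
        return ""
    # Anchor the path and escape regex metacharacters so nothing else matches.
    pattern = "^" + re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", prefix)
    body = "\n".join(f"    SecRuleRemoveById {rid}" for rid in ids)
    return f'<LocationMatch "{pattern}">\n{body}\n</LocationMatch>'

if __name__ == "__main__":
    hits = parse_denials(SAMPLE_LOG)
    print(render_exclusion(hits, "/admin/content/node-type/"))
    for rid, uri in outside_prefix(hits, "/admin/content/node-type/"):
        print(f"# not excluded, review manually: rule {rid} on {uri}")
```

As the comment notes, the generated block belongs at the end of the mod_security configuration file, after the rules it removes have been loaded.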
Multiple .htaccess?
Which .htaccess is this referring to? The one in the top of the Drupal installation folder, or the one in the "sites/default/files/" folder?
I've been trying to deal with an error that is similar to this, where it seems to happen randomly with POSTs, but adding these lines to the .htaccess in the top Drupal folder didn't have any effect. The .htaccess in sites/default/files is write-protected, so I'd like some confirmation before screwing anything up :)
Alternative solution
Instead of turning off mod_security (ouch) or disabling caching, here's another solution that I think will work.
If mod_security is returning HTTP 406 code, then simply create 406.html file with some error message and add "ErrorDocument 406 /406.html" to .htaccess, to have something like:
# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php
# Special static page for mod_security errors
ErrorDocument 406 /406.html
This way Drupal will not serve pages denied by mod_security, so they'll not be cached as well.
Wiktor Walc
http://ckeditor.com
"Support Open Source Software"
_
Hi,
I have what looks like a similar issue posted here: http://drupal.org/node/684698 . Unfortunately I haven't found a solution yet. I'm receiving 406.shtml errors, I added the first snippet (the others posted here break return errors.) but it didn't fix my problem. My admin pages load twice as fast, though. Which is nice :)
Does anyone have any suggestions?
Cheers,
Danny
--Edit: I contacted my hosting company (hostpapa.ca) and they fixed it for me. They said that they use mod_security version 2 which cannot be controlled through .htaccess files. It's good to know when the code snippets provided here fail to work.
Can't login - 403 Forbidden
D6: I was getting a mysterious 403 Forbidden whenever I tried to log in. Fixed the issue by turning off the open ID module.
http://drupal.org/node/797478
406.shtml when attempting to save configuration type settings
After reconfiguring my directory structure somewhat, I also started receiving Page not found errors. The watchdog file showed the 406.shtml in the message field. I told my web host about the possible connection to mod_security.c or mod_security2.c. Sure enough, after they turned off mod_security everything worked fine. I'm not too thrilled about having mod_security turned off entirely though, and have asked them if they can tune it to not be so aggressive.
I'm not sure what the restructure would have done to cause this error, though. I have asked my host to give me some more information so that I can see if I can track it down in the code.
I have the same thing,
I have the same thing, however only for non-admin roles, and it seems to be any HTML at all that is not allowed... really frustrating... I don't know where to make the mod_sec changes, as I don't have root access to this co-location server. Is there nothing in Drupal one can set?
Similar issue; my hosting company relaxed the mod_security rules
I ran into a similar scenario: Suddenly, when I tried to update the footer in Admin> Site Information and when I used HTML formatting in the footer text, I started to receive a 403 error. (Applying HTML formatting is the key to creating the error.) Thanks to the info here and a few other places, I was able to try different solutions -- but with no success.
I contacted my site host (ANHosting) and asked if they could see if it was related to mod_security. (I gave them a user account for my site so they could reproduce the error and test.) They said they "relaxed the mod_security for my site" and now it's working fine for me.
I wish I knew what they did exactly so I could share here, but alas, they didn't give me that info.
Hope this helps someone else.
- aenw
Javascript Bookmarklets Blocked on AN Hosting
I hit a similar issue on my server hosted by AN Hosting - every attempt to submit one of my blog posts redirected to 403 Forbidden.
It appears my issue was in attempting to post bookmarklets as links. I'm assuming mod_security blocks JavaScript in links.
In my case, I was able to make do without putting JavaScript in the links.
Took me a long time to figure out this issue on Midphase servers
Took me a long time to figure out mod security settings at Midphase caused 403's on
two separate Drupal administration forms;
admin/build/contact/settings
admin/settings/outbrain
On first glance it seemed a .htaccess issue related to running Drupal in a subdirectory
Secondly an issue with the Drupal forms API
NONE of that. The fix was a mod security exception for my sites made by the administrators.
The issue is described in detail in:
http://drupal.org/node/1586130
http://drupal.org/documentation/modules/contact