By Swooperz on

Hi. My customers are having trouble posting or editing content of any kind on their Drupal site. After checking into it and then viewing the error logs on the server I found this:

[Tue Mar 7 17:15:51 2006] [error] [client 71.208.234.82] mod_security: Access denied with code 404. Pattern match ".*([Cc][Cc]|[Bb][Cc][Cc]|[Tt][Oo])[[:space:]]*\\\\:.*\\\\@" at ARGS_VALUES("edit[body]") [hostname "activecitiesusa.com"] [uri "/?q=node/57/edit"] [unique_id "RA4GF8wKadwAAC@mBjQ"]

I found one post here about something similar and tried to change the /tmp folder under Settings to /wkg and it fails to see that the folder is there, reporting "permission denied. directory doesn't exist." The directory DOES exist, however, so maybe the code in file.inc just displays that one error for both "doesn't exist" or "already exists" scenarios.

ANYWHO!

What do you guys suggest? I am pulling my hair out on this one! :)

Thanks,
Alan

Categories: Drupal 4.6.x

Comments

heine’s picture

heine commented

Some options:

- Disable mod_security by (usually in httpd.conf)
commenting LoadModule security_module modules/mod_security.so or setting SecFilterEngine to Off in the ruleset

- Disable the offending rule in the ruleset (after <IfModule mod_security.c>), in this section you'll find if mod_security keeps an audit log by examining the line SecAuditLog [filename]. Check the audit log for clues and ask the clients what & where they entered content...

- Disable the POST filter: SecFilterScanPOST Off

(The above is for Apache 2 and assumes you have access to httpd.conf). As you probably know; restart Apache after changing the configuration.

Hope this helps somewhat...
--
Tips for posting to the forums.
When your problem is solved, please post a follow-up to the thread you started.

Swooperz’s picture

Swooperz commented

It's been fixed!

The problem was completely out of my control and hands. It was with my hosting company. In a fight against spam, they tightened their own security on the servers which was denying these changes. I am a reseller of web hosting, so I only have SO much control over these things.

My customers are using another CMS package as well, and the same thing was happening there, but just recently.

It seems to be that the php mail function is called on certain changes? I'm not exactly sure, but they are getting denied by the stricter security (mod?) on my servers. I only discovered this after looking at my Error Logs for the server, and not the main server log or Drupal WatchDog logs.

So, my advice for anyone running into this problem and not being able to fix it based on Heine's suggestions above, is to check with your provider to see if they can look into their security settings on your server.

Thanks for the replies,
Alan

3rdvalve’s picture

3rdvalve commented

I ran into a similar problem where php content would result in an Access denied error.

If you can't edit your server's httpd.conf file I found you can disable mod_security for your site by entering the following line into your .htaccess file within your public root directory:

SecFilterEngine Off

John
BabyFace Software, Inc.
http://www.babyfaceinc.com/