403 Forbidden error when adding bug note or any other notes/text

yesyes

403 Forbidden error when adding bug note or any other notes/text

Post by yesyes »

I'd pull my hair out over this, if I had any hair left. I'm hoping to get some help on this on here...

I have a dedicated VMware server with CentOS Web Panel running on one of the VMs. On a subdomain I have installed Mantis 1.3.1. All was working fine for a year and a half. Then I migrated everything to a newer and faster VMware server. I cloned the VMs over to the new server and also kept the same IP addresses for each VM. So much for a bit of history.

Now, when I want to add a bug note, add or update version info in a project, or basically enter any text in one of the text boxes, most of the time I get a 403 Forbidden error like these:

    Forbidden
    You don't have permission to access /manage_proj_ver_update.php on this server.

    Forbidden
    You don't have permission to access /bugnote_add.php on this server.

With a bit of experimentation I found that it seems it doesn't like certain characters or combinations of characters. If I just enter a bit of normal text like "blah blah blah" it works fine and the note is added. It does give me the 403 error when the text includes "0x" or double quotes, for example. I haven't quite figured out all of the combinations that cause the error.

The fact that it works with text like "blah blah blah" would suggest that this is not an issue with permissions to the php files or other files, but something that Mantis itself seems to be blocking.

I found one very old post on a forum describing a similar issue but that never got resolved (or the resolution wasn't posted). It suggested it might be caused by the plugin "MantisBT Formatting 1.3.0". I went into the configuration of that plugin and disabled all 3 options, but the result is still the same.

Does anyone have any idea what might be causing this? Or where to look for further clues? I'm not really familiar with Mantis or Apache log files, but I'm more than willing to learn...
yesyes

Re: 403 Forbidden error when adding bug note or any other notes/text

Post by yesyes »

Nobody has any idea what might be causing this? Not even where I could start looking (logs)?
Starbuck

Re: 403 Forbidden error when adding bug note or any other notes/text

Post by Starbuck »

You've done a good job to diagnose that this only occurs with specific content. So yes, the next thing to do is to diagnose where it's happening.

The error might occur when email is going out with the specific text.

Get the logs going:

    // In config_inc.php: log everything, to a file the web server user can write to.
    $g_log_level = LOG_ALL;
    $g_log_destination = 'file:/path/to/writable/folder/mantis.log';

Only keep that enabled for testing. The logs are fairly easy to read.

Since the 403 Forbidden error is coming from the web server, yes, check your web server log (info widely available) to see what the exact URL is that is causing it to choke.

    The server understood the request, but is refusing to fulfill it. ... The Apache web server returns 403 Forbidden in response to requests for URL paths that correspond to file system directories when directory listings have been disabled in the server and there is no Directory Index directive to specify an existing file to be returned to the browser. -- Wikipedia

I'm thinking Mantis could be trying to route to a specific URL based on the content, like the root directory of your installation, and you don't have Apache configured with the index page as the default. For this, you need a setting in Apache or a .htaccess file.

yesyes

Re: 403 Forbidden error when adding bug note or any other notes/text

Post by yesyes »

Thanks for that! That gives me something to go on.
I see nothing suspicious in the Mantis log. However, in the Apache log I found an entry that looks like the cause of the issue. Apache seems to think it's an SQL injection attack (IP and host name masked out):

[Sat Apr 14 14:35:16.296374 2018] [:error] [pid 19629:tid 140433977960192] [client 212.159.***.***:58963] [client 212.159.***.***] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 3 at TX:sqli_select_statement_count. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "108"] [id "981317"] [rev "2"] [msg "SQL SELECT Statement Anomaly Detection Alert"] [data "Matched Data: Upgrade-Insecure-Requests found within TX:sqli_select_statement_count: 3"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "tickets.******.info"] [uri "/manage_proj_ver_update.php"] [unique_id "WtIDlLPmD-wQFc33FIAXKwAAAFU"], referer: http://tickets.******.info/manage_proj_ver_edit_page.php?version_id=12

So it looks like it doesn't like something in the SQL command that would save the text to the database.
I'm still not sure what I can do about that and why it worked on the old server.
atrol

Re: 403 Forbidden error when adding bug note or any other notes/text

Post by atrol »

Was Apache ModSecurity also installed/enabled on the old server?

Do you get any errors or warnings concerning PHP when running admin/check/index.php?

As a side note, running Mantis 1.3.1 can't be recommended as there are a lot of known bugs (also security related) in it.
You should at least upgrade to the latest 1.3.x, which is 1.3.14 at the moment.
yesyes

Re: 403 Forbidden error when adding bug note or any other notes/text

Post by yesyes »

Thanks for your help.

I have now "fixed" it by changing "SecRuleEngine On" to "SecRuleEngine Off" in the file /usr/local/apache/conf.d/mod_security.conf

It's probably not the best idea but it works for now...

And thanks for the tip about upgrading.
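The fix in the last post switches the whole rule engine off for every request on the server. As an added example that is not from this thread or from MantisBT, the configuration below keeps ModSecurity enabled and instead excludes only the rule that produced the false positive; the rule id (981317), the matched header (Upgrade-Insecure-Requests) and the two script names come from the log entry quoted above, while the config file location and vhost layout are assumptions.

```apache
# Added example: narrow ModSecurity exclusion instead of disabling the engine.
# Assumed location: a vhost or conf.d fragment loaded after the CRS rule files.

# --- Weak setting (what the thread ended with): WAF is off for every request ---
# SecRuleEngine Off

# --- Corrected: engine stays on; switch to DetectionOnly while you test, so
#     hits are still logged but nothing is blocked.
SecRuleEngine On
# SecRuleEngine DetectionOnly

# Option A: stop rule 981317 from inspecting the header that triggered it.
# This applies to every request, but only that one header is excluded, so
# request bodies (the actual bug-note text) are still inspected by the rule.
SecRuleUpdateTargetById 981317 "!REQUEST_HEADERS:Upgrade-Insecure-Requests"

# Option B: drop the rule entirely, but only for the two MantisBT scripts
# that were being blocked, leaving it active for every other URL.
<LocationMatch "^/(bugnote_add|manage_proj_ver_update)\.php$">
    # CRS 2.2.9 rule "SQL SELECT Statement Anomaly Detection Alert"
    SecRuleRemoveById 981317
</LocationMatch>
```

Use one of the two options, not both, and watch the Apache error log for further 981317 hits on other Mantis scripts before widening the exclusion.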