Search code examples
javascriptphpmod-security

Mod Security error caused by encoding issue?

I am getting the following error on a site I occasionally manage, and it has only appeared recently, AFAIK. Things were working fine, but since it is a side project, I haven't monitored it in over a year, and don't know exactly when it appeared. It is most likely due to some security changes in the browser or server software. Anyway, here is what the error says:

<head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>

The code that is calling this is something like this (shortened for clarity):

    $.ajax({
    url: "lus.php",
    data: { "SU": SU, // This is any alphanumeric string without spaces or special characters
            "LU": $("#LongURI").val() // This a URI e.g. https://example.com/abc.html
    },
    success: function(data) {
        alert(data);
    },
    error: function(jqXHR, exception) {
        var msg = '';
        if (jqXHR.status === 0) {
            msg = 'Not connected. Verify Network.';
        } else if (jqXHR.status == 404) {
            msg = 'Requested page not found. [404]';
        } else if (jqXHR.status == 500) {
            msg = 'Internal Server Error [500].';
        } else if (exception === 'parsererror') {
            msg = 'Requested JSON parse failed.';
        } else if (exception === 'timeout') {
            msg = 'Time out error.';
        } else if (exception === 'abort') {
            msg = 'Ajax request aborted.';
        } else {
            msg = 'Uncaught Error.\n' + jqXHR.responseText;
        }
        alert('There was an error! ' + msg);
    },

    type: 'GET'
});

If I remove the "://" in the LU variable it works! That means I need to encode it, right, but that did not work (see below). I could strip the "https://" or "http://" and then add it back but that begs the question as to how I would pass "https://" or "http://" (it could be either) to the lus.php file.

Here's what I have tried so far:

  1. Added the following lines to .htaccess
<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

based on this answer. Didn't work.

  1. Removed all the code from lus.php (in steps) to ensure there is no problem with the php code. No change.

  2. Encoded this line

             "LU": $("#LongURI").val()

to this:

            "LU": encodeURI($("#LongURI").val())

and also tried with and without the following change in the php code.

if(isset($_GET['LU']))
    $LU = trim(urldecode(($_GET['LU'])));

No dice.

  1. Changed GET to POST (getting desperate here). This gave me an Internal Server Error (500) instead of the error message above. However, there is no further information because in developer tools, the Response is empty.

EDIT: 5. I have several rewrite conditions in my .htaccess file. So I renamed that file and tried the same operation. Same result/same error.

Any ideas on how to fix this?

Solution

  • It turns out that my hosting provider had blocked the page being called (lus.php). It took a lot of probing and two chat sessions. In case someone is having this problem and can quickly rule out the basics, check with your hosting provider or UFW rules if it is your own server.