Moodle issue MDL-30060

mod_security 403 error in hub/client registration process.


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Minor
    • None
    • Affects versions: 2.0.5, 2.1.2, 2.1.5
    • Component: Hub
    • Environment: mod_security in Apache version 1 or mod_security2 in Apache version 2
    • Affected branches: MOODLE_20_STABLE, MOODLE_21_STABLE

      I have attempted to write something that will fix the mod_security problem & have a hack that works. Basically, I just split the $huburl and $url variables (as appropriate) into two parts (one for the protocol & one for the domain/directory) in all of the redirects that include them. Then in all of the called pages I test to see if a whole URL has been sent and if not I recombine the two parts for processing. Splitting the URLs prevents triggering of mod_security and allows me to complete registration from a client with mod_security to a hub with mod_security. Of course I still can't register to any other hub because the call to confirmregistration.php triggers mod_security. In the changed hub siteregistration.php file the script identifies if the client has split the URL and replies in kind. Thus if this were on a server with mod_security disabled (or just an exception in place) it could accept registration from client sites using both the current and modified client scripts attached.

      I apologize if the attached scripts are inelegant. The most elegant solution would be to extend or modify Moodle's required_param() & optional_param() to test if the passed URL is complete or in two parts, then recombine them as required. And for Moodle's redirect() to test for the passing of a non-local URL in the parameters and if so split it into two parameters. Of course this is only a problem when mod_security is active and a non-local URL is passed as a variable, so I'm not sure if such a low level change is warranted.

      Regards
      Michael

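      An added example (not Moodle code and not the reporter's attached scripts) of the helper shape the comment above proposes: the URL is sent in two parts and read back on the receiving side, and the reassembled value is re-validated as an absolute http(s) URL so the two-part form is checked no less strictly than a whole one. The parameter and function names are assumptions.

```php
<?php
// Added example (not Moodle code and not the reporter's attached scripts).
// Parameter names 'huburl', 'huburlscheme', 'huburlrest' and both function
// names are assumptions made for this illustration.

// Split an absolute http(s) URL into the two parts the workaround sends as
// separate GET parameters: the scheme and everything after "://".
// Returns null for anything that is not an absolute http(s) URL.
function split_url_param(string $url): ?array {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Drop "<scheme>://" from the original string (parse_url keeps its case).
    $rest = substr($url, strlen($parts['scheme']) + 3);
    return ['scheme' => $scheme, 'rest' => $rest];
}

// Read a URL parameter that arrives either whole (current client scripts)
// or in two parts (modified client scripts), as the report describes for
// the hub-side siteregistration.php. Whichever form arrives, the value is
// re-validated as an absolute http(s) URL before use, so the two-part form
// is checked no less strictly than the whole one.
function read_url_param(array $params, string $name): ?string {
    if (isset($params[$name]) && $params[$name] !== '') {
        $url = (string) $params[$name];
    } elseif (isset($params[$name . 'scheme'], $params[$name . 'rest'])) {
        $url = $params[$name . 'scheme'] . '://' . $params[$name . 'rest'];
    } else {
        return null;
    }
    return split_url_param($url) === null ? null : $url;
}

// Constructed request samples: a whole URL, the same URL in two parts, and
// a two-part value with a non-http(s) scheme, which is rejected.
$whole = ['huburl' => 'https://hub.example.org/siteregistration.php'];
$pair  = split_url_param($whole['huburl']);
$split = ['huburlscheme' => $pair['scheme'], 'huburlrest' => $pair['rest']];
$other = ['huburlscheme' => 'ftp', 'huburlrest' => 'hub.example.org/'];

var_dump(read_url_param($whole, 'huburl') === read_url_param($split, 'huburl'));
var_dump(read_url_param($other, 'huburl'));
```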

      Attempt to register a client on a hub with mod_security in Apache version 1 or mod_security2 in Apache version 2 active on either the hub or client.


      mod_security in Apache version 1 and mod_security2 in Apache version 2 will return a 403 Forbidden error when a URL that is not the local domain is passed as a GET variable. mod_security on either the hub or client servers will block the completion of the client/hub registration process, even to MOOCH, as within the registration process URLs are passed as GET variables a number of times. An exception can be added to mod_security in Apache version 1 via a local .htaccess file. However, this ability was removed in mod_security2. In mod_security2 the exception must be added to mod_security.conf of /conf.d. Related forum discussion: http://moodle.org/mod/forum/discuss.php?d=188933

      While I'm not sure how prevalent the use of mod_security is, the 403 error may dissuade a number of administrators from registering with MOOCH. Further, the solution of disabling mod_security may potentially open them to other attacks. A better solution might be a scripting one.

        1. siteregistration.php (19 kB)
        2. renewregistration.php (3 kB)
        3. register.php (8 kB)
        4. hubselector.php (3 kB)
        5. confirmregistration.php (4 kB)

            Assignee: Unassigned
            Reporter: Michael McAuley (michael.1)
            Votes: 0
            Watchers: 3
