Clarkey3111 Posted February 22, 2015
Hey guys, So I upgraded to RC2 on the day it came out and everything seemed to have gone smoothly until a member of the forums used an emoticon from the drop down menu. Every time he tried to navigate to the forums he kept getting a "Error 406 - Not Acceptable then An error has occurred. Generally a 406 error is caused because a request has been blocked by Mod Security. If you believe that your request has been blocked by mistake please contact the web site owner." Only way to fix it was to clear his cookies. I've not seen it anywhere else so I'm assuming it is something I have/haven't done during the upgrade. Any help would be appreciated, thanks.
ehren. Posted February 22, 2015
Hi, What happens when you follow his steps? Do you get the same error? There's nothing else that your member would have done to cause the error? If you can reproduce it yourself, post it in the bug tracker.
Adlago Posted February 22, 2015
Send this error to your host company. Support will establish the source to activate the Mod Security.
AndyF Posted February 23, 2015
I'd agree it could be a mod_sec error although usually they "appear" as a combined 404/403 type error. Asking your host would be the best step first as indicated, as they'll be able to examine the appropriate error logs to determine the cause. If it is not something they can actually fix they should then be able to provide you with the appropriate log entries so you can then return here for further assistance with this, although in 99% of cases a host will be able to rectify this as it does appear to be a server config issue going from the information we have.
Clarkey3111 (Author) Posted February 25, 2015
Thanks for the replies. Yeah I am able to recreate the error on my PC, seems to happen when you open the emoticons menu. It adds the following cookie, which when deleted clears up the 406 error. So I contacted my web host and they came back with:
[Mon Feb 23 20:31:39 2015] [error] [client 90.209.212.53] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec-imh/01_base_rules.conf"] [line "82"] [id "959004"] [msg "Cross-site Scripting (XSS) Attack"] [data "src\\x22:\\x22http:"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "phoenixob.com"] [uri "/"] [unique_id "VOvUe63Nf74AABkaVF8AAAgV"]
Anyone have any ideas?
sadams101 Posted October 9, 2015
I recently upgraded to 4.x and had the exact same issue...the use of emoticons now triggers Mod Security and 406 blocks users. I've done some research on this, and am hoping you found a solution--if you do could you please post it here? Here is the info I have:
1) The Mod Security warning I get: [msg "Cross-site Scripting (XSS) Attack"]
2) The specific piece of code that seems to trigger it which is included in the warning: [data "src\x22:\x22http:"]
3) After opening a ticket with Invision they told me that this specific way of calling the emoticons is probably the actual trigger: [{"src":"//community.invisionpower.com/uploads/emoticons/tongue.png","text":":tongue:"}]
4) And now for the hard part, here are my XSS Mod Security Rules...can anyone tell me how to modify them so that this won't happen anymore? Obviously taking out the entire rule is what I had to do for now, but what I am really seeking here is just removing the one part of this rule that is causing the block:

# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1234123406"
SecAction phase:2,pass,nolog,skipAfter:1234123449,id:1234123405
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'1234123404',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'1234123449',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"

# Command access
SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access',id:'1234123399',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
This topic is now archived and is closed to further replies.
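
An added example, not part of any post in this thread and not Invision's or ModSecurity's code: it isolates the `src ... http:` alternative of the XSS regex quoted in the last post and runs it over constructed cookie values to show why the emoticon JSON is flagged. The cookie name, the host `forum.example` and the Python approximation of the rule's transformations are assumptions.

```python
import html
import re
from urllib.parse import quote, unquote

# One alternative of the posted regex, s(?:...|rc\b\W*?\b(...|http):), written
# out with the \b that precedes it in the rule. The rest of the rule is omitted.
SRC_BRANCH = re.compile(r'\bsrc\b\W*?\b(?:(?:java|vb)script|shell|http):')


def transform(value):
    """Approximate t:urlDecodeUni, t:htmlEntityDecode, t:compressWhiteSpace,
    t:lowercase with standard-library calls (an assumption, not ModSecurity)."""
    value = unquote(value)
    value = html.unescape(value)
    value = re.sub(r'\s+', ' ', value)
    return value.lower()


def inspect_header(value):
    """Return the matched text, i.e. what logdata:'%{TX.0}' records, or None."""
    match = SRC_BRANCH.search(transform(value))
    return match.group(0) if match else None


def emoticon_cookie(src):
    """Build a constructed Cookie header value; the cookie name is hypothetical."""
    payload = '[{"src":"%s","text":":tongue:"}]' % src
    return 'emoticons_example=' + quote(payload, safe='')


# Constructed samples: the same emoticon JSON with three URL forms.
ABSOLUTE = emoticon_cookie('http://forum.example/uploads/emoticons/tongue.png')
RELATIVE = emoticon_cookie('//forum.example/uploads/emoticons/tongue.png')
HTTPS = emoticon_cookie('https://forum.example/uploads/emoticons/tongue.png')

if __name__ == '__main__':
    for label, cookie in (('http', ABSOLUTE), ('relative', RELATIVE), ('https', HTTPS)):
        print(label, '->', inspect_header(cookie))
```

The pattern cannot tell a JSON key named `src` from an HTML `src` attribute, so any cookie that stores a `"src":"http:` pair matches. The rule that inspects `REQUEST_HEADERS` already excludes one header with `!REQUEST_HEADERS:Referer`; excluding the Cookie header in the same way would stop this match, at the cost of that rule no longer inspecting cookies.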