Page Module Forbidden Errors

[FriedGeek]

I've been using FT off and on for nearly 6 years and it's been awhile since I've installed the application. It truly is a remarkable program. 2.2 is new to me and it has everything I need for a current project I'm working on. The only thing that's making me pull my hair out right now is forbidden errors I keep getting within the Pages module. Everything else in FT works like a charm. I'm usually saavy to figure things out but I'm stumped on this problem. I went through the usual process of elimination and I performed various tests.

Here's a sample error I get when trying to submit content for a new page:

"Forbidden
You don't have permission to access /ft/modules/pages/edit.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

Using IE 9.0, I got the forbidden error when trying to submit a large block of HTML code via the Pages creation form page. I reduced the code to half and got the same error. I tried just a simple paragraph submission and it submitted just fine. The only extra html code I added which wasn't native to TinyMCE was code for tables and divs.

I had added the content directly to MySql through PHPMyAdmin and it displayed fine in FT. But when I tried to add the page to the Client Menu, I got another forbidden error.

My server's PHP version is 5.2.14
Apache: 2.2.16
MySQL: 5.0.92-community
OS: Linux
PHP.INI Posting is set to 8M (The page code I tried submitting was less than 70KB)

There are no .htaccess files anywhere within the FT folders and subs.

I had uninstalled the pages module, downloaded the same (current) version from the modules area on the FT website, then uploaded and overwrote the existing files, reinstalled through the FT modules display page, tested a page submission and still got the same thing.

I ran a system check and everything passed. I doublechecked the theme cache permissions and the folders are set at 777. I experimented with the permissions on the Pages folder and various files within it to see if it would make any difference, but still got the errors.

I tried to access using FF 8.0.1 and I got a forbidden error just by clicking on the Modules > Pages link. When I retried using IE, I got the same thing. I closed the browser and emptied the cache and still had the same problem. I emptied the FT default theme cache and still the same. I can access all of the other modules without any problems. As mentioned, everything else works just fine and I can create and edit forms -internal and external- without a single problem.

Any suggestions would be appreciated. Thank you very much.

[FriedGeek]

I've been trying to find a solution with no luck so far. Here's what shows up in the error logs:

[Mon Jan 30 19:24:35 2012] [error] [client x.x.x.x] File does not exist: /home/xxxx/public_html/403.shtml, referer: http://www.xxxxx.com/ft/modules/pages/add.php
[Mon Jan 30 19:19:17 2012] [error] [client x.x.x.x] File does not exist: /home/xxxx/public_html/403.shtml, referer: http://www.xxxxx.com/ft/admin/settings/i...&menu_id=2

(These files do exist)

I fixed the problem so clicking on the Modules > Pages link no longer throws a forbidden error. That had something to do with my experimenting and changing file/folder permissions.

Formerly, there was another error associated with these ones:
ft/modules/pages/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

I fixed this through CPanel by cleaning up old Frontpage extensions so this error doesn't come up anymore.

Now I'm left with the forbidden error when adding or editing a page only if the html code & text submitted is a lot.

Adding the page to the Client Menu throws a forbidden error regardless if there's any content on the newly created page or not.

[FriedGeek]

Still no luck... I logged into my server's WHM and checked its Mod Security application. Here's another tidbit of info pertaining to the errors that might help you determine the root of this problem:

Access denied with code 403 (phase 2). Pattern match "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:wysiwyg_content. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]

I could edit the Mod Security config file which might help allow this problem pass through, but I'm wondering if it may create a security hole in the server. This is the line it's referring to in the modsec2... configuration file:

# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

Suggestions?

[FriedGeek]

I went ahead and #commented the "#Check Decodings" command line within the modsec2... configuration file, tested the FT Pages module, and it works now. Both problems have been solved but my guess is that this will leave a security hole in the server. It's not a big problem to me since I'm the only one who accesses and manages my server but it may be to anyone who shares hosting or who manages a dedicated server and allows their clients to install their own web applications.

This might be something to look into if there's some insecure code within the Pages module that's causing this. But for anyone else who manages their own dedicated server and runs into this problem, this is an immediate solution to fix the problem.