Precondition Failed

 
elliowb
34SP Newbie


Joined: 09 Jul 2010
Posts: 1

Posted: Fri Jul 09, 2010 3:16 am    Post subject: Precondition Failed
Hi,

I'm getting a number of Precondition Failed errors when users on my PhpBB attempt to PM each other. An example of the error is as follows:

Precondition Failed

The precondition on the request for the URL /Forums/ucp.php evaluated to false.
Apache/2.0.63 (FreeBSD) DAV/2 mod_fastcgi/2.4.2 mod_python/3.3.1 Python/2.5.1 PHP/5.2.6 with Suhosin-Patch mod_ssl/2.0.63 OpenSSL/0.9.7e-p1 mod_perl/2.0.3 Perl/v5.8.8 Server at http://www.mzjf.info Port 80

I'm also getting a number of Precondition Failed errors when some users attempt to post. Any suggestions about how I can resolve this recurrent problem?

Thanks for the help.

-- Bill
DrLex
34SP Newbie


Joined: 18 Jul 2005
Posts: 29
Location: Belgium

Posted: Fri Jul 09, 2010 7:52 pm
I also just got notified of this by someone who tried to mail me through a form on my website. After some testing, it appears that a phrase "Please update your page with this info, to save others from …" in a simple textarea triggers the following overzealous regular expression that seems to be used to prevent SQL injection attacks:
Code:
mod_security: Access denied with code 412. Pattern match "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\\\\*| |\\\\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\\\\*| |\\\\,]|UNION SELECT.*\\\\'.*\\\\'.*,[0-9].*INTO.*FROM)" at POST_PAYLOAD [id "300013"][rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]

That test is way too coarse and is bound to trigger on many other plain English sentences. And I'm not even using an SQL database on my website!

The solution is to disable the offending mod_security test with a htaccess directive, as described in other posts. If the error occurs on a script in your cgi-bin directory, make sure to put the .htaccess file in your cgi-bin directory. In my case I had to add:
Code:
<Files myFormScript.pl>
<IfModule mod_security.c>
SecFilterRemove 300013
</IfModule>
</Files>
imknight
Administrator


Joined: 16 Mar 2001
Posts: 3627
Location: Stroud,Gloucestershire

Posted: Sun Jul 11, 2010 1:28 pm
If you are on a personal account, you can use the code in .htaccess mentioned in the post before; however, allowing this type of exclusion has in itself been abused in the past as hackers simply turn off mod_security before trying to run their exploits.

As such the professional range of products (and newer reseller servers) do not allow this to be disabled from .htaccess.

Please if you have issues with mod_security - which as above you can confirm from your error_log (in statistics/logs from the ftp) - drop us an email with the rule triggered and also the IP address that caused the issue - you can confirm this is the correct IP address by visiting http://whatismyip.com.

Please "do not" just email us every time you see a rule in the error_log as this could very well be mod_security doing its job and actually protecting your site from exploits, so always confirm the IP of the entry in the error_log does indeed match that of the user in question when an issue applies - mod_security is there to protect your site but does from time to time have false positives.
_________________
Ian
34SP.com
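
The triage step described in the post above (confirm from error_log which rule fired and that the client IP matches the affected user), as an added example that is not part of the original thread. The log lines are constructed: the `[date] [error] [client IP]` prefix is an assumed Apache 2.0 error_log layout, and the mod_security part follows the entry quoted earlier with the pattern shortened.

```python
import re
from collections import Counter

# Constructed sample error_log content (documentation IP ranges, made-up path).
SAMPLE_LOG = '''\
[Fri Jul 09 19:41:07 2010] [error] [client 203.0.113.7] mod_security: Access denied with code 412. Pattern match "((select|...)" at POST_PAYLOAD [id "300013"][rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]
[Fri Jul 09 19:43:55 2010] [error] [client 198.51.100.23] mod_security: Access denied with code 412. Pattern match "((select|...)" at POST_PAYLOAD [id "300013"][rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]
[Fri Jul 09 19:44:10 2010] [error] [client 203.0.113.7] File does not exist: /usr/local/www/favicon.ico
'''

# Matches only mod_security denials and captures what the host asks for:
# the client IP, the HTTP status returned, the rule id and the rule message.
ENTRY = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'mod_security: Access denied with code (?P<code>\d+)\..*?'
    r'\[id "(?P<rule>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]'
)


def parse_blocks(log_text):
    """Return one dict per mod_security denial; other error lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := ENTRY.match(line))]


def report_for_user(log_text, user_ip):
    """Count denials per (rule id, message) for one user's IP address.

    An empty result means the log holds no block for that user, so the
    entries seen there belong to other clients and may be genuine hits.
    """
    hits = [b for b in parse_blocks(log_text) if b["ip"] == user_ip]
    return Counter((b["rule"], b["msg"]) for b in hits)


if __name__ == "__main__":
    # user_ip is the address the affected user reports as their own.
    for (rule, msg), n in report_for_user(SAMPLE_LOG, "203.0.113.7").items():
        print(f"rule {rule} ({msg}): {n} denial(s) for this user")
```
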