Hello everyone,

Using this module on my last two projects, I found that I cannot delete any email from any list I've created. The site can take me to the confirmation form, but when I hit "delete emails from list" it just simply throws a 403 Forbidden error.

Any advice on this? Thanks for your help!

Comments

justindodge

I found that I had this issue on a production site but not on a development site. After digging a little deeper, it seems that mod_security was being triggered by the post data in the request to delete email addresses. I guess the values 'mail', 'delete', and the id '1' look like a SQL injection attack.

My solution was to add an exception in our modsec2.user.conf file:


SecRuleRemoveById 340016

I found this in the Apache error log; you'll see the rule ID mentioned in there as well:

ModSecurity: Access denied with code 403 (phase 2). Match of "rx (?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/imp/compose|/posting)\\\\.php|/modules\\\\.php\\\\?op=modload&name=(?:Downloads|Submit_News)|/admin\\\\.php\\\\?module=ns\\\\-addStory\\\\&op=|/index\\\\.php\\\\?name=pnphpbb2&file=posting&mode=reply. ..." against "REQUEST_URI" required. 
[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] 
[line "299"] [id "340016"] 
[rev "18"] 
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL injection protection"] 
[data "delete emails from l"] 
[severity "CRITICAL"] 
[hostname "www.removed.com"] 
[uri "/admin/structure/mailing-list/1"] 
[unique_id "xyvnvUPjraEAAD41s94AAAAc"]
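
For anyone triaging the same false positive, here is an added example (not part of the post above, and not code from the module or from Atomicorp) that pulls the bracketed fields out of ModSecurity error-log entries, counts denials per rule and path, and renders an exclusion limited to that path rather than a server-wide SecRuleRemoveById. The sample lines are constructed from the entry above (rule 999001 and the second and third URIs are made up), and the `<Location>` scoping assumes ModSecurity 2.x on Apache, as in the log.

```python
import re
from collections import Counter

# Bracketed key/value fields of a ModSecurity 2.x message, e.g. [id "340016"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample input: the entry from the post (match text abridged),
# two made-up denials, and one unrelated Apache error line.
SAMPLE_LOG = [
    'ModSecurity: Access denied with code 403 (phase 2). Match of "rx ..." against '
    '"REQUEST_URI" required. [file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] '
    '[line "299"] [id "340016"] [rev "18"] [msg "Atomicorp.com UNSUPPORTED DELAYED '
    'Rules: Generic SQL injection protection"] [data "delete emails from l"] '
    '[severity "CRITICAL"] [hostname "www.removed.com"] '
    '[uri "/admin/structure/mailing-list/1"]',
    'ModSecurity: Access denied with code 403 (phase 2). [id "340016"] '
    '[data "delete emails from l"] [uri "/admin/structure/mailing-list/2"]',
    'ModSecurity: Access denied with code 403 (phase 2). [id "999001"] '
    '[data "constructed"] [uri "/user/login"]',
    '[error] File does not exist: /var/www/favicon.ico',
]

def parse_entry(line):
    """Return the bracketed fields of one denial, or None for any other line."""
    if "ModSecurity: Access denied" not in line:
        return None
    return dict(FIELD.findall(line))

def tally(lines):
    """Count denials per (rule id, URI with a trailing numeric id stripped)."""
    hits = Counter()
    for line in lines:
        fields = parse_entry(line)
        if fields and "id" in fields and "uri" in fields:
            prefix = re.sub(r"/\d+$", "/", fields["uri"])
            hits[(fields["id"], prefix)] += 1
    return hits

def scoped_exclusion(rule_id, prefix):
    """Render an exclusion that applies only to requests under `prefix`."""
    return (f'<Location "{prefix}">\n'
            f'    SecRuleRemoveById {rule_id}\n'
            f'</Location>')

if __name__ == "__main__":
    for (rule_id, prefix), count in tally(SAMPLE_LOG).most_common():
        print(f"# rule {rule_id} denied {count} request(s) under {prefix}")
        print(scoped_exclusion(rule_id, prefix))
```

Review the `data` and `uri` fields of each counted denial before adding the generated block, so the rule stays active everywhere the form is not involved.
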

manuel.adan

Status: Active » Closed (works as designed)

Cannot reproduce, assuming #1 was the problem.