MyBB Documentation

Mod security

The 1.6 Documentation is no longer maintained and some information may be outdated.

The MyBB 1.6 series reached end of life on October 1, 2015.

This means there will be no more security or maintenance releases for this series, and forums running these versions of MyBB may be at risk of unfixed security issues. All administrators are strongly encouraged to upgrade their forums to the latest release of MyBB as soon as possible.

If you're running MyBB 1.6.x, these errors should not happen on your forum, as the links were changed to prevent 403s. If you are still getting 403 errors after upgrading to 1.6, then you have problematic plugins that are using the old style link layout. Contact the plugin author for assistance.

Recently, there have been many reports on this forum regarding problems with mod_security, one of the modules loaded into Apache. If you are having problems with 403 Forbidden or other problems that happen once in a while for quite mysterious reasons, read on and see if mod_security is your problem.


Introductory Details

The apparent error that is generated is normally a page saying:

  • 500 Internal Server Error
  • 403 Forbidden: You don't have permission to access <the file name> on this server.
  • Not Acceptable: An appropriate representation of the requested resource <the file name> could not be found on this server.

In order to confirm that it is indeed mod_security triggering the error, please take a look at the server error log. This can usually be found either in a "logs" folder in your FTP root, or in your hosting control panel, or by requesting it from your web host (we can't help you on our end with this). In the server error log, an error similar to the one below may show up:

[Sat Oct 8 16:33:45 2005] [error] [client 123.456.789.123] mod_security: Access denied with code 403. Pattern match "rcp " at THE_REQUEST. [hostname "www.example.com"] [uri "/forum/admin/templates.php?expand=1&group=usercp"]
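
To see which rule pattern and which page account for the denials, the matching entries in the error log can be tallied. The Python sketch below is an added example, not part of the MyBB documentation; it assumes the log format of the sample line above, and the second, third and fourth sample entries (including their pattern, location and URI values) are constructed.

```python
import re
from collections import Counter

# mod_security 1.x denial entry, in the format of the sample error-log line above.
DENIAL = re.compile(
    r'\[client (?P<client>[^\]]+)\] mod_security: Access denied with code '
    r'(?P<code>\d{3})\. Pattern match "(?P<pattern>[^"]*)" at '
    r'(?P<location>\S+?)\.\s.*?\[uri "(?P<uri>[^"]*)"\]'
)

# The first entry is the sample from this page; the others are constructed.
SAMPLE_LOG = [
    '[Sat Oct 8 16:33:45 2005] [error] [client 123.456.789.123] mod_security: '
    'Access denied with code 403. Pattern match "rcp " at THE_REQUEST. '
    '[hostname "www.example.com"] '
    '[uri "/forum/admin/templates.php?expand=1&group=usercp"]',
    '[Sat Oct 8 16:35:10 2005] [error] [client 192.0.2.10] mod_security: '
    'Access denied with code 403. Pattern match "rcp " at THE_REQUEST. '
    '[hostname "www.example.com"] '
    '[uri "/forum/admin/templates.php?expand=1&group=usercp"]',
    '[Sat Oct 8 16:40:02 2005] [error] [client 192.0.2.10] mod_security: '
    'Access denied with code 403. Pattern match "uname" at POST_PAYLOAD. '
    '[hostname "www.example.com"] [uri "/forum/post-form.php"]',
    '[Sat Oct 8 16:41:00 2005] [error] [client 192.0.2.10] '
    'File does not exist: /var/www/favicon.ico',
]

def parse_denials(lines):
    """Return one dict per mod_security denial; unrelated log lines are skipped."""
    denials = []
    for line in lines:
        match = DENIAL.search(line)
        if match:
            entry = match.groupdict()
            # Drop the query string so repeated hits on one script group together.
            entry["path"] = entry["uri"].split("?", 1)[0]
            denials.append(entry)
    return denials

def summarize(lines):
    """Count denials per (pattern, location, path) to show what is being blocked."""
    return Counter((d["pattern"], d["location"], d["path"])
                   for d in parse_denials(lines))

if __name__ == "__main__":
    for (pattern, location, path), hits in summarize(SAMPLE_LOG).most_common():
        print(f"{hits:3d}  pattern={pattern!r}  at={location}  path={path}")
```

In the sample line, the pattern "rcp " matches the end of `group=usercp` followed by the space that precedes the HTTP version in the request line, which is why only the usercp template group is blocked.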

Known problematic pages

Here is a list of known symptoms:

  • [1.4] - any ACP page
  • [1.2] Admin CP - Version Check
  • [1.2] Admin CP - Templates Manager - Cannot expand the usercp template group
  • Front end - Posting/Editing posts - Message with content similar to harmful commands (example: uname -a)
  • The above errors occur when specific data is being requested from the server (example: all the other template-groups work except for usercp templates, and other messages are able to be posted)

Confirm that mod_security is installed on your server

To confirm that the mod_security module is installed on your server, open your PHP Info page (there is one in your forum's Admin CP). Scroll down and find the heading "Loaded Modules" and see if "mod_security" is in the list.

The Solution - MyBB 1.4.x and newer

The htaccess.txt that comes with the MyBB package disables mod_security by default. If you haven't already, rename the htaccess.txt file to ".htaccess" (without the quotation marks, note the leading dot in the filename).

The relevant code is shown below:

#
# If mod_security is enabled, attempt to disable it.
# - Note, this will work on the majority of hosts but on
#   MediaTemple, it is known to cause random Internal Server
#   errors. For MediaTemple, please remove the block below
#
<IfModule mod_security.c>
	# Turn off mod_security filtering.
	SecFilterEngine Off

	# The below probably isn't needed, but better safe than sorry.
	SecFilterScanPOST Off
</IfModule>


The Solution - MyBB 1.2.x and older

Place this code in a .htaccess file in your MyBB folder on the server.

SecFilterEngine Off

Note, this will disable the security function of the mod_security module for the files inside the MyBB folder. This solution is a tradeoff: security vs usability. Use this solution at your own risk.

If this does not work, then feel free to create a new support thread and we'll try to help you further.

The Solution - Contact your host

If none of the above solutions work and you have confirmed that mod_security is enabled on your server, you can try to ask your webhost to "whitelist" your domain to bypass mod_security.


Original thread: https://community.mybb.com/showthread.php?tid=7592