406 Error: get used instead of post for Dynamic Objects?
Autor: Dieter D.
Visitado 1700,
Seguidores 1,
Compartilhado 0
Hi!
All my pages using Dynamic Objects (no matter if using txt or DB) produce "406 Errors". My hoster told me that the firewall suspects possible "man in the middle" attacks as the form submitting the data seems to use GET instead of the much safer POST.
I have to disable the firewall. :-(
Is that the case???
If this is the case, will the Dynamic Objects be changed to POST in the near future to use this highter security standard??
Thanks,
Dieter
Publicado em
Autor
The code in the php page out of X5 contains POST.
I have the hoster look into the firewall logs to find out what is the problem...
Autor
The provider told me that problem is that it triggers firewall rules "t:jsdecode,t:cssdecode".
Looks like the data of the Dynamic Object form is not well enough escaped osr something like that and triggers false positives for XSS firewall rules.
Hello. I sent a notification about your question to the company employees, expect an answer from them here in the comments.
Hello.
In order to give us a better idea of your problem, could you give us some screenshots of the error it shows and the object as it is configured?
The 406 error has some causes to appear ...
For example: the request made by the user from his browser is incomplete, or confusing.
I explain. It happened to me on one occasion in which I mistakenly activated two languages, English and Spanish, and with so much change that I made on the page, pages were configured in html and php that remained on the server, at the time of requesting "something" to the server (one page) the server "did not know" if it was in spanish or english or html or php. that is, the request was incomplete. and the server did not know what to do. haha.
The logical thing is that it responds with a 404 page not found error, but, I assume that the pages were there but, I did not know which to display and in which language ...
In other words, I think your project needs a debugger. or...
If it is due to a form in the data submission, the server does not know how to save them in the database or they do not have some mime format and therefore generates the error.
That leaves us with a few potential causes:
The server did not provide the requested MIME type or the proper formats, such as a JPEG or mp4 video.
The server did not return with the correct language (Accept-language). For example, it may have returned a response in German when the browser asked for French.
The server used an incorrect compression method or format in response to the Accept-encoding request.
The server returned too many bytes that did not match the Accept-ranges request.
The server was unable to provide understandable characters, which would cause a problem with the Accept-charset request from the browser.
Is it your first project or has it happened to you with the recent update?
Have you already tried deleting all the files and uploading it again?
Waiting for more data and captures of your problem to be able to help you, :)
Autor
Hi Miguel!
Thanks for your extensive answer!
I am an IT professional with quite a long experience. X5 is used by me for some smaller "quick" projects.
Let me give you the "technical" background of the issue.
Working with the provider I found out that we have an issue with the firewall rules "t:jsdecode,t:cssdecode".
This hoster easyname.com (I work with several hosters for different projects) is actually a very, very good one. They are very active in keeping to the latest standards.
They increased the Application Firewall Security (I guess other providers will do that soon too) to the latest standards and so the X5 DynObj triggers a rule as soon an you try to enter more than plain text. Already marking a word as bold text (tag <b></b>) fires the firewall false positive rule.
I made a small test page with just one DynObj: https://testdyn.infocity.at
As soon as I enter already a word in bold I get the 406.
The error.log gives me:
[Thu Oct 21 07:04:29.279349 2021] [:error] [pid 139838:tid 140681653778176] [client xxx.xxx.xxx.xxx:0] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ((?:submit(?:\\\\+| )?(request)?(?:\\\\+| )?>+|<<(?:\\\\+| )remove|(?:sign ?in|log ?(?:in|out)|next|modifier|envoyer|add|continue|weiter|account|results|select)(?:\\\\+| )?>+)$|^< ?\\\\??(?: |\\\\+)?xml|^<samlp|^>> ?$)" against "ARGS:donotuse" required. [file "/etc/modsecurity/conf.d/10_asl_rules.conf"] [line "1105"] [id "350147"] [rev "161"] [msg "Atomicorp.com WAF Rules: Potentially Untrusted Web Content Detected"] [severity "CRITICAL"] [hostname "testdyn.infocity.at"] [uri "/index.php"] [unique_id "YXEQ_aTBSr0nb3ps9e81NAAAAGA"], referer: https://testdyn.infocity.at/
So it is clear that the form content is not accepted.
The details are:
Request URL: https://testdyn.infocity.at/index.php
Request Method: POST
Status Code: 406
Remote Address: 77.244.243.53:443
Referrer Policy: strict-origin-when-cross-origin
accept-ranges: bytes
age: 0
content-encoding: gzip
content-type: text/html
date: Thu, 21 Oct 2021 07:04:29 GMT
etag: W/"14f4-5c0543526be95"
last-modified: Mon, 19 Apr 2021 14:33:05 GMT
permissions-policy: interest-cohort=()
server: Apache
vary: Accept-Encoding
Provisional headers are shown. Disable cache to see full headers.
Learn more
Content-Type: application/x-www-form-urlencoded
Origin: https://testdyn.infocity.at
Referer: https://testdyn.infocity.at/
sec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
donotuse: <p>Testcontent for Dynamic <b>Object</b></p>
DefaultText: <p>Testcontent for Dynamic <b>Object</b></p>
ObjectType: ObjectDynamicText
ObjectId: 1
PageId: 0
This shows basically that "<p>Testcontent for Dynamic <b>Object</b></p>" is no good as long as its special HTML chars are not escaped.
--> The Dynamic Obcjects in X5 are not escaping special chars what is seen as unsafe
My only option at the moment is to disable the application firewall what is not my prefered solution. I sure hope X5 soon adds proper string escape to the DynObj form.
Thanks a lot,
Greetings from Vienna,
Dieter
Hello Dieter
The Dynamic Object handles most HTML code by copying somewhere and then pasting it again into the required spot.
As of now, I believe this is the first time we've received a report regarding a firewall block so I will be sure to notify the developers of this
However, I can't guarantee that any change will be performed to this in a short period of time since, like mentioned before, it seems to work correctly for most users as of now as well without ever encountering anything like it
I will inform the developers as I mentioned before so that the situation can be kept under check, but I advise disabling this firewall directive for the moment if possible
Thank you for your feedback
Stefano
Autor
Thanks, Stefano!
Yes, my hopes are low as I haven't seen a lot of bugs/wishes from users in the past been taken into consideration fast.
Please inform the developers as not escaping the form data properly is no good coding practise. In the future there will be more reports about these blocked, I'm sure as providers do well to protect their customers websites against attacks (and the unescaped data submitted with the DynObj looks like it could be injections).
Best,
Dieter