Forbidden error 403 with Mod_Security

Topics: ASP.NET 2.0, Business Logic Layer, Controls, Themes
Sep 16, 2015 at 3:00 AM
Edited Sep 16, 2015 at 3:03 AM
Hi,

I have been using BlogEngine for 2 years and it was working fine, but all of a sudden my hosting company implemented Mod_Security on their server and now I am getting a FORBIDDEN 403 error.

For Reference :
http://abhisharma.co.in/

I have contacted the hosting team so many times, but they always replied that it's a problem on your side. Please find their replies below:

Response 1 :

The issue you are facing is because the mod security rule added on the server is blocking the website. We could see the below error in the logs:

request missing a user agent header

I would recommend that you script your application by adding a valid user agent header and let us know if you still face any issue.

Response 2:

The rule that is currently blocking the website is due to a missing user agent header in the HTTP request header. This is purely based on coding and I request you to check this with your developer. You may refer to the logs below for your reference:

http://support-tools.com/?6fd92b83cc036e6d#9Zl+X0EKxCK9n1tVXyP1QpswGqVprLW7kTb5PPx4Ui4=

Kindly add specific User Agent headers for the HTTP request so that the issue will be resolved. Unfortunately, we cannot un-block the rule on the server for your subscription.

Thanks
Coordinator
Sep 17, 2015 at 3:00 PM
That doesn't make any sense. The user agent is sent by your browser when you request resources on the server. When I type your site address in Chrome or IE, they send the user agent header along with the request. It does make sense to block me if I write a script that requests your page and am too lazy to specify a user agent, but I have no idea what would need to be done on the application side and why. Googling mod_security does not help either; probably something pretty obscure. They need to explain what they want and provide examples of what needs to be done.
Sep 17, 2015 at 11:12 PM
Hi abhicse24,

Sounds to me it's time to jump ship and go with another web hosting company.

Give us a try at http://BloggersOnline.com

We offer the best support for BlogEngine.NET; I am the owner and a BE expert :)

Also, we have the lowest price for web hosting in the world for Windows 2012 ASP.NET 4.5 web hosting.

Starting at $0.99 per month, no contract or 1-year pre-paid required.

We offer a 30 day, no questions asked, money back refund.

Many members here use our hosting; ask around if you like :)

https://order.bloggersonline.com/cart.php

Have a great day!

Brian Davis
Owner
http://BloggersOnline.Com
Sep 18, 2015 at 5:07 AM
Edited Sep 18, 2015 at 5:08 AM
Hi,

Based on this line in the stack trace: BlogEngine.Core.Web.Scripting.WebResourceFilter.RetrieveRemoteFile(String file) +135

the error is probably being caused by the minification routine that is trying to compress WebResource.axd. For this, BE has implemented a Stream filter that parses the output being sent to the client and modifies it by substituting a minified version of WebResource.axd. Here is the link to the source code of the file:
http://blogengine.codeplex.com/SourceControl/latest#BlogEngine/BlogEngine.Core/Web/Scripting/WebResourceFilter.cs
In order to minify WebResource.axd, the BE stream filter extracts the URL of the dynamically generated WebResource.axd and makes a request to the server using RemoteFile.cs (http://blogengine.codeplex.com/SourceControl/latest#BlogEngine/BlogEngine.Core/RemoteFile.cs). Once the file is downloaded, it minifies it, stores it in the memory cache and then replaces the default WebResource.axd <script/> tag with a custom <script/> tag with a hashed URL.

Now this brings me to the main cause of your error: private WebRequest GetWebRequest in http://blogengine.codeplex.com/SourceControl/latest#BlogEngine/BlogEngine.Core/RemoteFile.cs.
    /// <summary>
    /// Creates the WebRequest object used internally for this RemoteFile instance.
    /// </summary>
    /// <returns>
    /// 
    /// The WebRequest should not be passed outside of this instance, as it will allow tampering. Anyone
    /// that needs more fine control over the downloading process should probably be using the WebRequest
    /// class on its own.
    /// 
    /// </returns>
    private WebRequest GetWebRequest()
    {
        this.CheckCanDownload();

        if (this._webRequest == null)
        {
            var request = (HttpWebRequest)WebRequest.Create(this.Uri);
            request.Headers["Accept-Encoding"] = "gzip";
            request.Headers["Accept-Language"] = "en-us";
            request.Credentials = CredentialCache.DefaultNetworkCredentials;
            request.AutomaticDecompression = DecompressionMethods.GZip;

            if (this.TimeoutLength > 0)
            {
                request.Timeout = this.TimeoutLength;
            }
            this._webRequest = request;
        }

        return this._webRequest;

    }

This function creates a WebRequest object and adds the necessary headers to the request. Unfortunately, User-Agent isn't one of them, which causes your mod_security to reject the request and hence the error.

Solution:
Until the BE team releases an update, you could try downloading the source code, adding a header to emulate a browser, and then running it on your server.

Hope this helps,

Mayank
Sep 18, 2015 at 5:46 AM
Hi Mayank,

Thanks for the help,

I have resolved the issue by downloading the BlogEngine code and making the appropriate changes as below:

    /// <summary>
    /// Creates the WebRequest object used internally for this RemoteFile instance.
    /// </summary>
    /// <returns>
    /// 
    /// The WebRequest should not be passed outside of this instance, as it will allow tampering. Anyone
    /// that needs more fine control over the downloading process should probably be using the WebRequest
    /// class on its own.
    /// 
    /// </returns>
    private WebRequest GetWebRequest()
    {
        this.CheckCanDownload();

        if (this._webRequest == null)
        {
            var request = (HttpWebRequest)WebRequest.Create(this.Uri);
            request.Headers["Accept-Encoding"] = "gzip";
            request.Headers["Accept-Language"] = "en-us";
            // Send a User-Agent so the mod_security rule "request missing a user agent header" no longer fires.
            // User-Agent is a restricted header in .NET and must be set through the UserAgent property;
            // request.Headers.Add("user-agent", ...) throws an ArgumentException, hence the commented-out line.
            request.UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0";
         //   request.Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0");
            request.Credentials = CredentialCache.DefaultNetworkCredentials;
            request.AutomaticDecompression = DecompressionMethods.GZip;

            if (this.TimeoutLength > 0)
            {
                request.Timeout = this.TimeoutLength;
            }
            this._webRequest = request;
        }

        return this._webRequest;

    }
Thanks
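As an added illustration of the mechanism Mayank diagnosed and the fix above (constructed example code, not BlogEngine's RemoteFile or a real mod_security rule): a local stub server models the "request missing a user agent header" rule with a 403, and a client function models BE's server-side fetch of WebResource.axd, first without a User-Agent (http.client sends none by itself, unlike urllib) and then with one. The user agent string "BlogEngine.NET" and the script body are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the dynamically generated WebResource.axd script.
FAKE_WEBRESOURCE = b"function be_minify_me(){return 1;}"

class UserAgentRule(BaseHTTPRequestHandler):
    """Model of the hosting rule: reject any request that carries no User-Agent."""

    def do_GET(self):
        if not self.headers.get("User-Agent"):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"request missing a user agent header")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/javascript")
        self.end_headers()
        self.wfile.write(FAKE_WEBRESOURCE)

    def log_message(self, *args):  # keep the stub server quiet
        pass

def start_server():
    """Start the rule server on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), UserAgentRule)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def retrieve_remote_file(port, path="/WebResource.axd", user_agent=None):
    """Server-side fetch like BE's RemoteFile.GetWebRequest. http.client adds no
    User-Agent on its own, so user_agent=None reproduces the failing request."""
    headers = {"Accept-Encoding": "gzip", "Accept-Language": "en-us"}
    if user_agent:
        headers["User-Agent"] = user_agent  # the one-line fix from the thread
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

if __name__ == "__main__":
    srv, p = start_server()
    print(retrieve_remote_file(p)[0])                               # 403
    print(retrieve_remote_file(p, user_agent="BlogEngine.NET")[0])  # 200
    srv.shutdown()
```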