mbrando Posted November 29, 2022
Why do I get 403 Forbidden when posting to community?
DennisHermannsen Posted November 29, 2022
It's most likely because the server's ModSecurity rules think your message is suspicious if you post any code. It's a real pain in the ass.
mbrando Posted November 29, 2022 (Author)
Thanks for the input, makes sense. But why just a crappy black and white 403 Forbidden page? You'd think with the deep pockets of WHMCS they'd create a better error trap so as to not confuse the user. They are a software company. The black and white 403 error is not an acceptable error anymore in production.
RadWebHosting Posted November 30, 2022
I'll agree. The 403 error page you described sounds like there's room for improvement. At least it needs to be specific so users can make educated decisions on how next to proceed. I will say this, however: this community is not built by WHMCS in the slightest. It's built by Invision Community.
mbrando Posted November 30, 2022 (Author)
5 hours ago, radwebhosting said: I'll agree. The 403 error page you described sounds like there's room for improvement. At least it needs to be specific so users can make educated decisions on how next to proceed. I will say this, however: this community is not built by WHMCS in the slightest. It's built by Invision Community.
Oh, I did not know that Invision Community was the community service provider. However, WHMCS still selected Invision Community as their community service provider. Maybe they will see this and fix the error trap. These days a black and white error page with a number only is not acceptable for production. Just saying, and maybe I'm complaining a little. 🙂 Stuff like this just bugs me.
DennisHermannsen Posted November 30, 2022
IPB is not the software that throws the 403 error. It's most likely ModSecurity. In many cases, it makes sense to check if the POST request contains code of any sort, but it makes no sense in this case, when the code is just plain text.
bear Posted November 30, 2022
57 minutes ago, mbrando said: These days a black and white error page with a number only is not acceptable for production
What's the problem with it? Do you prefer seeing a broken robot graphic like Google does, or something like that?
mbrando Posted November 30, 2022 (Author)
1 hour ago, bear said: What's the problem with it? Do you prefer seeing a broken robot graphic like Google does, or something like that?
My problem is it gives no reason why I'm given the 403 Forbidden. Plus, it's a white page with no navigation or sign of where you are or were. Invision Community are going to throw 403 Forbidden errors when a user posts to the community; THEY know why but are not sharing it with the end user. So the end user keeps banging their head on the wall until they figure it out on their own. They should share what they know and tell the end user.
bear Posted November 30, 2022
Not revealing a 403 cause is actually desired in most cases. Someone looking to do "evil" on a site can use the information about why something is being blocked to tune the attack to evade the cause. To each his own, but it's actually beneficial.
mbrando Posted November 30, 2022 (Author)
4 minutes ago, bear said: Not revealing a 403 cause is actually desired in most cases. Someone looking to do "evil" on a site can use the information about why something is being blocked to tune the attack to evade the cause. To each his own, but it's actually beneficial.
Sure, you always have the evil angle. But why would you not give the end user viewing the 403 navigation, or continue the site branding? If you are mitigating evil with a 403 trap, then you can also take it to the next, more user-friendly level and simply strip the evil parts, no? Insert "redacted" or nothing. Just 403 is bad practice for end users on production systems.
bear Posted November 30, 2022 Share Posted November 30, 2022 (edited) 5 hours ago, mbrando said: why would you not give the end user viewing the 403 navigation Using the back button usually suffices, no?  5 hours ago, mbrando said: If you are mitigating evil with a 403 trap, then you can also take it to the next more user friendly level and simply strip the evil parts, no? an insert redacted or nothing. Strip the "evil parts" and do what, exactly? In this case, take you to the post you attempted to make but without the bits that caused the 404? That would be more confusing, in my opinion. In my own experience, if I'm trying to post a thread that included "code" of some kind and the submission fails with an error, my first thought is generally "what in that was causing the problem?". A 403 is typically generated at the server level firewall (mod security, CSF etc), and not at the software level of a community ( << this was f-o-r-u-m in my post), so it's not like the server would know to complete your POST request without the bits it saw were an issue. Again, to each his own, but I personally don't see this as a mistake, with the exception of maybe including the branding, although telling someone "hey it looked like you tried to hack our server" while branding it is a little odd. 😉 Edited November 30, 2022 by bear 0 Quote Link to comment Share on other sites More sharing options...
mbrando Posted November 30, 2022 (Author)
5 minutes ago, bear said: Using the back button usually suffices, no? Strip the "evil parts" and do what, exactly? In this case, take you to the post you attempted to make but without the bits that caused the 404? That would be more confusing, in my opinion. In my own experience, if I'm trying to post a thread that included "code" of some kind and the submission fails with an error, my first thought is generally "what in that was causing the problem?". A 403 is typically generated at the server-level firewall (mod security, CSF etc.), and not at the software level of a community (<< this was f-o-r-u-m in my post), so it's not like the server would know to complete your POST request without the bits it saw were an issue. Again, to each his own, but I personally don't see this as a mistake, with the exception of maybe including the branding, although telling someone "hey, it looked like you tried to hack our server" while branding it is a little odd. 😉
No, the back button does not suffice. You seem to be taking this personally. I was pointing out a design flaw that would make for a better user experience. Not everyone on the community here has 4000+ posts. Some of us have a day job, and communicating here is to resolve an issue. Why are you so stuck on keeping a non-existing error trap? I'm only the messenger. I tried to make the community aware of what I see as a bad error trap. I'm not here to debate what color the page should be. Do with it what you will. It sounds like you are like the system 403 error page in black and white. Take it for just that. Have a nice day.
bear Posted December 1, 2022
I'm not taking anything personally here (but do have opinions, just like you), and the number of posts has nothing to do with someone's "worth" in discussions, but in my case is likely because of how long I've been here. I also have a day job, and believe me, it's not answering community (<< did not write "community" there) threads. 😉 As for the design flaw you suggest, it's a function of a server-level protection, not WHMCS. Mod security looks at patterns and if it finds one that could potentially be harmful, it blocks the POST request. Lots of servers do this. Telling the submitter the specific cause of what triggered it would reveal a way to bypass it, so it's not included.
20 hours ago, mbrando said: Invision Community are going to throw 403 Forbidden errors when a user posts to the community; THEY know why but are not sharing it with the end user.
It's not Invision doing it.
20 hours ago, mbrando said: So the end user keeps banging their head on the wall until they figure it out on their own. They should share what they know and tell the end user.
See above. Have a great day.
DennisHermannsen Posted December 1, 2022
22 hours ago, mbrando said: My problem is it gives no reason why I'm given the 403 Forbidden. Plus, it's a white page with no navigation or sign of where you are or were.
And you shouldn't. The 403 error should never tell the visitor why they are not allowed to access a specific resource. The white page is the default for the web server. The web server is serving you the error page, but the WAF (most likely ModSecurity) is the software that tells the web server to do this. All of this has nothing to do with the community software. It's annoying to get the 403 error, but there's a reason for it. When browsing the web, it's very rare that you need to send any kind of code towards a website. When you're submitting a post reply that includes some code, the WAF should block this request in most cases. Now, you could argue that WHMCS should modify the ruleset of the WAF to allow for code to be posted, but as a website admin, they have to consider every possible risk of doing this. I would rather throw a "false" 403 to a visitor than allow visitors to potentially compromise the website or execute malicious code somewhere.
21 hours ago, mbrando said: But why would you not give the end user viewing the 403 navigation, or continue the site branding?
Because it's just how it works by default. A lot of website admins don't want to deal with it. 403 errors generally don't have their own "page" that's implemented into the website itself.
16 hours ago, mbrando said: I tried to make the community aware of what I see as a bad error trap.
I think everyone (including WHMCS) is aware at this point. The issue is that the 403 error is only thrown occasionally, thus making it difficult to debug. That, or WHMCS just doesn't care, since the code sample could be uploaded to Pastebin or a similar website. Fixing the false positive is a huge task, and you might introduce a security hole while fixing it.
So, seen from the perspective of a web admin, it's totally understandable that nothing is done about this. For the visitor, it's just annoying. Also, I don't see that bear is taking anything personally. He's just explaining why things might be the way they are. I think the issue is very annoying, but I also understand the issue. Telling the visitor why their request was blocked is generally a bad idea. Security by obscurity 😎
Kian Posted December 1, 2022
This 403 error is the second reason why I started to use GitHub. The first one was the inability to edit my own posts to update scripts. I don't get why they decided to block everything with the WAF. Yes, yes, security, but come on. This community is not about wine or books. It's full of developers. What do they expect us to post? Recipes for donuts? 😩 Allowing legit code only takes some tuning. Or at least they could change the horrible 403 page to a custom one with a logo and a bit of style. The standard 403 makes everybody (or just me?) tilt.
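The "some tuning" Kian mentions and the branded 403 page that several posters ask for, shown as an added example that is not part of this thread and is not WHMCS's or Invision's configuration: an Apache httpd fragment for a server running mod_security2 with the OWASP Core Rule Set (CRS) loaded. It narrows the WAF exemption to one form field on one path instead of switching the engine off, and tells Apache to serve a static branded page for every 403. The reply path (/forums/topic/), the body field name (content), the CRS rule ids chosen for exclusion (932100 and 941100 are real CRS ids, but which ids actually fire has to be read from the ModSecurity audit log on the affected server), the local rule id 10001, the audit-log path and the /errors/ location are all assumptions made for illustration.

```apache
# Added example, not configuration from WHMCS, Invision or this thread.
# Apache httpd with mod_security2 and the OWASP Core Rule Set (CRS) already loaded.
# Goal: keep the WAF on, stop it rejecting pasted code in one forum field,
# and replace the bare "403 Forbidden" page with a branded one.
#
# Everything below is an assumption chosen for illustration:
#   - forum replies are POSTed to paths under /forums/topic/
#   - the message body arrives in the form field "content"
#   - CRS rules 932100 (Unix command injection) and 941100 (XSS via libinjection)
#     are the ones tripping. Read the real ids from the audit log first
#     (path varies by distribution):
#         grep -o 'id "[0-9]*"' /var/log/apache2/modsec_audit.log | sort | uniq -c
#   - ids 1-99999 are reserved by CRS for local rules, so 10001 is free

<IfModule security2_module>

    # 1. Narrow rule exclusion. Phase 1 runs before the CRS request rules, and
    #    ctl:ruleRemoveTargetById drops only ARGS:content from the named rules,
    #    so those same rules still inspect every other parameter, header and
    #    path on the request. Place this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    #    or any file included before the CRS rule files.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:10001,\
        phase:1,\
        pass,\
        nolog,\
        chain"
        SecRule REQUEST_URI "@beginsWith /forums/topic/" \
            "t:none,\
            ctl:ruleRemoveTargetById=932100;ARGS:content,\
            ctl:ruleRemoveTargetById=941100;ARGS:content"

    # What NOT to do: turning the engine off for the whole forum path also
    # disables the protocol-enforcement and injection rules that still matter
    # for every other field and header on that same request.
    #
    #   SecRule REQUEST_URI "@beginsWith /forums/" \
    #       "id:10002,phase:1,pass,nolog,ctl:ruleEngine=Off"

</IfModule>

# 2. Branded 403. Apache serves this document for every 403 response,
#    including the ones ModSecurity raises with deny,status:403, so the visitor
#    sees the site layout plus a generic "your post was blocked; try removing
#    pasted code or link to it instead" message. Keep it a static file so the
#    error page cannot itself fail or be blocked, and keep the text generic:
#    the rule id and the matched pattern belong in the audit log, not on the page.
ErrorDocument 403 /errors/403.html
Alias /errors/ /var/www/errors/
<Directory /var/www/errors>
    Require all granted
</Directory>
```

Before enabling the exclusion on the live forum, run the same rules with SecRuleEngine DetectionOnly on a staging host, post a harmless code fragment in the exempted field, and confirm in the audit log that the excluded ids no longer fire for that field while everything else is still logged. If new ids appear, add them to the chain one at a time rather than widening the path or field match.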