PHP image upload gives 403 error

#1
Hi guys!
Recently I bought and installed LiteSpeed (VPS edition) instead of Apache for my PHP website, and here is the issue I ran into recently.
When I try to upload an image with a PHP script, I get a 403 error.

In logs I have:

Code:
ModSecurity: Access denied with code 403, [Rule: 'ARGS' '(fromCharCode|http-equiv|<.+>|innerHTML|dynsrc|-->)']
 [Msg: XSS attack]2013-05-29 08:29:53.566 [NOTICE] [106.190.249.252:51262-0#mony.com-SSL] Content len: 67683, Request line: 'POST /admin.php?Page=ProductDetails&DepartmentId=30&CategoryId=29&SubCategoryId=&ProductId=305 HTTP/1.1'
2013-05-29 08:29:53.566 [INFO] [106.190.249.252:51262-0#mony.com-SSL] Cookie len: 287, __g_u=297776609756684_5_1_0_5_1361756638628; __utma=158250417.553219480.1348561748.1367633288.1368407073.57; __utmz=158250417.1357436912.28.2.utmcsr=yandex|utmccn=(organic)|utmcmd=organic|utmctr=%D1%84%D1%83%D0%BA%D0%BE%D0%B8%D0%B4%D0%B0%D0%BD; PHPSESSID=406ef92bd2f641a621ad80f4d1cdec5f
2013-05-29 08:29:53.566 [INFO] [106.190.249.252:51262-0#mony.com-SSL] abort request..., code: 4
Does anybody know what I should do? What is the correct way to go with mod_security?

Thanks.
 
#3
Hi, thanks for your reply.
My LiteSpeed is configured through the web console.
Could you please specify how I should disable those rules?
Thank you.
 
#5
Hi,
I disabled the rules as you said, and now I have this:

Please forward the following debug information to bug@litespeedtech.com.
Environment:

Server: LiteSpeed/4.2.2 Enterprise
OS: Linux
Release: 2.6.32-279.5.2.el6.x86_64
Version: #1 SMP Fri Aug 24 01:07:11 UTC 2012
Machine: x86_64

If the call stack information does not show up here, please compress and forward the core file located in /tmp/lshttpd/.

[New Thread 14299]
[New Thread 14300]
[New Thread 14301]
[Thread debugging using libthread_db enabled]
Core was generated by `litespeed'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000482416 in SecRuleSets::getPhases (this=0x0) at /home/gwang/release/httpd/httpd/http/secrule.h:722
in /home/gwang/release/httpd/httpd/http/secrule.h
#0 0x0000000000482416 in SecRuleSets::getPhases (this=0x0) at /home/gwang/release/httpd/httpd/http/secrule.h:722
#1 0x00000000004a1772 in SecEngine::execute (this=0x1263610, pRuleSets=0x0, pConn=0x1252c90, phase=4, scanPost=2) at /home/gwang/release/httpd/httpd/http/secengine.cpp:998
#2 0x00000000004c17d3 in HttpConnection::readReqBody (this=0x1252c90) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:497
#3 0x00000000004c5839 in HttpConnection::onReadEx (this=0x1252c90) at /home/gwang/release/httpd/httpd/http/httpconnection.cpp:2130
#4 0x000000000046cf30 in HttpIOLink::doReadT (this=0x1252c90) at /home/gwang/release/httpd/httpd/http/httpiolink.h:147
#5 0x000000000046bc9d in HttpIOLink::onReadSSL_T (pThis=0x1252c90) at /home/gwang/release/httpd/httpd/http/httpiolink.cpp:1082
#6 0x0000000000469e52 in HttpIOLink::handleEvents (this=0x1252c90, evt=1) at /home/gwang/release/httpd/httpd/http/httpiolink.cpp:167
#7 0x0000000000507530 in epoll::waitAndProcessEvents (this=0x12a1c40, iTimeoutMilliSec=100) at /home/gwang/release/httpd/httpd/edio/epoll.cpp:271
#8 0x0000000000457a90 in EventDispatcher::run (this=0x1260208) at /home/gwang/release/httpd/httpd/http/eventdispatcher.cpp:225
#9 0x000000000041534b in HttpServerImpl::start (this=0x12601e0) at /home/gwang/release/httpd/httpd/main/httpserver.cpp:492
#10 0x000000000041859b in HttpServer::start (this=0x8b34f0) at /home/gwang/release/httpd/httpd/main/httpserver.cpp:1917
#11 0x000000000040efbb in LshttpdMain::main (this=0x125fe20, argc=1, argv=0x7fff89f38588) at /home/gwang/release/httpd/httpd/main/lshttpdmain.cpp:1840
#12 0x000000000040a73f in main (argc=1, argv=0x7fff89f38588) at /home/gwang/release/httpd/httpd/main.cpp:124
 

NiteWave

Administrator
#6
The issue may have been fixed in the 4.2.3 release.

Please try manually upgrading to 4.2.3 to see if it disappears:

#/usr/local/lsws/admin/misc/lsup.sh -v 4.2.3
 
#7
Hi!
I upgraded and the issue seems to have been resolved.
Please tell me, what are the security implications of having all these rules disabled?
Thank you.
 
#8
Also, there is one little issue with the updated version: it does not reload with the graceful restart option in the web console. Command-line reload works fine.
Thanks.
 

webizen

Well-Known Member
#9
All the rules disabled means no mod_security protection.

You can try to force a re-install of 4.2.3 and see if graceful restart is OK in the GUI.
 
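As an added illustration, not code from this thread or from LiteSpeed: the Python below applies the rule pattern quoted in the log in post #1 to a constructed multipart image upload, showing why a scan that covers the raw POST body trips on ordinary image bytes, and how scanning only the text form fields (the request's actual arguments) keeps the check instead of switching the whole rule set off as discussed in post #9. The multipart builder, the boundary and the sample bytes are assumptions made for the demo.

```python
import re

# Pattern from the ModSecurity rule in the log line quoted in post #1.
XSS_ARGS_RULE = re.compile(rb"(fromCharCode|http-equiv|<.+>|innerHTML|dynsrc|-->)")
BOUNDARY = b"----ExampleBoundary"  # constructed boundary for the sample request

def build_body(fields, files):
    """Construct a multipart/form-data body (sample input, not captured traffic)."""
    out = b""
    for name, value in fields:
        out += b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="' + name + b'"\r\n\r\n' + value + b"\r\n"
    for name, fname, ctype, data in files:
        out += (b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="' + name + b'"; filename="'
                + fname + b'"\r\nContent-Type: ' + ctype + b"\r\n\r\n" + data + b"\r\n")
    return out + b"--" + BOUNDARY + b"--\r\n"

def parse_multipart(body, boundary):
    """Minimal multipart parser: returns (name, filename or None, data) per part."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        data = data[:-2] if data.endswith(b"\r\n") else data
        name = re.search(rb'\bname="([^"]*)"', head)  # \b so "filename=" is not matched
        fname = re.search(rb'filename="([^"]*)"', head)
        parts.append((name.group(1) if name else b"", fname.group(1) if fname else None, data))
    return parts

def scan_whole_body(body):
    """Rule over every byte of the POST body (any hit means a 403); image bytes often contain '<...>'."""
    return [m.group(0) for m in XSS_ARGS_RULE.finditer(body)]

def scan_text_fields_only(parts):
    """Scoped check: apply the rule to text form fields only (the actual request
    arguments) and skip file parts, so the rule still catches markup in fields."""
    found = {name.decode(): XSS_ARGS_RULE.search(data) for name, fname, data in parts if fname is None}
    return {field: m.group(0) for field, m in found.items() if m}

def demo():
    image = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR<\x00\x01\x02>\xff"  # constructed bytes, not a real PNG
    upload = [(b"image", b"photo.png", b"image/png", image)]
    clean = build_body([(b"Page", b"ProductDetails"), (b"ProductId", b"305")], upload)
    tagged = build_body([(b"Page", b"ProductDetails"), (b"description", b"<b>sale</b>")], upload)
    return {
        "clean_whole_body": scan_whole_body(clean),    # [b'<\x00\x01\x02>'] -> spurious 403
        "clean_text_only": scan_text_fields_only(parse_multipart(clean, BOUNDARY)),    # {}
        "tagged_whole_body": scan_whole_body(tagged),  # [b'<b>sale</b>', b'<\x00\x01\x02>']
        "tagged_text_only": scan_text_fields_only(parse_multipart(tagged, BOUNDARY)),  # {'description': b'<b>sale</b>'}
    }
```

Run `demo()` to compare the two scans: the whole-body scan blocks the clean upload on the image bytes alone, while the scoped scan passes it and still flags the markup in the `description` field.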