A Small Orange Forums: Wordpress posting 403 error


NOTICE: This is *not* an official support forum

All support requests should be made through our Support Desk or by emailing help@asmallorange.com.

Wordpress posting 403 error

#1 User is offline   zoogiedus plex

  • Small Orange
  • Group: Members
  • Posts: 23
  • Joined: 25-June 05

Posted 27 June 2005 - 09:54 PM

Sorry, it seems as if I've nothing better to do but report problems all day...but nevertheless, the most bizarre error I have ever encountered happened today...I was working on a saved draft in wordpress, finished, and pressed "Save and Continue Editing."

I got delivered to a 403 forbidden page, telling me I had no permission to access /blog/wp-admin/post.php, and that a 404 was encountered while handling the request.

So I got into SmartFTP and did something very inadvisable and desperate; I changed the CHMOD of the file in question to 7777 (it's since been changed back)...still no luck.

The Write page worked perfectly. In fact, I could get into same draft (albeit the saved draft version was about half completed), and could add stuff to it...I added "dsdsf" and it saved perfectly.

So I added the next paragraph from the full version of the post.

No problems.

So I added the next one. Uh-oh! Error. I began the agonizing process of adding sentence by sentence until I located the sentence that was apparently triggering the error:

QUOTE
Wherefore did zoogie curl up in yonder bed, wrapped in such a heavy blanket?


(I'm kinda wondering this myself; it's over 90 degrees in my room, but anyway...)

I changed one of the words - 'bed' to 'bunk.' No luck. I deleted that sentence and rephrased it to this:

QUOTE
Wherefore did zoogie sequester himself thus?


(This post was actually moderately fun to write)

Bingo! It worked. I pasted the entire rest of the post after the newly replaced sentence, and had my article, fully working, without hitch.

Poking around Google, I found a wordpress support forum article detailing the problem, dated around February this year. Apparently it has something to do with updating the Zend Optimizer...which perfectly explains why one sentence triggered a 403 forbidden for /wp-admin/post.php....not.

Curious, I attempted to append the sentence ("Wherefore did zoogie curl up in yonder bed, wrapped in such a heavy blanket?") to a previous post, by copying and pasting. 403 error. Perhaps it was some error with that one particular...typing of it...if you get what I mean. So I rewrote it completely at the end of a post - and no luck!

Baffled completely, I decided to experiment. I replaced the word "curl" with "jump," never mind that the sentence does not make sense. Presto! It works.

I deleted that, and wrote "Curl up." 403 forbidden! I deleted the "up" and left it at "curl." It works.

So it seems to me to be some sort of conspiracy against the phrase "curl up." Is this an ASO server-side issue? A wordpress issue? Something specific to my install? Or what?

For those interested, the post can be found here.

#2 User is offline   jaseone

  • Massive Orange
  • Group: Members
  • Posts: 2,188
  • Joined: 11-February 05

Posted 27 June 2005 - 10:34 PM

I had a similar issue recently, it seems there is something server side checking for certain strings with things like wget and curl in them, which are both command line programs for retrieving URLs.

Haven't had a chance to investigate further yet or how to fix it but it is very bizarre it turns up when you use those words as part of a POST request in a form field.
Jason Bainbridge
An Aussie geek stuck in Texas
Road Show Blondes - Follow the Road Show as we drive from Houston to New York City to raise awareness and money for suicide prevention with The Jed Foundation.

#3 User is offline   jaseone

  • Massive Orange
  • Group: Members
  • Posts: 2,188
  • Joined: 11-February 05

Posted 27 June 2005 - 10:46 PM

Okay did some more digging and it looks like it is due to a setting in mod_security, can you have a look in your cPanel under error logs to see what entries you have there related to this problem? For some reason my error log is blank right now.




#4 User is offline   MacManX

  • Huge Orange
  • Group: Members
  • Posts: 966
  • Joined: 23-June 05

Posted 27 June 2005 - 11:34 PM

From what I've heard on the WordPress Support Forums, there's a bit of a bug going around that causes odd things to happen when your posts contain certain PHP commands such as "curl" and "wget". Unfortunately, no bug reports have been filed. If you feel confident that you have enough information to support your bug report (WordPress setup details, server details, and error logs), please follow these instructions on how to file a WordPress bug report. Here are a few related posts from the WordPress Support Forums:

http://wordpress.org...ort/topic/37489

http://wordpress.org...ort/topic/21975
MacManX.com

Looking for a hosting deal? Sign up with ASO and use coupon codes aso5 ($5 off) or aso15 (15% off).

#5 User is offline   v0id

  • OMG! I Think I Broke It!!!
  • Group: Members
  • Posts: 1,061
  • Joined: 07-April 04

Posted 28 June 2005 - 05:58 AM

haven't curl and wget been blocked since the phpbb worm incident?

#6 User is offline   jaseone

  • Massive Orange
  • Group: Members
  • Posts: 2,188
  • Joined: 11-February 05

Posted 28 June 2005 - 07:40 AM

QUOTE(MacManX @ Jun 27 2005, 11:34 PM)
From what I've heard on the WordPress Support Forums, there's a bit of a bug going around that causes odd things to happen when your posts contain certain PHP commands such as "curl" and "wget".  Unfortunately, no bug reports have been filed.  If you feel confident that you have enough information to support your bug report (WordPress setup details, server details, and error logs), please follow these instructions on how to file a WordPress bug report.  Here are a few related posts from the WordPress Support Forums:

http://wordpress.org...ort/topic/37489

http://wordpress.org...ort/topic/21975




I'm pretty sure it isn't a bug with Wordpress at all but rather the mod_security module in Apache that is filtering all requests to the server for words that are often used in exploits and as curl & wget are used to retrieve URLs from the command line then they are quite the useful tools for hackers to get their code onto servers by calling them remotely.

I think v0id might be on to something and hence I'm not sure if there is much that can be done about it and still ensure the security of the servers. You know I really despise this world where everything must be locked up and secured like Fort Knox because of the actions of a few...


#7 User is offline   MacManX

  • Huge Orange
  • Group: Members
  • Posts: 966
  • Joined: 23-June 05

Posted 28 June 2005 - 10:43 AM

QUOTE(v0id @ Jun 28 2005, 3:58 AM)
haven't curl and wget been blocked since the phpbb worm incident?


I don't believe that the functions have been entirely blocked. For example, WordPress v1.5.1.2 uses cURL (rather than fopen() ) to send/receive pingbacks and trackbacks, and I haven't had any trouble with those. It has to be somehow related specifically to the posting process when it contains words like "cURL" and "wget".

#8 User is offline   jaseone

  • Massive Orange
  • Group: Members
  • Posts: 2,188
  • Joined: 11-February 05

Posted 28 June 2005 - 11:15 AM

QUOTE(MacManX @ Jun 28 2005, 10:43 AM)
QUOTE(v0id @ Jun 28 2005, 3:58 AM)
haven't curl and wget been blocked since the phpbb worm incident?


I don't believe that the functions have been entirely blocked. For example, WordPress v1.5.1.2 uses cURL (rather than fopen() ) to send/receive pingbacks and trackbacks, and I haven't had any trouble with those. It has to be somehow related specifically to the posting process when it contains words like "cURL" and "wget".



It is due to any requests (both GET & POST) made to the server being filtered through the Apache module mod_security where there must be filters set for:

wget "anything"

and

curl "anything"

If you have wget or curl on their own lines then it doesn't seem to get caught otherwise you get a 403 error thrown.

Wordpress can use curl internally though as that is on the server side and it isn't being called (well not directly anyway) through a GET or POST request, the protection with mod_security is so hackers can't craft a GET or POST request to execute curl or wget on the server.

/me wonders if this post will get blocked and if not then why not? Does this server have different settings for mod_security?
0
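
The filter behaviour described in the post above, as an added example that is not part of the thread and not the host's actual mod_security configuration. Both regexes are constructed stand-ins: `BROAD` models "curl/wget followed by a space and anything", and `NARROW` is a hypothetical tighter signature, compared here on sentences quoted in this thread plus two constructed command-shaped strings.

```python
import re

# Constructed model of the behaviour reported in the thread: the tool name
# followed by a space and more text is rejected; the bare word passes.
BROAD = re.compile(r"\b(?:curl|wget) +\S", re.IGNORECASE)

# Hypothetical narrower signature (an assumption, not a published rule): the
# tool name must be in command position (start of the value or right after a
# shell separator) and be followed by an option flag or a URL-like argument.
NARROW = re.compile(
    r"(?:^|[;&|`]|\$\()\s*(?:curl|wget)\s+(?:-{1,2}[A-Za-z]|(?:https?|ftp)://)",
    re.IGNORECASE,
)

def verdict(rule, body):
    """Return 403 if the rule matches the submitted form field, else 200."""
    return 403 if rule.search(body) else 200

def false_positives(rule, samples):
    """Benign samples that the rule would reject."""
    return [s for s, bad in samples if not bad and verdict(rule, s) == 403]

def missed(rule, samples):
    """Command-shaped samples that the rule would let through."""
    return [s for s, bad in samples if bad and verdict(rule, s) == 200]

# (text, is_command_shaped). The first four come from posts in this thread;
# the last two are constructed for the comparison.
SAMPLES = [
    ("Wherefore did zoogie curl up in yonder bed, "
     "wrapped in such a heavy blanket?", False),
    ("Wherefore did zoogie sequester himself thus?", False),
    ("curl up with a book", False),
    ("curl", False),
    ("x; wget http://example.invalid/file", True),
    ("`curl -o /tmp/x http://example.invalid/file`", True),
]

if __name__ == "__main__":
    for name, rule in (("broad", BROAD), ("narrow", NARROW)):
        print(name, "false positives:", false_positives(rule, SAMPLES))
        print(name, "missed:", missed(rule, SAMPLES))
```

The narrower pattern trades some coverage for fewer false positives, so a change like this would normally be checked against logged traffic before it is enforced.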

#9 User is offline   jaseone

  • Massive Orange
  • Group: Members
  • Posts: 2,188
  • Joined: 11-February 05

Posted 28 June 2005 - 11:25 AM

Found a workaround...

instead of doing:

curl anything
or
wget anything

Do:

curl anything
or
wget anything

Then that will get you through mod_security and still make your post look how you want it to, admittedly a bit of a pain if you are using curl as part of a normal sentence but at least the workaround will let you do so.

#10 User is offline   vassie

  • Tiny Orange
  • Group: Members
  • Posts: 5
  • Joined: 29-July 04

Posted 03 November 2005 - 07:54 AM

I'm having the same problem, however I found this over at wordpress.org

http://wordpress.org...ort/topic/19392

Looks like it's a problem with Zend

Ben

#11 User is offline   6th

  • Fresh Squeezed
  • Group: Members
  • Posts: 831
  • Joined: 19-March 05

Posted 16 November 2005 - 02:28 PM

Argh!!!

I just wasted 20 minutes trying to figure out why leaving a comment on my own blog was throwing a 403 error. I could leave comments on other blogs hosted on the same server and there were no changes to files or permissions (which I double-checked, anyway). I finally remembered hearing about this issue and looked at the text of my comment. Sure enough, I had entered "curl up with a book" in there.

"wget" isn't a word you use in normal conversation, but curl is. Is this something that should be readdressed? Would removing the curl restriction really be a security problem?

#12 User is offline   djrk111

  • Very Large Orange
  • Group: Members
  • Posts: 576
  • Joined: 01-May 05

Posted 16 November 2005 - 06:45 PM

QUOTE(6th @ Nov 16 2005, 11:28 AM)

Argh!!!

I just wasted 20 minutes trying to figure out why leaving a comment on my own blog was throwing a 403 error. I could leave comments on other blogs hosted on the same server and there were no changes to files or permissions (which I double-checked, anyway). I finally remembered hearing about this issue and looked at the text of my comment. Sure enough, I had entered "curl up with a book" in there.

"wget" isn't a word you use in normal conversation, but curl is. Is this something that should be readdressed? Would removing the curl restriction really be a security problem?


Did you see Jason's solution above?



#13 User is offline   6th

  • Fresh Squeezed
  • Group: Members
  • Posts: 831
  • Joined: 19-March 05

Posted 16 November 2005 - 06:56 PM

It's not a solution.

I can use it if I really need to use that word in a post, but it's a crude workaround at best. I can't expect other users of the site to know why they've received an error or that it had anything to do with their wording, at all.

It's not like I'm going to get all huffy if it isn't done. One adult to another, I'm simply asking if this is something that can be looked into. If it really is a major security concern, then by all means leave the block in place. But if it was a temporary concern, maybe it can be relaxed.

#14 User is offline   djrk111

  • Very Large Orange
  • Group: Members
  • Posts: 576
  • Joined: 01-May 05

Posted 16 November 2005 - 07:13 PM

Yeah, I know it's not great.

If you're on a VPS or something, you could deal with it by changing the mod_security config.

Actually, you might be able to write something to deal with this. It couldn't be PHP because you'd have to post the writing to a script I think (even if it was the same page), but maybe there's a simple javascript way to add the   before apache gets ahold of the text...

#15 User is offline   Jeremy Banks

  • Customer #1647
  • Group: Members
  • Posts: 1,567
  • Joined: 27-January 05

Posted 16 November 2005 - 07:23 PM

QUOTE(djrk111 @ Nov 16 2005, 7:13 PM)

Yeah, I know it's not great.

If you're on a VPS or something, you could deal with it by changing the mod_security config.

Actually, you might be able to write something to deal with this. It couldn't be PHP because you'd have to post the writing to a script I think (even if it was the same page), but maybe there's a simple javascript way to add the before apache gets ahold of the text...


CODE
onsubmit="document.getElementById('comment').value = document.getElementById('comment').value.replace(/(curl|wget)(?= )/g, '$1 ')"

Something like this?
Eh.

#16 User is offline   Dave E

  • Tiny Orange
  • Group: Members
  • Posts: 1
  • Joined: 01-March 06

Posted 01 March 2006 - 04:36 AM

Another (perhaps cleaner) workaround for this: just enclose the offending word with a span. E.g:

CODE
Will the gibbons <span>curl</span> their lips?

Cheers,
Dave.