Fresh Install (?with mod_security?) -> Internal server error (500)

Hi All.

I am really impressed by ProjectPier and want to use it with some friends (online collaboration). I've used PP without problems on my home server. However, I cannot get it to function properly on a rented 'online' server. I tried copying over my MySQL db and the files from my home server. I also tried a fresh install; this went without a glitch, no warnings or errors. But...

Whenever a link contains 'redirect_to=', I get an Internal Server Error page. Other pages work fine.

Things i tried:
1 - I've seen these errors before while Perl scripting; usually it came down to either a malfunctioning script or permission issues.
1a It can't be because of a defective script, as I tried both a fresh install (which completed flawlessly) and also copied over a working version from my home server.
1b I've temporarily set the permissions of all files and directories to 777 ('everybody can do everything') . Not recommended security-wise :-)

2 I also copied the files and db from the webserver to my home server, changing of course define('ROOT_URL', in the config file. This also worked. Ergo the files and the DB on the server must be okay.

So it seems the problem resides in the apache config somewhere.
Going through the error logs I found this:

[error] [client myip] mod_security: Access denied with code 500. Pattern match "\\\\.php\\\\?.*=(http|https|ftp)\\\\:/.*\\\\?"
at REQUEST_URI [hostname "myhostname"]
[uri "/index.php?c=account&a=edit_password&id=3&redirect_to=http%3A%2F%2Fmyhostname%2Findex.php%3Fc%3Duser%26a%3Dcard%26id%3D3"]

This leads me to believe that mod_security and PP don't play nice together. The input filtering done by mod_security probably doesn't like the feeding of URLs to the PHP scripts. But I am no security expert.

Any suggestions on how to proceed? Turning off mod_security is not an option (not that I would want to) because I don't have that level of control over the server.

php PHP Version 5.2.3
server Apache/2.0.54 (Fedora) (with mod_security enabled )

First, just wanted to say you did a good job explaining what the problem is and what you've done already. Wish more posters took the time.

Past that, I don't have much experience with mod_security but I would guess that it is interpreting this as a possible XSS risk or something and is the reason for the rejection. So, 2 things:

- Talk with your web hosting provider about the issue and see what they suggest and if they can provide you with a workaround or possibly make a tweak to the mod_security settings for you.

- It is probably not unreasonable for us to find a more robust way to provide this functionality for PP that still works with mod_security, however this will take time and probably won't help you in the short term unless you're able to contribute a fix. Depending on what your host suggests, I would probably recommend submitting an issue about this with further details and a link to this post.
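
Added example, not part of the original thread and not ProjectPier's own code: it replays the logged rule against the logged URI, then shows that a same-host redirect target reduced to path plus query no longer matches. It assumes the doubled backslashes in the log are display escaping and that the filter URL-decodes the URI before matching; the function names are hypothetical.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Pattern from the logged rule, with the log's doubled backslashes collapsed
# (assumption about how the log line was rendered).
RULE = re.compile(r"\.php\?.*=(http|https|ftp)\:/.*\?")

# The URI from the log entry above, hostname placeholder kept as posted.
LOGGED_URI = ("/index.php?c=account&a=edit_password&id=3&redirect_to="
              "http%3A%2F%2Fmyhostname%2Findex.php%3Fc%3Duser%26a%3Dcard%26id%3D3")


def rule_matches(request_uri: str) -> bool:
    """Apply the rule to the URL-decoded URI (assumed: decoding precedes matching)."""
    return RULE.search(unquote(request_uri)) is not None


def to_relative(target: str, own_host: str) -> str:
    """Reduce a same-host URL to path + query; reject every other target."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) on our own host is allowed.
        if parts.scheme not in ("http", "https") or parts.hostname != own_host:
            raise ValueError("redirect target is not on this host")
    path = parts.path or "/"
    # Refuse relative paths, '//host' forms and backslash tricks.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        raise ValueError("redirect target is not a local path")
    return path + ("?" + parts.query if parts.query else "")


def build_link(base: str, redirect_target: str, own_host: str) -> str:
    """Append redirect_to as an encoded local path instead of a full URL."""
    rel = to_relative(redirect_target, own_host)
    return base + "&redirect_to=" + quote(rel, safe="")


if __name__ == "__main__":
    print("logged URI blocked:", rule_matches(LOGGED_URI))
    link = build_link("/index.php?c=account&a=edit_password&id=3",
                      "http://myhostname/index.php?c=user&a=card&id=3",
                      "myhostname")
    print(link, "blocked:", rule_matches(link))
```

The receiving script would run the same `to_relative` check on the incoming `redirect_to` value before issuing the redirect, so the parameter cannot point off-site.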