
I am posting here because all other forums say it's a server environ issue.

I have a site with the ModX CMS on it hosted on a GoDaddy server (not sure what the specific setup is, as the client has forgotten the login details). For some reason (mod_security?) I cannot save any string via the CMS that incorporates http:// or https:// to the MySQL database.

I've got similar sites (that are not hosted on GoDaddy) that work fine.

Is there some file or set up (Apache?) that blocks me from saving certain strings (URLs) to the MySQL database?

Video of problem: https://www.youtube.com/watch?v=dqlZbckGEiA

MeltingDog
  • Sounds more like a SQL issue. You should post the code and then we can migrate this to Stack Overflow. – John Conde Oct 29 '14 at 23:39
  • @JohnConde thanks, but I have already asked on Stack Overflow. It isn't really a code question, more of a server environment set up or server security question. I've altered the question but am not sure how I can make it clearer than it is. – MeltingDog Oct 29 '14 at 23:42
  • Ok, I'll reopen it and see what we get. – John Conde Oct 29 '14 at 23:43
  • Just checking, but you've issued yourself a SQL instance? Because GoDaddy doesn't use localhost, it uses a remote instance DB server. – Simon Hayter Oct 29 '14 at 23:52
  • @bybe thanks, yeah the SQL works fine - I've installed the CMS successfully and can save all other content fine. It's only when I include the characters 'http://' that I get into trouble – MeltingDog Oct 29 '14 at 23:53
  • Are you guessing that it's mod_security, or do you know that that's the issue? – Tim Fountain Oct 29 '14 at 23:59
  • @TimFountain I am guessing, based on what other (front end) forums have said – MeltingDog Oct 30 '14 at 00:00
  • Then I'd suggest your next step would be to see if mod_security (which is an Apache module) is installed/enabled, see here: http://superuser.com/questions/284898/how-to-check-which-apache-modules-are-enabled-installed – Tim Fountain Oct 30 '14 at 00:02
  • Have you ruled out that it's not the CMS that is blocking this? What error are you actually getting? If it's mod_security I would think that it's more likely blocking a form submission that contains this data, rather than the actual INSERT/UPDATE to the database? – MrWhite Oct 30 '14 at 00:25
  • @w3d I'm very sure it is not the CMS. I've used the same CMS countless times on other servers and it's fine. Yes it could definitely be blocking a form submission as that is how the CMS works - submitting forms with page content that updates the DB. – MeltingDog Oct 30 '14 at 00:37
  • What about ftp:// or just // itself or other similar strings. It may not be specific to http:// ? –  Oct 30 '14 at 00:38
  • Is the form being submitted by POST or GET? And you say the `http://` only has to be _part of_ a larger string submission? Presumably you are on a shared server? If it is a mod_security thing then this is not usually something that you have control over at an account/user level. (?) – MrWhite Oct 30 '14 at 00:48
  • @barrycarter just tried ftp:// then - same issue. // works though – MeltingDog Oct 30 '14 at 00:48
  • @w3d it appears to be POST. It doesn't seem to matter where http:// is - it can be by itself or part of a larger string. Yep, it's a shared server. I'm guessing I'm just going to have to ring up and ask GoDaddy to have a look? – MeltingDog Oct 30 '14 at 00:52
  • How about :// with no protocol? Dig around a bit to see if you can differentiate between what's blocked and what isn't. It could even just be the colon or something [insert 'blocked colon' joke here] –  Oct 30 '14 at 00:53
  • And what error are you getting exactly? @barrycarter lol – MrWhite Oct 30 '14 at 00:59
  • @barrycarter I tried `://` `test://` and `smtp://` it was happy with all of those – MeltingDog Oct 30 '14 at 01:10
  • @w3d I don't get an error, the page just seems to be caught in an infinite loop. I've attached a video above. – MeltingDog Oct 30 '14 at 01:11
  • Ah OK, looks like an AJAX request (does the CMS not time out eventually with an error?). Are you able to check the network traffic in the Object Inspector? If it's mod_security, the server is likely blocking the request and simply returning a 406, or even 500 status code. – MrWhite Oct 30 '14 at 01:25
  • Try "http" by itself with no colon, and then try replacing the colon and/or slashes with `:` and `/` respectively. –  Oct 30 '14 at 01:27
  • @barrycarter it was fine with `http` and even `http:/` and `http:::` so it must definitely be identifying the string `http://` – MeltingDog Oct 30 '14 at 01:31
  • It sounds like you need to check the mod security rules in place. There are some default rules that disallow SQL injections via http which I am sure you are running into. BTW- ModSecurity is an application that hooks into Apache and behaves like a module, but is not actually an Apache module per se. https://www.modsecurity.org/ – closetnoc Oct 30 '14 at 19:42

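The trial-and-error in the comments above can be written down as a small consistency check that shows which kind of filter pattern fits every reported result. This is an added example, not part of the original thread: the outcomes are the ones the poster reported, while the candidate patterns are hypothetical guesses for illustration, not rules read from the server's ModSecurity configuration.

```python
import re

# Outcomes reported in the thread (True = the CMS save request was blocked/hung).
OBSERVED = {
    "http://": True,
    "https://": True,
    "ftp://": True,
    "//": False,
    "://": False,
    "test://": False,
    "smtp://": False,
    "http": False,
    "http:/": False,
    "http:::": False,
}

# Hypothetical patterns a request-body filter might apply (assumptions,
# not taken from the host's actual rule set).
CANDIDATES = {
    "any '://'": r"://",
    "any scheme + '://'": r"[a-z][a-z0-9+.-]*://",
    "the word 'http'": r"http",
    "http/https/ftp URL prefix": r"(?:ht|f)tps?://",
}

def mismatches(pattern, observed=OBSERVED):
    """Return the probe strings whose reported outcome the pattern fails to predict."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(s for s, blocked in observed.items()
                  if bool(rx.search(s)) != blocked)

def consistent_candidates(candidates=CANDIDATES, observed=OBSERVED):
    """Names of the candidate patterns that explain every reported outcome."""
    return [name for name, pat in candidates.items()
            if not mismatches(pat, observed)]

if __name__ == "__main__":
    for name, pat in CANDIDATES.items():
        print(f"{name:28} mismatches: {mismatches(pat)}")
    print("consistent with all reports:", consistent_candidates())
```

Only the pattern limited to the http, https and ftp schemes fits all ten reports, which points at a rule that inspects POSTed parameters for URLs rather than at the database write itself.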