MOD SECURITY configuration issues with LIME SURVEY
1 year 6 months ago #232972
by boses.ph
MOD SECURITY configuration issues with LIME SURVEY was created by boses.ph
Please help us help you and fill where relevant:
Your LimeSurvey version: I have three versions installed: Version 3.28.30+220927 and Version 5.4.7+221019 and Version 3.28.32+221011
Own server or LimeSurvey hosting: Own server
Survey theme/template: 5.4.7 is using fruity and sea green. my 3.28.32 is using vanilla+dark sky. my 3.28.30 is using vanilla+black pearl
==================
(Write here your question/remark)
May we ask for your help guys? When we import lss files or even just lsq files on all three ls versions, we get "403 forbidden errors" (ver 3) and "Internal error from saveFormWithAjax: no data.responseJSON found" errors (ver 5) when we try to edit the resulting imported surveys.
But when we create new surveys, there are no errors when we edit anything.
Also when we totally turn off MOD SECURITY for the affected domains, there are no errors.
When we tried to keep mod security on but edit some mod security rules (95007, 973306 and 123412), it fixed errors when editing certain types of questions on the imported surveys but when we load other surveys and other questions with other types of questions, the errors persist.
We tried importing the same lss and lsq in limesurvey.net, and there are absolutely no errors when we are editing.
The "forbidden 403" errors persist even when we try and change the logos of limesurvey (so the error is not just confined to importing surveys).
The culprit we believe is MOD SECURITY and its configurations.
Any advice and suggestions would be so greatly appreciated.
Thank you very much.
1 year 6 months ago #232978
by boses.ph
Replied by boses.ph on topic MOD SECURITY configuration issues with LIME SURVEY
sorry here are our apache, php and mysql versions:
Apache:
Apache/2.4.54
PHP:
7.4.5
MySQL:
10.2.44-MariaDB
1 year 6 months ago #232986
by tpartner
Replied by tpartner on topic MOD SECURITY configuration issues with LIME SURVEY
Are the directory permissions correct?
- manual.limesurvey.org/Installation_-_Lim...irectory_permissions
Cheers,
Tony Partner
Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
1 year 6 months ago #233016
by boses.ph
Replied by boses.ph on topic MOD SECURITY configuration issues with LIME SURVEY
Thank you Tony!
Upon checking, our directory permissions are 755.
The permission of the tmp and upload folders is 777, and the application/config folder permission is 755.
But how is it that when we disable totally the mod-security on the affected domain all the errors disappear?
1 year 6 months ago #233024
by tpartner
Replied by tpartner on topic MOD SECURITY configuration issues with LIME SURVEY
Sorry, the PHP modules are beyond my little brain.
Cheers,
Tony Partner
Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
The following user(s) said Thank You: DenisChenu
1 year 6 months ago #233098
by jelo
Replied by jelo on topic MOD SECURITY configuration issues with LIME SURVEY
> The culprit we believe is MOD SECURITY and its configurations.
> Any advice and suggestions would be so greatly appreciated.
You will need to continue to disable certain rules. Over the years the AJAX parts in LimeSurvey and other tools trigger more and more rules.
The quality and future of some rules is unclear.
You didn't mention what ruleset you're using.
You can disable rules e.g. per URL, per folder or per domain. That way you don't need to give up the rule completely on a server.
LimeSurvey will trigger modsecurity rules and you need to disable rules. That is normal and not a sign of a misconfiguration somewhere else.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
1 year 5 months ago - 1 year 5 months ago #233337
by boses.ph
Replied by boses.ph on topic MOD SECURITY configuration issues with LIME SURVEY
Hello Jelo,
Thank you for these inputs and suggestions!
Our server is using [DELETED].
Is it safe to just completely disable MOD SECURITY on the domain where limesurvey is installed?
Last edit: 1 year 5 months ago by tpartner. Reason: OP request
1 year 5 months ago #233338
by jelo
Replied by jelo on topic MOD SECURITY configuration issues with LIME SURVEY
> Is it safe to just completely disable MOD SECURITY on the domain where limesurvey is installed?
I think you can answer the question on your own.
To install and run ModSecurity is to protect against bugs and bad configurations in webapplications. It's a kind of a web application firewall (WAF).
If you disable ModSecurity on a domain, you lower the issues around false-positive protections and you raise the risk of becoming the victim of an attack via the web application.
A ruleset is never 100% working for every kind of webapplication.
To disable ModSecurity completely domainwise when a few rules are false positive in a webapplication is the wrong approach. That way you end up with no ModSecurity at all.
You need to identify the nonworking rules and disable them URL or domainwise. Or you reduce the ruleset to your kind of webapplications.
Or motivate LimeSurvey developers to develop and test LimeSurvey against ModSecurity rulesets.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
1 year 5 months ago #233341
by boses.ph
Replied by boses.ph on topic MOD SECURITY configuration issues with LIME SURVEY
Thank you Jelo!
1 year 5 months ago #233439
by DenisChenu
Replied by DenisChenu on topic MOD SECURITY configuration issues with LIME SURVEY
> Or motivate LimeSurvey developers to develop and test LimeSurvey against ModSecurity rulesets.
Some parts of ModSecurity cannot be used in a system where you allow file uploads, for example.
@boses.ph: your server creates a log when there are ModSecurity errors; look at it: it shows whether you can disable the ModSecurity part or not.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer to private message.
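
One way to act on the advice in the replies above (read the server log to find the rules that fired, then disable only those, per URL), as an added example that is not part of the original thread: it tallies which rule ids denied requests to which URI and prints a scoped `SecRuleRemoveById` exclusion for each. The log lines are constructed in the ModSecurity 2.x Apache error-log layout; the rule ids are the ones named in the thread, while the host, client address, URIs and rule-file path are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the Apache error-log layout ModSecurity 2.x writes.
# The rule ids are the three named in the thread; the host, client address,
# URIs and rule-file path are placeholders, not real LimeSurvey paths.
_LINE = ('[Tue Nov 01 10:00:0{n}.000000 2022] [:error] [pid 1] '
         '[client 203.0.113.5:50000] ModSecurity: Access denied with code 403 '
         '(phase 2). Pattern match "x" at ARGS:example. '
         '[file "/placeholder/rules.conf"] [line "1"] [id "{rid}"] '
         '[msg "constructed"] [hostname "survey.example.org"] '
         '[uri "{uri}"] [unique_id "constructed{n}"]')
SAMPLE_LOG = "\n".join([
    _LINE.format(n=1, rid="973306", uri="/placeholder/edit-question"),
    _LINE.format(n=2, rid="95007", uri="/placeholder/edit-question"),
    _LINE.format(n=3, rid="973306", uri="/placeholder/edit-question"),
    _LINE.format(n=4, rid="123412", uri="/placeholder/upload-logo"),
    "[Tue Nov 01 10:00:05.000000 2022] [php7:notice] [pid 1] unrelated line",
])

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')  # captured value cannot contain a quote

def blocked_rules_by_uri(log_text):
    """Map each URI to the rule ids that denied requests to it, with hit counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # only requests that were actually blocked
        rid, uri = ID_RE.search(line), URI_RE.search(line)
        if rid and uri:
            hits[uri.group(1)][rid.group(1)] += 1
    return {uri: dict(ids) for uri, ids in hits.items()}

def render_exclusions(hits):
    """Emit one <Location> block per URI that removes only the ids seen there."""
    blocks = []
    for uri in sorted(hits):
        ids = " ".join(sorted(hits[uri], key=int))
        blocks.append(f'<Location "{uri}">\n    SecRuleRemoveById {ids}\n</Location>')
    return "\n".join(blocks)

if __name__ == "__main__":
    print(render_exclusions(blocked_rules_by_uri(SAMPLE_LOG)))
```

The generated `<Location>` blocks have to be loaded after the ruleset they refer to, and each id should be checked against its log message before it is excluded.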