MOD SECURITY configuration issues with LIME SURVEY

1 year 6 months ago #232972 by boses.ph
Please help us help you and fill where relevant:
Your LimeSurvey version: I have three versions installed: Version 3.28.30+220927  and  Version 5.4.7+221019  and  Version 3.28.32+221011
Own server or LimeSurvey hosting: Own server
Survey theme/template: 5.4.7 is using fruity and sea green.  my 3.28.32 is using vanilla+dark sky.  my 3.28.30 is using vanilla+black pearl
==================
(Write here your question/remark)

May we ask for your help guys?  When we import lss files or even just lsq files on all three ls versions, we get "403 forbidden errors" (ver 3) and "Internal error from saveFormWithAjax: no data.responseJSON found" errors (ver 5) when we try to edit the resulting imported surveys.

But when we create new surveys, there are no errors when we edit anything.

Also when we totally turn off MOD SECURITY for the affected domains, there are no errors.

When we tried to keep mod security on but edit some mod security rules (95007, 973306 and 123412), it fixed errors when editing certain types of questions on the imported surveys but when we load other surveys and other questions with other types of questions, the errors persist.  

We tried importing the same lss and lsq in limesurvey.net, and there are absolutely no errors when we are editing.

The "forbidden 403" errors persist even when we try and change the logos of limesurvey (so the error is not just confined to importing surveys).

The culprit we believe is MOD SECURITY and its configurations.

Any advice and suggestions would be so greatly appreciated.

Thank you very much.

1 year 6 months ago #232978 by boses.ph
sorry here are our apache, php and mysql versions:
Apache:
Apache/2.4.54
PHP:
7.4.5
MySQL:
10.2.44-MariaDB

1 year 6 months ago #232986 by tpartner

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.

1 year 6 months ago #233016 by boses.ph
Thank you Tony!

Upon checking our directory permissions are 755.
The permission of the tmp and upload folders is 777, and the application/config folder permission is 755.

But how is it that when we disable totally the mod-security on the affected domain all the errors disappear?

1 year 6 months ago #233024 by tpartner
Sorry, the PHP modules are beyond my little brain. :)

Cheers,
Tony Partner

1 year 6 months ago #233098 by jelo

The culprit we believe is MOD SECURITY and its configurations.
Any advice and suggestions would be so greatly appreciated.
 
You will need to continue to disable certain rules. Over the years the AJAX parts in LimeSurvey and other tools trigger more and more rules.
The quality and future of some rules is unclear.
You didn't mention what ruleset you're using.

You can disable rules e.g. per URL, per folder or per domain. That way you don't need to give up the rule completely on a server.

LimeSurvey will trigger modsecurity rules and you need to disable rules. That is normal and not a sign of a misconfiguration somewhere else.

 

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

1 year 5 months ago - 1 year 5 months ago #233337 by boses.ph
Hello Jelo,
Thank you for these inputs and suggestions!
Our server is using [DELETED].

Is it safe to just completely disable MOD SECURITY on the domain where limesurvey is installed?
Last edit: 1 year 5 months ago by tpartner. Reason: OP request

1 year 5 months ago #233338 by jelo

Is it safe to just completely disable MOD SECURITY on the domain where limesurvey is installed?
 
I think you can answer the question on your own.
To install and run ModSecurity is to protect against bugs and bad configurations in webapplications. It's a kind of a web application firewall (WAF).
If you disable ModSecurity on a domain, you reduce the issues around false positives and you raise the risk of becoming the victim of an attack via the web application.
A ruleset is never 100% working for every kind of webapplication.
To disable ModSecurity completely domainwise  when a few rules are false positive in a webapplication is the wrong approach. That way you end up with no ModSecurity at all.
You need to identify the nonworking rules and disable them URL or domainwise. Or you reduce the ruleset to your kind of webapplications.
Or motivate LimeSurvey developers to develop and test LimeSurvey against ModSecurity rulesets.

1 year 5 months ago #233341 by boses.ph
Thank you Jelo!

1 year 5 months ago #233439 by DenisChenu

Or motivate LimeSurvey developers to develop and test LimeSurvey against ModSecurity rulesets.
 
Some parts of ModSecurity cannot be used in a system where you allow file uploads, for example.

@boses.ph: your server creates a log when there is a ModSecurity error. Look at it: it shows whether you can disable that ModSecurity part or not.
 

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
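
Added example, not part of any forum post or of LimeSurvey: a Python sketch of the workflow jelo and DenisChenu describe above, reading the ModSecurity entries in the Apache error log to see which rule ids blocked which URLs, then emitting per-URL `SecRuleRemoveById` exclusions to review instead of switching ModSecurity off for the whole domain. It assumes the ModSecurity 2.x error-log format on Apache; the log lines, hostnames and URIs are constructed placeholders, and only the rule ids come from the thread.

```python
import re
from collections import defaultdict

# Constructed Apache error_log lines (ModSecurity 2.x format assumed). Rule ids
# are those named in the thread; hostnames, URIs and clients are placeholders.
_P = '[Wed Nov 02 10:15:01 2022] [:error] [client 203.0.113.10] ModSecurity: '
SAMPLE_LOG = "\n".join([
    _P + 'Access denied with code 403 (phase 2). [id "973306"] [hostname "survey.example.org"] [uri "/index.php/admin/edit"]',
    _P + 'Access denied with code 403 (phase 2). [id "973306"] [hostname "survey.example.org"] [uri "/index.php/admin/edit"]',
    _P + 'Access denied with code 403 (phase 2). [id "95007"] [hostname "survey.example.org"] [uri "/index.php/admin/edit"]',
    _P + 'Access denied with code 403 (phase 2). [id "123412"] [hostname "survey.example.org"] [uri "/index.php/admin/logo"]',
    _P + 'Warning. Pattern match at ARGS:q. [id "973306"] [hostname "survey.example.org"] [uri "/index.php/survey"]',
    _P + 'Access denied with code 403 (phase 2). [id "95007"] [hostname "other.example.org"] [uri "/login"]',
    '[Wed Nov 02 10:15:09 2022] [core:error] [client 203.0.113.10] File does not exist: /var/www/favicon.ico',
])

FIELD = re.compile(r'\[(id|uri|hostname) "([^"]*)"\]')

def blocked_rules(log_text):
    """Return {(hostname, uri): {rule_id: hits}} for requests ModSecurity denied."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        # Only blocking events; "Warning." lines did not cause the 403 themselves.
        if "ModSecurity: Access denied" not in line:
            continue
        f = dict(FIELD.findall(line))
        if {"id", "uri", "hostname"} <= f.keys():
            hits[(f["hostname"], f["uri"])][f["id"]] += 1
    return {key: dict(rules) for key, rules in hits.items()}

def scoped_exclusions(hits, hostname):
    """Render per-URL SecRuleRemoveById blocks for one virtual host to review."""
    out = []
    for (host, uri), rules in sorted(hits.items()):
        if host != hostname:
            continue
        ids = sorted(rules, key=int)
        out.append(f'<LocationMatch "^{re.escape(uri)}$">')
        out.append("    # observed denials: " + ", ".join(f"{i} x{rules[i]}" for i in ids))
        out.append("    SecRuleRemoveById " + " ".join(ids))
        out.append("</LocationMatch>")
    return "\n".join(out)

if __name__ == "__main__":
    print(scoped_exclusions(blocked_rules(SAMPLE_LOG), "survey.example.org"))
```

Check each suggested id against the logged match data before applying it, since a denial can also be a true positive. With anomaly-scoring rulesets the contributing rules appear on the `Warning.` lines, and the rule that issues the final denial should not be the one removed.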
