• Resolved cfrascadore

    (@cfrascadore)


    Hi,

    I would like to submit a serious bug that appears in the list of gallery images (page = nggallery-manage-gallery&mode=edit). I must have racked my brains and searched for a few hours before I put my finger on it.
    Here is what it is about: When we press the SAVE CHANGE or the SORT GALLERY button, the script throws an error and displays a page with a 403 error if an apostrophe is used in the alttext field of the gallery list.
    In French, the use of the apostrophe is common. (ie. “the tree”=”l’arbre”, “the man”=”l’homme”, etc.)
    As in French, the use of the apostrophe is very common, (ie. “the tree”=”l’arbre”, “the man”=”l’homme”, etc.), the error is likely to occur often.
    It can be reproduced by entering an apostrophe in the field (try l’homme).
    After submitting you will be taken to a page showing the error “403 – Forbidden – Access to this resource on the server is denied!”
    I tried the ascii codes [& # 39;] and [& # 146;] instead of the character itself but #39 still gives an error and the character [& # 146;], although it does not give an error, is misinterpreted by the browser.

    Thank you and best regards

    Claude Frascadore

    • This topic was modified 3 years, 3 months ago by cfrascadore.


Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor Imagely

    (@imagely)

    Hi @cfrascadore,

    Usually that’d point to NextGen’s requests triggering a ModSecurity rule for some reason (mainly while using non-ASCII characters for the images’ titles).

    Historically, we have found that it reports the same detection ID, so respectively adding a rule to your site’s .htaccess may potentially resolve the problem.

    You can remove that ModSec detection ID using a .htaccess rule like the one below. Going without this rule is absolutely fine and most web hosts aren’t even using ModSecurity at all:

    
    <LocationMatch "/">
    SecRuleRemoveById 77229500
    </LocationMatch>
    
    • This reply was modified 3 years, 3 months ago by Imagely.

    I’m having the same problem – suddenly. The gallery already had apostrophes in it and was working fine when it was created months ago, but when I added a few more images today, I found I couldn’t edit their titles.

    The problem only happens in the Alt/Title tag bit – if there’s an apostrophe in the description it all works fine. If there’s an apostrophe in the Alt/Title, I can neither save nor sort.

    Plugin Contributor Imagely

    (@imagely)

    Hi @tig1960,

    Might be caused by ModSecurity being recently enabled from your hosting provider’s side. Please try using the same workaround we’ve suggested in the reply above and let us know if that helps.

    The work-around is not applicable in my case as I am on shared hosting, and SecRuleRemoveById is disabled by my hosting provider as per the error log:
    [TIMESTAMP] [core:alert] [pid 2571105] [client IP] /PATH/.htaccess: SecRuleRemoveById not allowed here, referer: URL
    I can see why they won’t allow just anybody to bypass ModSecurity.

    The error thrown by NextGen gallery refers to XSS and is clearly related to the use of an apostrophe in the alttext field. Thanks @cfrascadore for hunting this down, BTW!
    [TIMESTAMP] [:error] [pid 2571054] [client IP:PORT] [client IP] ModSecurity: Access denied with code 403 (phase 2). String match "'" at ARGS_POST:images[189][alttext]. [file "/etc/modsecurity/02_comodo/27_Apps_WPPlugin.conf"] [line "785"] [id "229500"] [rev "1"] [msg "COMODO WAF: XSS vulnerability in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress (CVE-2015-9229)||MAIN-URL|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WPPlugin"] [hostname "HOSTNAME"] [uri "/PATH/wp-admin/admin.php"] [unique_id "YeP6XV1lCcDH05yHL-c3ygAAAGI"], referer: https://URI/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=6&_wpnonce=53aec984ac

    IMHO this should be fixed on the side of NGG because it is a systematic error affecting many users that seriously make use of image meta-data. Without any in-depth consideration this looks like a case for htmlentities() or htmlspecialchars(). Thanks for your consideration, @imagely!
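
The ModSecurity denial quoted above can be triaged mechanically. The following is an added example (not code from this thread, from NextGEN Gallery or from ModSecurity) that parses error-log lines in that format and counts denials per rule id and argument name, so a recurring false positive on one form field stands out. The sample lines are constructed and abridged from the quoted entry, and the function names are hypothetical.

```python
import re

# Leading part of a denial: status, phase, what matched, and which request variable.
HEAD_RE = re.compile(r'ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)\. '
                     r'(.*?) at ([A-Z_]+)(?::(.+?))?\. \[')
# Trailing metadata such as [id "229500"] or [tag "CWAF"].
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_denial(line):
    """Return a dict for a ModSecurity 'Access denied' line, or None for other lines."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    event = {"status": int(head[1]), "phase": int(head[2]), "match": head[3],
             "collection": head[4], "arg": head[5], "tags": []}
    for key, value in KV_RE.findall(line):
        if key == "tag":
            event["tags"].append(value)   # tags repeat, so collect them all
        else:
            event.setdefault(key, value)
    return event

def triage(lines):
    """Count denials per (rule id, target), with numeric array indexes normalised to N."""
    counts = {}
    for line in lines:
        ev = parse_modsec_denial(line)
        if ev is None:
            continue
        target = ev["collection"]
        if ev["arg"]:
            target += ":" + re.sub(r"\[\d+\]", "[N]", ev["arg"])
        key = (ev.get("id"), target)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample input: abridged from the log entry quoted in the post above;
# the images[190] line is invented to show grouping across image rows.
_HEAD = '[TIMESTAMP] [:error] [pid 2571054] ModSecurity: Access denied with code 403 (phase 2). '
_TAIL = ('[file "/etc/modsecurity/02_comodo/27_Apps_WPPlugin.conf"] [line "785"] [id "229500"] '
         '[rev "1"] [severity "CRITICAL"] [tag "CWAF"] [tag "WPPlugin"] [uri "/PATH/wp-admin/admin.php"]')
SAMPLE_LINES = [
    _HEAD + 'String match "\'" at ARGS_POST:images[189][alttext]. ' + _TAIL,
    _HEAD + 'String match "\'" at ARGS_POST:images[190][alttext]. ' + _TAIL,
    '[TIMESTAMP] [core:alert] [pid 2571105] /PATH/.htaccess: SecRuleRemoveById not allowed here',
]

if __name__ == "__main__":
    for (rule_id, target), n in triage(SAMPLE_LINES).items():
        print(f"rule {rule_id} denied {target} {n} time(s)")
```

A count concentrated on one rule id and one field, as here, is the evidence a hosting provider needs to tune that rule for that argument.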

    sm8ps

    (@sm8ps)

    As a (stupid) work-around, I have used the back-tick (`) instead of the apostrophe (‘). Nevertheless, I do think that @imagely should take care of the problem.

    This problem is still happening, some 6 months after it was first reported. Very annoying.

  • The topic ‘Error 403 if appostrophes in alttext field’ is closed to new replies.