A while back I was contacted by a user who had deployed wpGForm on their site with a problem they wanted my help with. In looking at it I was absolutely stumped as to why it wasn’t working. Nothing appeared obvious – when the form was submitted, the form would be displayed again as if for the first time. In the process of chasing down this problem I’ve added quite a bit of debug code but in the end, I found Firebug’s Net Panel incredibly useful.
In this particular case it was showing me that the form was being posted but a 403 Permission Denied response resulted. Why? The exact same URL worked to show the form, why wasn’t it working to process the form? I ended up separating the rendering and processing part of the plugin thinking this was the problem (like it was on a site a couple of weeks ago) but it didn’t make any difference (although it was the right thing to do). I was still getting 403 problems.
I was working closely with the site owner; they were nice enough to allow me to really dig into their site. What did I find? A bunch of minor plugin and theme issues that I chased, thinking they were conflicting somehow, to no avail. I ended up opening a ticket with the hosting provider and once we clarified the problem, they sent me some error log information:
[error] ModSecurity: Access denied with code 403 (phase 2).Match of "rx
://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required.
[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"]
[line "489"]
[id "340162"]
[rev "262"]
[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt
in ARGS (AE)"] [data "
https://docs.google.com/spreadsheet/formresponse?formkey=dhzsutftwllwzwf6lwd
yb0xcmkzsogc6mq&ifq
"]
[severity "CRITICAL"]
[hostname "lanaddicts.org"]
[uri "/test-form/"]
[unique_id "UAbUbnrJTaEAAHtoboQAAAAG"]
Wow! At first I didn’t know what to make of this. A Google Search led me to this Atomic Corp Wiki. I decided that the Apache Security Module must not like the Google Form URL that I need to carry around through the process in order to submit the form variables to Google. I decided to encode it and then decode it when needed to see if that would satisfy the Apache Security Module.
Guess what? It works!!!! This is a big relief as I have another user with almost the exact same error being reported and I am betting my updated plugin will fix their problem too.
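For triaging a denial like the one in the log entry above, this added example (not code from the plugin or from Atomicorp) parses a ModSecurity error-log entry into its rule id, the inspected argument and the logged data. The sample line is constructed from the entry in the post with the host name and form key replaced by placeholders, and `is_offsite` approximates the rule's regex check with a host comparison.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: shaped like the entry quoted in the post, written on one
# line as Apache logs it. Host name and form key are placeholders.
SAMPLE = (
    '[error] ModSecurity: Access denied with code 403 (phase 2). '
    'Match of "rx ://%{SERVER_NAME}/" against "MATCHED_VARS:gform-action" required. '
    '[file "/usr/local/apache/conf/modsec/10_asl_rules.conf"] [line "489"] '
    '[id "340162"] [rev "262"] '
    '[msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Remote File Injection attempt in ARGS (AE)"] '
    '[data "https://docs.google.com/spreadsheet/formresponse?formkey=PLACEHOLDER"] '
    '[severity "CRITICAL"] [hostname "www.example.org"] [uri "/test-form/"]'
)

DENIED_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')
# "Match of ... required" is how ModSecurity logs a negated operator: the
# request was denied because the variable did NOT match the pattern.
MATCH_RE = re.compile(r'Match of "(\w+) (.*?)" against "([^"]+)" required')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_entry(line):
    """Split one ModSecurity error-log entry into its parts."""
    denied = DENIED_RE.search(line)
    match = MATCH_RE.search(line)
    return {
        "status": int(denied.group(1)) if denied else None,
        "phase": int(denied.group(2)) if denied else None,
        "operator": match.group(1) if match else None,
        "pattern": match.group(2) if match else None,
        "variable": match.group(3) if match else None,
        "fields": {k: v.strip() for k, v in FIELD_RE.findall(line)},
    }

def flagged_argument(entry):
    """Name of the request argument the rule inspected, e.g. 'gform-action'."""
    var = entry["variable"] or ""
    return var.split(":", 1)[1] if ":" in var else None

def is_offsite(entry):
    """True when the logged data is a URL on a host other than the site's own."""
    host = urlsplit(entry["fields"].get("data", "")).hostname
    return host is not None and host != entry["fields"].get("hostname", "").lower()

if __name__ == "__main__":
    e = parse_entry(SAMPLE)
    print(e["fields"]["id"], flagged_argument(e), "off-site URL:", is_offsite(e))
```

The rule id and argument name this returns are the two details a hosting provider needs to decide whether the rule is a false positive for that form field.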
If you want to try out an early build while I continue to test, you can find one here.