editing error message on Save

I'm using version 1.0.3 and have used it successfully for almost a year now. Just this week it's started giving an error message when I click the save button after editing the description etc. for a photo. The error message is:

Precondition Failed
The precondition on the request for the URL /zen/admin.php evaluated to false.

Apache/1.3.33 Server at www.snowdropstudios.co.uk Port 80

Anyone any ideas why this has started all of a sudden?

Comments

  • This is almost certainly a mod_security (which in crude terms is like a firewall for Apache) issue. Your host may have enabled mod_security at the global level for all domains. Certain words in your description may be triggering off mod_security to give a Precondition Failed or 412 Error when you POST.

    As a test try switching off mod_security either for your entire domain or just for Zenphoto by adding the following line in the relevant .htaccess file

    SecFilterEngine Off

    But this is only to diagnose. Switching off mod_security may make you vulnerable to spam and possibly injection attacks. If this works and the errors cease, you may have to craft a specific line for your .htaccess which stops the error but does not entirely disable mod_security.
  • Incidentally, to check at the outset whether mod_security is running, run a phpinfo script and check the output for instances of 'mod_security'.
  • Thanks so much, it seems you were right! With it disabled entirely the save option is now working fine.
    Any idea what sort of line we should code for stopping the error but not disabling the security entirely?

    Thanks very much for your help with this, it's really appreciated.

    Regards
    Anne
  • This is trickier. I did some searching on the web for mod_security and forms and also looked at your site. Assuming that words like "poppy" or "poppies" in your descriptions are found to be objectionable by mod_security, you could try adding the following 2 lines to .htaccess:

    SecFilterEngine On
    SecFilterSelective "POST_PAYLOAD" "poppy" "poppies" "allow,nolog"

    instead of:

    SecFilterEngine Off

    Please add any other words like "poppy" or "poppies" in double quotes.

    It is a long shot and is contingent upon your being able to guess all such words, since you never know for sure. You could also consider contacting your host and asking them what is being flagged.
  • Actually the syntax should be:

    SecFilterEngine On
    SecFilterSelective "POST_PAYLOAD" "poppy" "allow,nolog"
    SecFilterSelective "POST_PAYLOAD" "hot red poppies" "allow,nolog"
    SecFilterSelective "POST_PAYLOAD" "any other string" "allow,nolog"

    etc.
  • Hello,

    Glad I found this thread - I'm experiencing exactly this problem. When I turn the filter completely off the page loads, but I cannot get it to work/find out (waiting for reply from hosting provider) what keyword phrase I need to include for the selective filtering. I've tried all the keywords in the filename, including the entire filename. Any suggestions?

    Thanks,
    Alex
  • I don't know what else to add. Maybe Tristan, @thinkdreams or @chilifrei can help.

    You may also want to investigate the real (versus perceived) benefits of mod_security. I have not really looked into it myself. Maybe it is an urban myth and even a moderately sophisticated attacker can bypass it with ease. If so, just disable it.

    Recently I came to the same conclusion about PC software firewalls. I don't think they protect anything except their own bottom lines when they sell you a new subscription every year. In the meanwhile your PC is brought down to its knees by the firewall's memory and CPU needs. Plus you get scary looking pop-ups about how the firewall saved you from 10 attackers in the last 10 minutes which I consider to be completely manipulative.
  • trisweb Administrator
    I tend to agree -- I'm not sure of any real benefit from mod_security... if you have insecure scripts on your site, a determined attacker can find ways to exploit them anyway, I'm sure. The real security comes from well-patched server software and PHP scripts without XSS/SQL-injection attacks.

    But I am interested to see if it's Zenphoto causing mod_security to go off... I'll have to test it out.
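
An added example, not from any poster in this thread: one way to narrow the exception discussed above, so that mod_security stays on for the site and only POST body scanning is turned off for the admin script. It assumes mod_security 1.x (the SecFilter* directives used in the thread), that the host permits these directives in .htaccess, and that the trigger is in the POST body rather than in the URL or headers.

```apache
# .htaccess in the Zenphoto directory (/zen/ in the error message above).
# Added example; assumes mod_security 1.x and that the host allows
# SecFilter* directives in .htaccess.

# Diagnostic setting from the thread: switches the filter off for
# everything under this directory. Use only to confirm the cause.
# SecFilterEngine Off

<IfModule mod_security.c>
    # Keep the engine running for the whole directory.
    SecFilterEngine On

    # Narrow exception: stop inspecting POST bodies only for the
    # script that returned the 412. URL and header checks still apply
    # to admin.php, and every other script keeps full filtering.
    <Files admin.php>
        SecFilterScanPOST Off
    </Files>
</IfModule>
```

If the 412 persists with this in place, the match is not in the POST body, and the host's rule set or mod_security log is the place to look.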