Webinator Admin Panel 403 errors

rjshelq
Posts: 82
Joined: Thu Nov 17, 2005 3:25 pm

Post by rjshelq »

I'm having an odd problem with my Webinator 27.2.0 admin panel. I can log in normally, I can go to any of my profiles, and everything looks normal, but when I click the "Update Live and Test" button on a Search Settings page, or click the "Update" button on the Walk Settings page, the URL becomes:

https://example.com/cgi-bin/texis/webin ... pdate.html

and I get an HTTP 403 Forbidden error.

The browser back arrow takes me back to:

https://example.com/cgi-bin/texis/webin ... kfeel.html

and everything again seems normal, until I click the "Update Live and Test" button on a Search Settings page, or click the "Update" button on the Walk Settings page and get another 403 error.

Everything was working fine when I did the setup last summer, but now it is quite broken. The search engine is working fine, and it has been running all scheduled walks properly.

Where is this "update.html" file that it is trying to access? Do you have any clues about why this might have started happening?
Last edited by rjshelq on Tue Apr 01, 2025 8:40 pm, edited 1 time in total.
rjshelq
Posts: 82
Joined: Thu Nov 17, 2005 3:25 pm

Re: Webinator Admin Panel 403 errors

Post by rjshelq »

I have tried multiple browsers, and have rebooted the server, but still get the same 403 error message.

I'm beginning to suspect that the issue may be related to https. On this server, all connections are upgraded to https by Apache directives, so I can't log in on http to test this theory.

Is there any known problem caused by logging in to the Webinator 27.2.0 Admin panel using https? If so, is there a workaround?
John
Site Admin
Posts: 2622
Joined: Mon Apr 24, 2000 3:18 pm
Location: Cleveland, OH

Re: Webinator Admin Panel 403 errors

Post by John »

Webinator itself shouldn't be producing 403 errors. I'm not sure if you can check the Apache error.log to see if it is denying the request and gives a reason. The URLs themselves look correct, and the CGI should find the update.html inside the dowalk script. The only difference is that the update.html will get a POST, whereas the lookfeel.html a GET. Is it possible that the directives are trying to rewrite the POST even if it's already https?

You could also look under System / Information / System Information at the Client tab to see if the headers look correct.
John Turnbull
Thunderstone Software
rjshelq
Posts: 82
Joined: Thu Nov 17, 2005 3:25 pm

Re: Webinator Admin Panel 403 errors

Post by rjshelq »

Thank you for your kind and helpful reply.

I found that the root of the problem was an Apache module called ModSecurity, which apparently thought that the nonce used in your update.html page address looked like some kind of a naughty XSS trick, so ModSecurity blocked the connection and put up the 403 error message.

In case anyone else encounters such a ModSecurity issue, here's my solution:

Since I normally connect to Webinator from a static IP address, I solved the problem by adding an Apache config statement which turns off ModSecurity for connections from my IP address.

# Check if the remote client IP matches your specific admin IP
<If "%{REMOTE_ADDR} == 'MY_ACCESS_IP_ADDRESS'">
    # Turn off ModSecurity rules processing for requests from this IP
    SecRuleEngine Off
</If>
John
Site Admin
Posts: 2622
Joined: Mon Apr 24, 2000 3:18 pm
Location: Cleveland, OH

Re: Webinator Admin Panel 403 errors

Post by John »

Thanks for updating. The nonce is there to protect against Cross-Site Request Forgery (CSRF) attacks.
John Turnbull
Thunderstone Software
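
Added example, not part of the original thread and not Thunderstone's code: a way to do the error.log check suggested above, pulling out which ModSecurity rule denied which URI. It assumes the ModSecurity 2.x error-log line format under Apache 2.4; the sample lines, rule ids 999001/999002, addresses and URIs are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed Apache error.log lines in ModSecurity 2.x format (not from the
# thread). Rule ids 999001/999002, addresses and URIs are placeholders.
SAMPLE_LOG = """\
[Tue Apr 01 20:31:07.101010 2025] [:error] [pid 4121] [client 203.0.113.10:50112] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed-pattern" at REQUEST_URI. [file "/etc/modsecurity/example.conf"] [line "57"] [id "999001"] [msg "Constructed XSS rule"] [hostname "example.com"] [uri "/cgi-bin/app/update.html"] [unique_id "constructed-0001"]
[Tue Apr 01 20:33:41.202020 2025] [:error] [pid 4122] [client 203.0.113.10:50140] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed-pattern" at REQUEST_URI. [file "/etc/modsecurity/example.conf"] [line "57"] [id "999001"] [msg "Constructed XSS rule"] [hostname "example.com"] [uri "/cgi-bin/app/update.html"] [unique_id "constructed-0002"]
[Tue Apr 01 20:35:02.303030 2025] [:error] [pid 4123] [client 198.51.100.7:41022] [client 198.51.100.7] ModSecurity: Warning. Pattern match "constructed-pattern" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "80"] [id "999002"] [msg "Constructed scoring rule"] [hostname "example.com"] [uri "/cgi-bin/app/search.html"] [unique_id "constructed-0003"]
[Tue Apr 01 20:36:19.404040 2025] [:error] [pid 4123] [client 198.51.100.7:41030] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed-pattern" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "80"] [id "999002"] [msg "Constructed scoring rule"] [hostname "example.com"] [uri "/cgi-bin/app/search.html"] [unique_id "constructed-0004"]
[Tue Apr 01 20:40:00.000000 2025] [core:notice] [pid 4100] constructed non-ModSecurity line
"""

DENIED = "ModSecurity: Access denied with code 403"
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # [key "value"] metadata
TARGET = re.compile(r" at ([A-Z_]+(?::\S+?)?)\. \[file ")   # variable that matched
CLIENT = re.compile(r"\[client ([\d.]+)")                   # IPv4 only, for brevity


def parse_denials(text):
    """Return one dict per 403 denial: rule id, msg, uri, target, client."""
    hits = []
    for line in text.splitlines():
        if DENIED not in line:
            continue  # skip warnings and non-ModSecurity lines
        fields = dict(FIELD.findall(line))
        target, client = TARGET.search(line), CLIENT.search(line)
        hits.append({
            "id": fields.get("id"), "msg": fields.get("msg"), "uri": fields.get("uri"),
            "target": target.group(1) if target else None,
            "client": client.group(1) if client else None,
        })
    return hits


def summarize(hits):
    """Group denials by (rule id, uri): the scope a targeted exclusion needs."""
    groups = defaultdict(lambda: {"count": 0, "targets": set(), "clients": set()})
    for h in hits:
        g = groups[(h["id"], h["uri"])]
        g["count"] += 1
        g["targets"].add(h["target"] or "?")   # "?" when the line names no variable
        g["clients"].add(h["client"] or "?")
    return {k: {"count": v["count"], "targets": sorted(v["targets"]),
                "clients": sorted(v["clients"])} for k, v in groups.items()}


if __name__ == "__main__":
    for (rule_id, uri), info in summarize(parse_denials(SAMPLE_LOG)).items():
        print(rule_id, uri, info)
```

The rule id and URI it reports are what a scoped exclusion needs, for example ModSecurity's SecRuleRemoveById inside a Location block for the admin path, which leaves the rest of the rule set active.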