Describe the issue or problem
In the popup window for assigning participants to an article, the list of users does not load. The request returns an HTTP 403 error code (img attached) and the following error message is displayed:
[Mon Oct 07 20:05:23 2024] [error] [client 83.56.126.245] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\bselect\\b.{0,40}\\buser\\b" at REQUEST_FILENAME. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "67"] [id "959514"] [rev "2.1.1"] [msg "Blind SQL Injection Attack"] [data "select/user"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "revistacubanadefisica.org"] [uri "/index.php/rcf/$$$call$$$/grid/users/user-select/user-select-grid/fetch-grid"] [unique_id "ZwQi4-0wNI5U3pMtxPBswQAAAIQ"]
Looking around in the forums, the most probable cause of this error is that the mod_security module of Apache detects that request as a malicious attack. I contacted the hosting administrator to create a rule to ignore the false positive, but it was strongly denied.
I would like to know if there is any solution to the error that does not involve modifying the server configuration. Is this way of getting the data new in OJS 3.4?
Any help is welcome.
Regards.
Steps I took leading up to the issue
- Login user.
- Go to ‘Submissions’.
- Go to ‘Unassigned’ tab.
- Click on ‘View’ button of a pending submission.
- Click on ‘Production’ tab in the ‘Workflow’ tab.
- Click on ‘Assign’ button in the ‘Participants’ block.
- See error: ‘Loading’ is not hidden.
What application are you using?
OJS 3.4.0-7
Additional information
Image of error in the assignment popup:
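
A small triage script, added here as an example and not part of the original post, OJS or ModSecurity: it parses the denial line quoted above and re-runs the rule's regex against the logged URI to show which part of the path triggers rule 959514. The function names are hypothetical, and it assumes Python's `re` treats this pattern the same way the rule's regex engine does and that the rule lowercases its input.

```python
import re

# Abridged copy of the ModSecurity log line quoted in the post
# (timestamp, client, file, rev, severity and tag fields omitted).
LOG_LINE = (
    r'ModSecurity: Access denied with code 403 (phase 2). '
    r'Pattern match "\\bselect\\b.{0,40}\\buser\\b" at REQUEST_FILENAME. '
    r'[id "959514"] [msg "Blind SQL Injection Attack"] [data "select/user"] '
    r'[uri "/index.php/rcf/$$$call$$$/grid/users/user-select/user-select-grid/fetch-grid"]'
)


def parse_denial(line):
    """Extract the rule pattern, matched variable and bracketed fields."""
    m = re.search(r'Pattern match "((?:[^"\\]|\\.)*)" at ([A-Z_:]+)', line)
    if m is None:
        raise ValueError("not a ModSecurity pattern-match denial")
    fields = {}
    for key, value in re.findall(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]', line):
        fields.setdefault(key, []).append(value)  # keys such as tag can repeat
    # The log writes each backslash twice; undo that to recover the regex.
    pattern = m.group(1).replace("\\\\", "\\")
    return {"pattern": pattern, "variable": m.group(2), "fields": fields}


def explain_match(denial):
    """Re-run the rule regex on the logged URI and report what it matched."""
    uri = denial["fields"]["uri"][0].lower()  # assumption: input is lowercased
    hit = re.search(denial["pattern"], uri)
    if hit is None:
        return None
    # Show the whole path segment(s) the match sits in, for context.
    start = uri.rfind("/", 0, hit.start()) + 1
    return {"matched": hit.group(0), "offset": hit.start(),
            "context": uri[start:hit.end()]}


if __name__ == "__main__":
    denial = parse_denial(LOG_LINE)
    result = explain_match(denial)
    print("rule id :", denial["fields"]["id"][0])
    print("pattern :", denial["pattern"])
    print("matched :", result["matched"], "inside", result["context"])
```

The match comes from the grid route name `user-select/user-select-grid` itself, not from any request parameter, which is what marks this denial as a false positive on the path.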