Error in apache mod_security when assigning participants to a submission

Describe the issue or problem

In the popup window for assigning participants to an article, the list of users does not load. The request returns an HTTP 403 error code (img attached) and the following error message is displayed:

[Mon Oct 07 20:05:23 2024] [error] [client 83.56.126.245] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\bselect\\b.{0,40}\\buser\\b" at REQUEST_FILENAME. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "67"] [id "959514"] [rev "2.1.1"] [msg "Blind SQL Injection Attack"] [data "select/user"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "revistacubanadefisica.org"] [uri "/index.php/rcf/$$$call$$$/grid/users/user-select/user-select-grid/fetch-grid"] [unique_id "ZwQi4-0wNI5U3pMtxPBswQAAAIQ"]

Looking around in the forums, the most probable cause of this error is that the mod_security module of apache detects that request as a malicious attack. I contacted the hosting administrator to create a rule to ignore the false positive, but it was strongly denied.

I would like to know if there is any solution to the error that does not involve modifying the server configuration, and whether this way of getting the data is new in OJS 3.4.

Any help is welcome.

Regards.

Steps I took leading up to the issue

  1. Login user.
  2. Go to ‘Submissions’.
  3. Go to ‘Unassigned’ tab.
  4. Click on ‘View’ button of a pending submission.
  5. Click on ‘Production’ tab in the ‘Workflow’ tab.
  6. Click on ‘Assign’ button in the ‘Participants’ block.
  7. See error: ‘Loading’ is not hidden.

What application are you using?
OJS 3.4.0-7

Additional information
Image of error in the assignment popup:

After being unable to find a suitable solution, I have decided to modify the code to avoid the use of user-select in the URL, responsible for triggering the security alert. I share the changes in the code hoping it will be of some help…

NOTE: It is recommended to use an IDE to ensure that the namespaces and usages of the files contained in the directory are updated.

  1. Rename folder /lib/pkp/controllers/grid/users/userSelect, for example to userSearch.
  2. Rename file /lib/pkp/controllers/grid/users/userSearch/UserSelectGridHandler.php, for example to UserSearchGridHandler.php.
  3. Rename file /lib/pkp/controllers/grid/users/userSearch/UserSelectGridCellProvider.php, for example to UserSearchGridCellProvider.php.
  4. Update the reference to UserSearchGridCellProvider in file /controllers/grid/users/subscriberSelect/SubscriberSelectGridHandler.php.
  5. In file /lib/pkp/templates/controllers/grid/users/stageParticipant/addParticipantForm.tpl, on line 66, change the component attribute from grid.users.userSelect.UserSelectGridHandler to grid.users.userSearch.UserSearchGridHandler.
  6. Delete the web template cache from the website admin panel.
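To check offline why the original grid URL trips CRS rule 959514 and why the rename above stops it, here is a small added example (not part of the post or of OJS) that runs the rule's regex, as quoted in the log above, against the logged URI and against the renamed path. The renamed path spelling (user-search / user-search-grid) is assumed from the workaround steps, and case-insensitive matching is assumed to approximate the transformations ModSecurity applies before the pattern is evaluated.

```python
import re

# Regex of CRS 2.x rule 959514 as it appears in the log line above
# (the log shows the backslashes doubled; this is the actual pattern).
# re.IGNORECASE is an assumption standing in for the rule's lowercase transformation.
BLIND_SQLI_SELECT_USER = re.compile(r"\bselect\b.{0,40}\buser\b", re.IGNORECASE)

# Constructed sample URIs: the grid URL copied from the log entry, and the same
# request after the userSelect -> userSearch rename (assumed spelling).
ORIGINAL_URI = "/index.php/rcf/$$$call$$$/grid/users/user-select/user-select-grid/fetch-grid"
RENAMED_URI = "/index.php/rcf/$$$call$$$/grid/users/user-search/user-search-grid/fetch-grid"


def find_rule_match(uri: str):
    """Return the substring rule 959514 would report as [data "..."], or None.

    The rule inspects REQUEST_FILENAME, i.e. the path without the query string,
    so only the path part of the URI is examined here.
    """
    path = uri.split("?", 1)[0]
    match = BLIND_SQLI_SELECT_USER.search(path)
    return match.group(0) if match else None


def classify_uris(uris):
    """Map each URI to the matched fragment (or None) so a list of routes can be vetted at once."""
    return {uri: find_rule_match(uri) for uri in uris}


if __name__ == "__main__":
    for uri, data in classify_uris([ORIGINAL_URI, RENAMED_URI]).items():
        verdict = f'blocked, [data "{data}"]' if data else "allowed"
        print(f"{verdict}: {uri}")
```

Running the block prints that the original path is blocked with the same fragment the log reports (select/user, taken from "user-select/user-select-grid": the hyphen and slash supply the word boundaries the pattern requires), while the renamed path no longer contains the word "select" and passes. The same check can be run over any other OJS grid route before deploying a rename, so the workaround does not simply move the false positive elsewhere.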