Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+1 vote
998 views
in Q2A Core by
edited by
Hello,

I'm getting this error `Unexpected response from server - please try again or switch off Javascript.` when answering a question, after I clicked "Add answer". The actual response from the server is `HTTP 418 I'm a teapot'.

It's a clean installation of Q2A. I've only added the Markdown editor and a custom theme (derived from "Classic", I've only changed some CSS). It's hosted on a shared hosting.

Question2Answer version: 1.8.6
Build date: 2021-04-20
Q2A database version: 67
Database size: 1.5 MB
PHP version: 7.4.15
MySQL version: 5.7.28-log

This is what is shown in the error log:

```

[Sun Jun 13 22:16:51.540416 2021] [:error] [pid 29994:tid 140051224971008] [client ...] [client ...] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:qa_root. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:qa_root: ../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "wotas.net"] [uri "/"] [unique_id "..."], referer: https://wotas.net/2/can-someone-help-finding-good-resource-for-migrating-address-book-for-use-with-mutt

[Sun Jun 13 22:16:51.540835 2021] [:error] [pid 29994:tid 140051224971008] [client ...] [client ...] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:qa_root. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:qa_root: ../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "wotas.net"] [uri "/"] [unique_id "..."], referer: https://wotas.net/2/can-someone-help-finding-good-resource-for-migrating-address-book-for-use-with-mutt

[Sun Jun 13 22:16:51.624707 2021] [:error] [pid 29994:tid 140051224971008] [client ...] [client ...] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "150"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "wotas.net"] [uri "/"] [unique_id "..."], referer: https://wotas.net/2/can-someone-help-finding-good-resource-for-migrating-address-book-for-use-with-mutt

```

I'm not sure what is happening... how can I fix this?

I was able to answer the question after disabling javascript, so I think this is a problem with the ajax request. In particular it appears to be an issue with the `qa_root: ../` parameter.

1 Answer

+2 votes
by
selected by
 
Best answer

You or your hosting provider enabled ModSecurity, a web application firewall (WAF). Apparently Q2A is using some relative paths (something like https://example.org/foo/../bar), which ModSecurity doesn't like, because they look like Path Traversal attacks. Hence the error.

AFAICS you can either configure ModSecurity to allow these paths, or disable ModSecurity entirely. WAFs in general tend to require a lot of fine-tuning, therefore I do not recommend using them unless you specifically know what you need them for and are prepared to put in the additional time and effort (which might be better spent on the configuration of the actual webserver).

If you choose to stick with ModSecurity, this tutorial might be helpful.

...