FYI it appears to be related to the specific content in my post. I typed up a very short reply and posted it without a problem.
Are there words or symbols that bbP is treating as security risks? I’ve seen this before in WP and it’s enough to drive one to drink.
This isn’t even a code-oriented post. I at least understand it blocking posts that contain SQL queries and whatnot, but this doesn’t have any of that…
Jonathan
I had hoped that beta2 would fix this but, it doesn’t. I still can’t post this specific reply, and other members are having the same problem and getting understandably frustrated.
Help?
Jonathan
Just a guess, but this may be related to the 403 error that I reported earlier.
I had the same problem, only I receive a 403 error page on my server vs. just returning me to the post.
It was only happening with very specific content, that for some reason mod_security was triggering the 403.
If you have access to the server error logs, it may be worth looking through those to see if you can find out if it is indeed mod_security kicking in.
*If you don’t have access to the server logs, (if your on a shared host then you don’t), then I would suggest trying to do the same thing over and over again, only cutting out a few words/phrases at a time, to see what word/phrase may be triggering it to not show up.
**suggestion:
try to create a post with the same exact information in the post as you are doing in the forum post and see if it works. If not, then it’s 99% mod_security related
@Johnathan – Can you use a tool like Firebug or Inspector, and look at the hidden input fields in your reply form?
Should look like the following
<input type="hidden" name="bbp_reply_title" id="bbp_reply_title" value="Reply To: Updated to bbPress 2.0 pre-beta 2" />
<input type="hidden" name="bbp_forum_id" id="bbp_forum_id" value="138" />
<input type="hidden" name="bbp_topic_id" id="bbp_topic_id" value="439" />
<input type="hidden" name="action" id="bbp_post_action" value="bbp-new-reply" />
<input type="hidden" id="_wpnonce" name="_wpnonce" value="0b78bb87eb" />
<input type="hidden" name="_wp_http_referer" value="/discussion/topic/updated-to-bbpress-2-0-pre-beta-2/" />
Also, some details about your configuration would be great. WordPress version, Multisite/single-site, custom theme/theme compatibility, etc…
@anointed – I believe it was your post that actually turned me onto the mod_security thing in the first place. I had my host whitelist the problematic rule for me so that I could post what I needed to in WP, and that solved that issue completely. But this time it’s in bbP… would there be a different rule needing whitelisting this time?
@jjj – here are the hidden fields from my form:
<input id=”bbp_reply_title” type=”hidden” value=”Reply To: Where to start with LPGEN working on that first $1″ name=”bbp_reply_title”>
<input id=”bbp_forum_id” type=”hidden” value=”143″ name=”bbp_forum_id”>
<input id=”bbp_topic_id” type=”hidden” value=”9041″ name=”bbp_topic_id”>
<input id=”bbp_post_action” type=”hidden” value=”bbp-new-reply” name=”action”>
<input id=”_bbp_unfiltered_html_reply” type=”hidden” value=”e72f207254″ name=”_bbp_unfiltered_html_reply”>
<input id=”_wpnonce” type=”hidden” value=”f3ac8f8387″ name=”_wpnonce”>
<input type=”hidden” value=”/topic/where-to-start-with-lpgen-working-on-that-first-1/” name=”_wp_http_referer”>
For a moment I thought it might be related to having a $ in the topic title, but I’ve had no problem making other replies to this thread (nor has anyone else), it’s just this ONE reply I can’t post.
I’m running WP 3.1.3, single-site, custom/modified commercial theme.
Thanks!
Jonathan
Hidden fields look fine to me.
What happens if you choose to include the forum base slug in your permalinks? Are you able to post then?
Is it possible that the content you’re attempting to post is the *exact* same as the content of another post in that same topic? I noticed in your video that the template notices that are normally in the reply area have been removed in your custom theme. That means if the duplicate post is being caught, you’re not getting any feedback notices.
Definitely no chance at all that the content is identical. It’s like a 2 or 3 page post. 
I turned on the slug and – IT POSTED!
So you’re right on with that… problem is I really seriously don’t want those slugs being shown. So is this just a bug that can be fixed perhaps?
Thanks!
Jonathan
Any chance you’d let me take a peek around your installation? I can’t duplicate this, so I’m curious to see what’s causing it.
Just to ease my mind, can you try deleting the bbPress plugin completely, and re-uploading a fresh download too?
Sure thing, happy to let you peek around. I can even give you admin access to a hidden forum for testing purposes, along with some specific content that refuses to post.
Let me try a fresh copy too… I’d kinda rather wait till late late at night since that’s when there’s the least chance of anyone being active on the site.
I’ll PM you more info. Thanks!
Jonathan
@tooltrainer
If you have it available, could you post the whitelist provided by the host? I can dig through it and see if it is limited to posts somehow, though I doubt that is possible as it’s just a db entry, but it might provide some insight.
Like I said, I am NO mod-sec expert, but am willing to try and help. Messing with mod-sec is always scary, as doing it wrong can kind of bork the system.
Yeah, I’m thinking it’s not mod-sec anyway since adding the bbP slugs to the permalinks, meant I could post without any issue. So it’s definitely not a server-wide content filter of some kind.
I’m actually not even certain where they put the whitelist… I think it was in the firewall or something, somewhere I don’t have easy access to (and I’m dangerous at the command line LOL)
Jonathan
glad to hear you got it solved
Well, sadly not solved… it works if I enable the various slugs in permalinks, but I definitely don’t want to do that so, I still need this to get looked at as something is wrong. JJJ offered to have a look at my install but I can’t seem to find any way to send him private information, I see no email info here and buddyPress doesn’t appear to have any Private Messaging function so…
JJJ, how can I send you private info on my site?
Thanks!
Jonathan
I have to amend what I said earlier. I just had another post that wouldn’t go through, so I turned on the slugs and tried to post it – no dice this time. Can’t post it with or without the slugs.
So… anyone have any ideas? Could it be mod-sec after all??
Jonathan
suggestion:
Try posting the exact same ‘information’ into a post instead of the forums, and see if it works. If it does not then odds are it is mod security. At that point you would have to talk with your host sysadmin about relaxing the rules.
I would also suggest creating a new forum topic on your site, and start by copying just the first line into the reply box and see if it works. Keep adding content to new replies until you find the ‘offending’ line. Then you will know what combination of words that is being rejected.
*Above step is not necessary if you can get your host to check the logs. It’s kind of a tacky way to solve the issue, but it may be all you can do on your own without a sysadmin
Yeah I can paste the content into a post without any issue.
I’ll go through line by line until I find the offender(s), but if this is going to be a continued problem, I’m going to have to abandon bbP. If this is a bug I’m surprised nobody else is seeing it. 
Jonathan
OK – this is bloody insane.
I cannot post the following line:
to create every single piece from scratch.
But I CAN post the following line:
to create every single piece from .
I can also post the following line:
every single piece from scratch.
and I can also post:
scratch.
But again, I can’t post:
to create every single piece from scratch.
Somebody figure THAT one out.
Jonathan
@tooltrainer
Keep in mind that this is only beta2, and there are very few people using this plugin so far. It is NOT intended for a live site as noted many times.
*one last set of tests if you don’t mind:
1. Try to create a new topic with the exact same string you are trying and see if that works.
2. Try to create a new reply with the exact same string you are trying and see if that works.
That will tell me if it is the replies or topics part of the code to look into.
Finally, understand you have tried this same string a number of times, so it could be a hidden duplicate in the db. I would check your db tables to see if any of these attempts managed to save in a cell behind the scenes.
JJ has been working on this plugin non-stop, check the change-log, and you will see he never sleeps LOL
I still think it may have something to do with mod-rewrite. I am 100% that is what happened to me, although it could be different for you.
What you really need is some server logs in order to really help track this down. If you have a half decent host, then it should only take them 2 mins to track down any errors.
*It is a good idea to ask your host how to access your own error logs for server, security, and php
sorry, posted before I saw your reply.
I am now almost certain this has to do with mod-security. You really need to call and get a copy of your error logs.
Really? Very interesting. I figured if anything that this showed it was NOT mod-sec, since there was no single problematic word, only when the words were used together in a complete string, was there a problem.
I also figured that since I can post the same content into a WP post without any issue, that it wouldn’t be mod-sec.
Anyway I’ll go look at the logs, I have root so should be able to find them myself. I try to avoid poking around outside of the webroots if I can help it but, sometimes ya gotta.
Will let you know if I uncover anything. Thanks for all your tips!
(and yeah I know I really *shouldn’t* be using bbP in a live site but it was the only forum option I could find that would integrate how I wanted and my site had to launch so… I’m rolling the dice!)
Jonathan
Yup, it is mod-security, same on my end:
[Sat May 28 18:03:04 2011] [error] [client ip] mod_security: Access denied with code 403. Pattern match ":space:+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe):space:+[A-Z|a-z|0-9|\\*| |\\,]+:space:+(from|into|table|database|index|view):space:+[A-Z|a-z|0-9|\\*| |\\,]" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "mysite.com"] [uri "/topic/need-healing/page/3/"] [unique_id "TeFxGEUuJUQAAGLkflw"]
You are probably going to have to have your host think about relaxing the rules.
Only thing I don’t understand is why it works on posts but not topics/replies. I will read through how the topic/reply is being saved to the db and see if I can track it down. If not, I’ll ask JJ later.
(he’s finally asleep after pulling yet another all nighter)
It is not the individual words but the combination spaces and keywords that are usually used to ‘inject malicious code’ into a db.
select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe
*each host uses diff keywords, so your rules may vary
I’d wait until you hear from JJ, just in case the info is saved to the db differently before you mod anything in mod-security
Yep I just found the same:
ModSecurity: Access denied with code 500 (phase 2). Pattern match “((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe):space:+[A-Z|a-z|$
I’m guessing it’s my use of the word “create” in my example string.
Given how much my forum discusses code, I think I’m going to have no long term option but to relax ModSec. I’ve already asked the host to look into it so hopefully they come up with something.
Thanks for all your pointers as usual!
Jonathan
Just because I find it interesting, here is the shortest string I could come up with that would trigger ModSec:
create piece from scratch
Odd combination of words to trigger…
Jonathan
before you relax the rules, wait until we hear from JJ. There is a possibility that the info is being saved to the db in a slightly different way than standard posts.
I’ve been reading through the code, but do not have a strong enough understanding of wp to know for sure.
No reason to relax unless needed, more security is always best
