Question

I have a strange problem, and it might relate more to my Apache configuration than anything else, but I am not sure, so I am asking it here.

I have a contact form, and within this contact form is a textarea.

If I fill out the contact form and in the textarea I enter one line of text, e.g.

Test

The form completes and I am notified via email. However, if inside the textarea I do the following:

Test

Test

I get the following:

403 - Forbidden

Forbidden
You don't have permission to access /contact_us.php on this server.

To debug, I added a marker to the form controller to stop the script just after the form is submitted, so I have the following:

# IF SEND QUERY BUTTON IS CLICKED
if (isset($_POST['sendQuery']) && $_POST['sendQuery'] == 'Send Query')
{
    echo 'HALT HERE';
    exit;
    ...
}

When I submit the form with:

Test

I get HALT HERE; however, when I submit with:

Test

Test

the marker is not triggered and I get the 403. This is why I assume this could be something to do with Apache rather than just how I have done things in PHP / HTML.

Does anyone have any ideas what might cause something like this to happen? Thanks in advance!

EDIT:

The server is Apache 2 with mod_security (+ OWASP definitions) and mod_evasive.

The following is in php.ini

disable_functions = php_uname, getmyuid, getmypid, passthru, fpassthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, escapeshellarg, escapeshellcmd, shell_exec, curl_exec, curl_multi_exec, exec, dl, set_time_limit, system, highlight_file, source, show_source, fsockopen, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, parse_ini_file, ini_alter, popen, phpinfo

In the vhost configuration I have set:

<LimitExcept GET POST>
     deny from all
</LimitExcept>

Form HTML is:

<form class="remove-bottom" action="" method="post">
...    
<textarea
    name="userQuery" id="userQuery"
    cols="40" rows="10"
    maxlength="2000"
    class="quarter-bottom"
></textarea>
...
</form>

I get this in the Apache error log:

[Thu Mar 13 08:06:54 2014] [error] [client my.ip.my.ip] ModSecurity: Rule 7fd0751d6280 [id "950901"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/index.php"] [unique_id "UyFK-mAcYdcAACwKBI8AAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Rule 7fd0751d6280 [id "950901"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Rule 7fd075bb3940 [id "-"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"][line "27"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Warning. Match of "rx (?i:(<meta.*?(content|value)=\\"text/html;\\\\s?charset=|<\\\\?xml.*?encoding=))" against "RESPONSE_BODY" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "APP_DEFECT/MISCONFIGURATION"] [tag "http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms"] [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Rule 7fd074f08b10 [id "-"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"][line "41"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client my.ip.my.ip] ModSecurity: Warning. Match of "rx (<meta.*?(content|value)=\\"text/html;\\\\s?charset=utf-8|<\\\\?xml.*?encoding=\\"utf-8\\")" against "RESPONSE_BODY" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check]  The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8"] [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]

other_vhosts_access.log shows:

test.com:80 my.ip.my.ip - - [13/Mar/2014:08:38:47 +0200] "POST /contact_us.php HTTP/1.1" 403 463 "http://www.test.com/contact_us.php" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"

Solution

We're encountering the same issue. We resolved it by removing that rule from the ModSecurity config.
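Before dropping a CRS rule outright, it helps to confirm from the error log which rule and file actually failed on the request. The following parser is an added example, not code from the question or the answer; the three sample lines are constructed to match the shape of the log entries above (client address replaced with a documentation IP), and it groups "PCRE limits exceeded" failures by ModSecurity's unique_id so each 403 can be tied to the rule that aborted.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log: three lines shaped like the Apache error-log entries
# in the question, with the client address replaced by a documentation IP.
SAMPLE_LOG = """\
[Thu Mar 13 08:06:59 2014] [error] [client 203.0.113.7] ModSecurity: Rule 7fd0751d6280 [id "950901"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client 203.0.113.7] ModSecurity: Rule 7fd075bb3940 [id "-"][file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"][line "27"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
[Thu Mar 13 08:06:59 2014] [error] [client 203.0.113.7] ModSecurity: Warning. Match of "rx (?i:charset=)" against "RESPONSE_BODY" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [hostname "www.test.com"] [uri "/contact_us.php"] [unique_id "UyFLA2AcYdcAACwKBJAAAAAE"]
"""

# ModSecurity 2.x writes its fields as [key "value"]; a value may itself contain
# square brackets (e.g. [msg "[Watcher Check] ..."]), but quotes inside it are escaped.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')   # client address is not quoted
PCRE_LIMIT_MARK = "PCRE limits exceeded"

def parse_modsec_line(line: str) -> Optional[Dict[str, str]]:
    """Return the bracketed fields of one ModSecurity error-log line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = {k: v for k, v in FIELD_RE.findall(line)}
    m = CLIENT_RE.search(line)
    if m:
        fields["client"] = m.group(1)
    fields["pcre_limit"] = "yes" if PCRE_LIMIT_MARK in line else "no"
    return fields

def pcre_limit_hits(log_text: str) -> Dict[str, List[str]]:
    """Group PCRE-limit failures by transaction (unique_id).

    Each entry is 'rule_id@file:line', so the operator can see which rule in
    which CRS file aborted on the request before deciding on an exclusion."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        f = parse_modsec_line(raw)
        if not f or f["pcre_limit"] != "yes":
            continue
        where = f.get("file", "?").rsplit("/", 1)[-1]
        hits[f.get("unique_id", "?")].append(
            f'{f.get("id", "-")}@{where}:{f.get("line", "?")}')
    return dict(hits)

if __name__ == "__main__":
    for tx, rules in pcre_limit_hits(SAMPLE_LOG).items():
        print(tx, "->", ", ".join(rules))
```

Run against the real error log, the transaction ids can be matched with the 403 entries in other_vhosts_access.log to confirm that the failing rule, not the PHP script, produced the response.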

Licensed under: CC-BY-SA with attribution