403 on form submit, 200/302 with cURL/wget

I have a form with many inputs. Some named "date", "type" etc.

The form action points to http://www.xxx.com/admin/links/create, via POST.

When I try to submit it (having required fields populated correctly), I get a 403 response.

In the following cases, I get either 302 or 200 response codes (depending on log-in cookie):

• plain http://www.xxx.com/admin/links/create URL in address bar (I know that's GET);
• using websniffer (GET & POST)
• curl/wget from local

I checked the permissions, the .htaccess (I only have FTP access to web-root) and various other places and everything looks fine.

I hope it's not naming collision of the inputs (actually, I do hope so, because that'll be easy to fix).

All the above happen in production, which is Linux (Apache/2.0.51 on Fedora). Everything works fine on local, which is Wi开发者_C百科ndows. Don't tell me it's permissions...

Does somebody know what could be the cause for this - in my own perception - strange behavior?

Culprit: Apache's mod_security.

I didn't have that module installed in my Windows machine (that's why it worked locally), but the server had it installed.

Here's what I did:

• I checked the access logs. Found this:

  [...] mod_security: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type") [...] [uri "/admin/links/create"] [...]

• As I don't know how to handle mod_security (yet!), I removed it altogether, and it worked. In your .htaccess:

<IfModule mod_security.c>
  SecFilterInheritance Off
</IfModule>

Of course, you can pin-point your Apache targets only to apply that rule to certain files/folders using directives.

Some links that might help:
http://community.mybb.com/showthread.php?tid=7592
http://wordpress.org/support/topic/upgrade-to-22-dashboard-not-working
http://energy-4-3.com/uncategorized/mod_security-access-denied-with-code-403-pattern-match-http/
http://www.modsecurity.org/ (homepage)