DrJBN Posted February 1, 2022

I'm very much a php newbie. I have a game I wrote in Unity where I pack all my data into a text string and send it via a Unity Webrequest to my server where my Savedata.php file appends it to a text file. Works beautifully.

Today I made some changes to my program, unrelated to any of the save routines. When testing it, it wasn't saving the data. The server was returning that it was Forbidden, leading to more than a bit of panic.

In my program the user enters a text string as an identifier that is put in the data string and saved. I was putting "DELETE ME" as the id so that I could find it in the data file easily and delete it. It was that Text that was triggering the save problem. I changed it to "REMOVE ME" and saving worked just fine.

I assume the server is somehow checking the text data string and that there are some words that are illegal that trip an alarm and prevent it from being saved? If so, are these (or other "no no's" I should be aware of) published/discussed anywhere?

Best,
Byron

DrJBN Posted February 1, 2022

I have 2 games using the same server, both using the same Unity Webrequest function to send data to my save_data.php file (one in each game directory). In Game 1 if I put "DELETE" in my text string, I get the 404 Forbidden error. In Game 2, I do not. I swapped Game 2's php to the Game 1 directory (they should have the same content) and the error persists.

Game 1 won't save if the word "DELETE" or "delete" is in the text string. DELETEME works fine, so does DELET.

I imagine this is some kind of fringe case and I'll be fine so long as none of my users use "DELETE" as an ID, but since it doesn't seem logical that the system would work like this, whatever is causing the error might cause it on other strings. Any guesses would be appreciated.

DrJBN Posted February 1, 2022

Does this Server error help?

[Tue Feb 01 21:36:13.834953 2022] [:error] [pid 31899:tid 139931882379008] [client 95.63.28.231:57246] [client 95.63.28.231] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\\\n|\\\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+" at MATCHED_VAR. [file "/etc/modsecurity/12_HTTP_Protocol.conf"] [line "137"] [id "217280"] [rev "6"] [msg "WAF: HTTP Request Smuggling Attack||www.learningchicken.com|F|2"] [data "Matched Data: delete found within MATCHED_VAR"] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "www.learningchicken.com"] [uri "/JBN/EvsC_Chicken/save_data.php"] [unique_id "YfmZvVJimwoAAHybrfYAAAAA"]

requinix Posted February 1, 2022

Congratulations, you have mod_security installed. Are you on shared hosting or do you have a dedicated server you can control?

DrJBN Posted February 2, 2022

It's shared hosting. I imagine it unlikely that any user will use any of these "get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock" in their username, but I suppose I'll scan it anyway and either remove or replace them if they are used.

requinix Posted February 2, 2022

Yeah, don't do that. See if your hosting provider is willing (and able) to turn off mod_security for you: it's a great thing in theory but reports so many false positives that it just ends up being a pain in the ass.

If that's not an option, all you have to do to bypass this particular security measure is to encode the data. For example, with base 64. Submit the data encoded and have your PHP decode it.
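
The following is an added example, not part of the original thread: it replays the pattern from the logged rule (id 217280) against constructed save records to show why "DELETE ME" is blocked while "DELETEME", "DELET" and "REMOVE ME" are not, and why a base64-encoded body does not trip it. Assumptions: the rule lowercases its input before matching, the user ID sits on its own line in the record, and all function names are hypothetical.

```python
import base64
import re

# Pattern from the ModSecurity log entry in the thread (rule id 217280), with
# the log's backslash escaping undone: line break(s), an HTTP method name,
# then whitespace.
SMUGGLING_RE = re.compile(
    r"(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind"
    r"|propatch|mkcol|copy|move|lock|unlock)\s+"
)


def rule_matches(body: str) -> bool:
    """Return True if the rule's pattern fires on a request body.

    Assumption: the rule lowercases its input before matching, which would
    explain why both "DELETE" and "delete" were blocked.
    """
    return SMUGGLING_RE.search(body.lower()) is not None


def make_record(user_id: str) -> str:
    """Constructed save record: one field per line, user ID on its own line."""
    return f"session=42\n{user_id}\nscore=1300\n"


def encode_for_transport(record: str) -> str:
    """Client side: base64 output has no CR/LF, so the pattern cannot match."""
    return base64.b64encode(record.encode("utf-8")).decode("ascii")


def decode_on_server(field: str) -> str:
    """Server side: strict decode that rejects anything that is not base64."""
    return base64.b64decode(field, validate=True).decode("utf-8")


if __name__ == "__main__":
    for user_id in ("DELETE ME", "delete", "REMOVE ME", "DELETEME", "DELET"):
        record = make_record(user_id)
        wire = encode_for_transport(record)
        print(f"{user_id!r:12} raw={rule_matches(record)} "
              f"encoded={rule_matches(wire)} "
              f"roundtrip={decode_on_server(wire) == record}")
```

In a form-encoded POST, the `+` in standard base64 must be percent-encoded or it arrives at the server as a space and the strict decode fails.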