The Cause

One cause of this error is the mod_security Apache module used by TextDrive (our website host). If the module finds a string in your post that it doesn't like (such as those frequently used in attacks), it will cause Apache to emit this error.

The Fix

Try to guess what the offending string is and remove it from your post. There is no easy way to have it display what the offending string was. These do appear in the error log, but the logs are only available using shell access to the server.

We believe (having never seen it) that most of the offensive strings are Unix commands. Avoid spelling out the full path of a command.

How I Came Across This

After spending much time debugging the cause of the problems IE was suddenly having with the PushButton theme, I decided to record what I had found in my blog. The debugging had led me down many paths, and as part of the process, I had upgraded our copy of Drupal to the latest version (no point in asking for help on an old version and there had been a flurry of security upgrades).

So I typed in a (lengthy) blog entry, clicked submit, and got "Precondition Failed" in big text across my screen. Aaaugh! Now what? What could be causing this?

A quick search of the error text and "Drupal" found a note by someone who had the same problem. Disabling the file attachment module fixed it for him. Not for me. Next...

Another quick search found that the error is generated by Apache. Ah ha! I had messed with .htaccess, perhaps that is the culprit. Alas, undoing those changes resulted in no joy.

I came home and tried a quick test using Firefox. It worked! So I pasted in my lengthy blog entry. Busted! Dang! Apparenly this problem is size sensitive? It was very perplexing!

Had I broken the site while debugging the previous problem and applying security patches?

I then began the tedious process of going through the changes I had made during the upgrade to see if any of them could affect the server. Nothing apparent showed up. So I rolled the site back using the backup I had made earlier.

It still failed. Aaargh!

The next morning I explored how to access our web logs on Textdrive's system. "access_log" was already being placed in our account, but not "error_log". When "error_log" appeared, I saw in it a line saying that mod_security matched the pattern "wget\20x" (the word "wget" followed by a space). I had mentioned "wget" in my post describing how I was debugging the problem I encountered with IE. Apparently inserting that text into some pages can cause it to execute the command.

So there you have it. Talking about UNIX commands can sometimes be enough to have your post filtered by the security filters. Great "feature" for a Linux Users Group! If this happens to you, try to re-phrase your post, add punctuation, etc. Hope it doesn't get
in the way too much.