Symptoms
You try to access a mailman page via a domain-based URL and get a 403 error.
Description
This error can appear when a mod_security rule blocks access to the page. To verify this, search for the mailman URL in the mod_security log file, for example:
grep domain.com /usr/local/apache/logs/modsec_audit.log | grep mailman | grep 403
The above command produces output like this:
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.2.139] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "domain.com"] [uri "/mailman/listinfo/testlist_domain.com"] [unique_id "YE-rgIo6vfow5j6QvCmSJwAB0QM"]
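Added example, not part of the original article: a shell function that anchors the search on the hostname field instead of a bare grep, and lists every rule id logged under the same unique_id as a 403 denial for /mailman/ URLs. The function names, the rule id 1234567 and the CONSTRUCTED-UID values are constructed for illustration. It assumes each logged message sits on one line and carries the hostname, uri and unique_id fields seen in the output above.

```shell
#!/bin/sh
# Added example: list the rule ids logged under the same unique_id as each
# 403 denial for a domain's /mailman/ URLs. Usage: modsec_mailman_rules LOGFILE DOMAIN
modsec_mailman_rules() {
    awk -v host="[hostname \"$2\"]" '
        # Return the quoted value of a [name "value"] field, or "" if absent.
        function field(name,   key, rest, start, stop) {
            key = "[" name " \""
            start = index($0, key)
            if (start == 0) return ""
            rest = substr($0, start + length(key))
            stop = index(rest, "\"]")
            return stop ? substr(rest, 1, stop - 1) : ""
        }
        # Literal match on the hostname field, so a list name that merely
        # contains the domain under another vhost is not picked up.
        index($0, host) && index($0, "[uri \"/mailman/") {
            uid = field("unique_id"); id = field("id")
            if (uid == "" || id == "") next
            if (index($0, "Access denied with code 403")) denied[uid] = 1
            # The same message can be logged twice; keep one row per uid + id.
            if (!seen[uid, id]++)
                rows[++n] = uid "\t" id "\t" field("uri") "\t" field("msg")
        }
        END {
            for (i = 1; i <= n; i++) {
                split(rows[i], f, "\t")
                if (f[1] in denied) print rows[i]
            }
        }
    ' "$1"
}

# Constructed sample entries, abbreviated from the format shown above.
write_sample_log() {
cat > "$1" <<'EOF'
Message: Warning. [id "1234567"] [msg "Constructed sample detection rule"] [hostname "domain.com"] [uri "/mailman/listinfo/testlist_domain.com"] [unique_id "YE-rgIo6vfow5j6QvCmSJwAB0QM"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "domain.com"] [uri "/mailman/listinfo/testlist_domain.com"] [unique_id "YE-rgIo6vfow5j6QvCmSJwAB0QM"]
Apache-Error: [client 192.0.2.139] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "domain.com"] [uri "/mailman/listinfo/testlist_domain.com"] [unique_id "YE-rgIo6vfow5j6QvCmSJwAB0QM"]
Message: Warning. [id "1234567"] [msg "Constructed sample detection rule"] [hostname "domain.com"] [uri "/mailman/listinfo/otherlist_domain.com"] [unique_id "CONSTRUCTED-UID-0002"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.org"] [uri "/mailman/listinfo/testlist_domain.com"] [unique_id "CONSTRUCTED-UID-0003"]
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
modsec_mailman_rules "$sample" domain.com   # columns: unique_id, rule id, uri, msg
rm -f "$sample"
```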
Workaround
Disable the rule referenced in the id section of the mod_security log output, as outlined here: How can I disable a ModSecurity rule?