mod-security denying post method due to client's text matching pattern
I have a PHP application where a form has an HTML textarea tag to collect multiline text. One of our clients was having trouble posting, and we couldn't recreate the issue until we tried the exact text. After much checking I found the following in modsec_audit.log:

ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\n|\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+" at MATCHED_VAR. [file "/var/cpanel/cwaf/rules/12_HTTP_Protocol.conf"] [line "137"]

Basically the client tried to input multiline text where the first word of a line was "Delete". So I guess having \r\nDelete in the POST data triggered the pattern match. Now I assume the rule is important for security, as the command keywords in the matching criteria could do harm if unchecked, but at the same time it's not feasible to ask the client "hey, do not start a line with these and these words", so how do I handle the situation? The question is also posted here:
Hello! For situations such as this, you could either whitelist your client's IP within ModSecurity or whitelist the rule that they are triggering: How to whitelist mod_security rule / rule set globally
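A narrower option than whitelisting the client's IP or disabling the rule for the whole server is to exclude only the textarea parameter from that one rule, so the check still runs on every other parameter, header and URL. The following is an added example, not configuration from the original thread or from the CWAF rule set; the form URL (/feedback/submit.php), the field name (comment), the local rule id (1000001) and the placeholder RULE_ID are assumptions. The real rule id comes from the [id "..."] field of the matching modsec_audit.log entry, which the excerpt above does not show.

```apache
# Added example, not from the original thread. Placeholders (assumptions):
#   /feedback/submit.php  - the URL the textarea form posts to
#   comment               - the name attribute of the textarea
#   RULE_ID               - the id of the rule that fired; read it from the
#                           [id "..."] field of the modsec_audit.log entry
#   1000001               - an id assumed to be free in the local rule range

# Option 1: static exclusion. Removes only ARGS:comment from the rule's
# target list; the rule stays active for everything else. This directive
# must load after the vendor rule file, because the rule has to exist first.
SecRuleUpdateTargetById RULE_ID "!ARGS:comment"

# Option 2: runtime exclusion scoped to the one endpoint. A phase-1 rule runs
# before the phase-2 protocol rule and drops ARGS:comment from that rule's
# targets for this request only. Include order does not matter here.
SecRule REQUEST_URI "@beginsWith /feedback/submit.php" \
    "id:1000001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=RULE_ID;ARGS:comment"

# Avoid the global form, SecRuleRemoveById RULE_ID: it disables the rule for
# every request, and a CRLF followed by an HTTP method name is exactly the
# request-smuggling signature this rule exists to catch.
```

Put the exclusion in a custom rules file rather than editing 12_HTTP_Protocol.conf, since vendor updates replace that file. After adding it, run `apachectl -t`, reload, resubmit the client's exact text and confirm that no new entry for the rule appears in modsec_audit.log while a test POST with the same text in a different parameter is still denied.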
Thank you for your kind response! It's interesting to learn about the IP whitelist feature, so thanks! But I'm afraid it won't be possible to fixate on a specific client or a specific IP, for that matter. I was following the mod_security rule link to get a better understanding, but when I logged in to WHM and went to the rule page, it's empty and says I have no rules (screenshot attached). Even searching by a rule ID from the hit list is not producing any result. Am I missing something here? Thanks!
Sorry, I just found that clicking on a rule in the hit list page produces an error (screenshot attached). Maybe it's related to the list being empty? Thanks!
That's definitely interesting. Since the tool is flagging content based on rules, I'm guessing there is some type of ruleset installed. Can you confirm that is in place in WHM >> ModSecurity Vendors?
Yes, thank you for pointing me the way. I found one on that page (please see attachment), but it's also saying that the vendor is not installed! Now I'm not too familiar with the overall procedure, but I'm wondering how it's working if it's not installed or something! TIA!
This gets more interesting as we go! It might be worth submitting a ticket to our team so we can see what is happening directly on the system.
Understood, I'll submit a technical support request (I guess that's the one you're talking about; I've never submitted a ticket here before). Thanks for your guidance!
Once you have it, let me know the ticket number so I can follow along!