Mod security and Google's Tag Manager - false positives preventing page access
Trying out Google's tag manager this afternoon and found that any pages with the script throw a 406 error. In turn, the rest of the site cannot be accessed either (regardless of whether the tag is present on them or not) because of that. Say I have the script on a test page, test.htm; it will load and work fine on the first view. Any refresh of that page, or even going to another page (ones without the script on them), will then throw a 406.
I am assuming the problem has to do with the cookie set by Google (since the pages will load again after the browser is closed and reopened). Google tag manager allows you to set analytics, adwords, conversion tracking, remarketing, etc all with one tag rather than separate scripts for each.
It appears that mod security is the culprit. Here is an example entry:
2015-01-07 20:06:03 www.test.com 111.111.111.111 CRITICAL 406
959901: SQL Injection Attack
GET /test.htm

and then from the logs:

[Wed Jan 07 22:51:11.747896 2015] [:error] [pid 30577] [client 111.111.111.111] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\b(\\d+) ?= ?\\1\\b|[\\'\\"](\\w+)[\\'\\"] ?= ?[\\'\\"]\\2\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "959901"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.test.com"] [uri "/error.htm"] [unique_id "VK3@r2B-guIAAHdxu0AAANfsdf ...

and this could be related as well. The whole reason I decided to use Google Tag Manager in the first place is Google Adwords kept reporting gclid errors; however, this was from using the normal script and not tag manager:

2014-12-31 16:09:09 www.test.com 222.222.222.222 CRITICAL 501
959006: System Command Injection
GET /?gclid=CO2jqKWY8cICFVgWjgod?LZ8AzA

I would assume this is a common problem since most hosts have mod security enabled... what is the solution here, if any? I have never really had any problems, that I know of, with mod security up until this.
I would probably comment out that rule or whitelist that rule ID. It's pretty common to have to whitelist a few rules here and there.
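As an added illustration (not code from the post or from cPanel), here is the regex quoted in the log above applied in Python to constructed Cookie headers. It shows how a harmless cookie whose name ends in a digit and whose value is 1 produces exactly the "1=1" match the log reports when the rule runs over the raw Cookie header, while testing each cookie value on its own still catches real tautologies. The sample headers, including the `_gat_UA-...` cookie name, are constructed assumptions.

```python
import re

# Regex quoted in the ModSecurity log line above (rule 959901, SQL tautology
# such as 1=1 or 'a'='a'), with the log's doubled backslashes undone.
TAUTOLOGY_RE = re.compile(r"""\b(\d+) ?= ?\1\b|['"](\w+)['"] ?= ?['"]\2\b""")


def rule_959901_hits(cookie_header):
    """What the rule flags when, as in the log, it runs over the raw Cookie header."""
    return [m.group(0) for m in TAUTOLOGY_RE.finditer(cookie_header)]


def tautologies_in_cookie_values(cookie_header):
    """Narrower check: test each cookie's value on its own, so the '=' that
    joins a cookie name to its value can never complete a tautology."""
    hits = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if TAUTOLOGY_RE.search(value):
            hits.append((name, value))
    return hits


# Constructed sample headers (not taken from the post). The first imitates the
# kind of per-tracker cookie Google Analytics sets, where the name ends in a
# digit and the value is 1; the other two carry real tautologies in a value.
BENIGN = "_ga=GA1.2.123456789.1420000000; _gat_UA-12345-1=1; PHPSESSID=abc123"
NUMERIC_ATTACK = "PHPSESSID=abc123; user=1 OR 1=1"
QUOTED_ATTACK = "PHPSESSID=x' OR 'a'='a"

if __name__ == "__main__":
    for label, hdr in [("benign", BENIGN), ("numeric", NUMERIC_ATTACK),
                       ("quoted", QUOTED_ATTACK)]:
        # benign: whole header flags "1=1", values-only flags nothing
        print(label, "whole header:", rule_959901_hits(hdr),
              "values only:", tautologies_in_cookie_values(hdr))
```

In ModSecurity 2.x, `SecRuleUpdateTargetById 959901 "!REQUEST_HEADERS:Cookie"` drops only that target from the rule, which is narrower than disabling it entirely with `SecRuleRemoveById 959901`.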
Hello :) You may find this third-party application helpful for modifying rules on individual accounts: ConfigServer ModSecurity Control. Note that new Mod_Security options are available in cPanel version 11.46: Mod_Security Tools. Thank you.