Problem with mod_security default
Hi,
I'm seeing some issues with the default (as far as I know) install of cPanel and mod_security.
The problem happens when I edit a WordPress page from the admin panel and click update.
If I disable the "OWASP ModSecurity Core Rule Set", the problem is gone.
I know I can disable the rule, but I'm trying to find out why it "kicks" to a simple post in WordPress (latest version of all software/modules).
[Tue Jun 02 10:52:20.949362 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.949439 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.949503 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.964208 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Access denied with redirection to http://xxxxxxx.com/ using status 302 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\s+like|not\\\\s+regexp)([\\\\s'\\"`\\\\(\\\\)]*?)(?!\\\\2)([\\\\d\\\\w]+)))" at ARGS:content. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "53"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: blockquote>Hvordan found within ARGS:content: Skriv til oss om du har sp\\xc3\\xb8rsm\\xc3\\xa5l og \\xc3\\xb8nsker mer informasjon. Du er alltid velkommen til \\xc3\\xa5 ringe i v\\xc3\\xa5re \\xc3\\xa5pningstider.\\x0d\\x0aHvordan kan vi hjelpe deg?
\\x0d\\x0a[contact-form-7 id=\\x2281\\x22 title=\\x22Kontaktformul\\xc3\\xa4r\\x22]"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: xxxxxxx.com"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.964435 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.979105 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
[Tue Jun 02 10:52:20.979160 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
[Tue Jun 02 10:52:20.979198 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
[Tue Jun 02 10:52:21.367953 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/index.php"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
Request: POST /wp-admin/post.php
Action Description: Access denied with redirection to http://vtkl.no/ using status 302 (phase 2).
Justification: Pattern match "(?i:([\\s'\"`\\(\\)]*?)([\\d\\w]++)([\\s'\"`\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\\(\\)]*?)(?!\\2)([\\d\\w]+)))" at ARGS:content.
Hello, Please keep in mind the OWASP rules are not enabled by default. There's a large thread on its use with WordPress at:
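
Added example, not part of the original thread: the rule 950901 pattern from the log above, run in Python over constructed sample values to show which part of the post body trips it. The helper name `explain` and the sample strings are assumptions, and PCRE's possessive `++` is written as `+` so the pattern compiles on older Python versions.

```python
import re

# Rule 950901 pattern as logged above, with the log's backslash escaping removed.
# Assumption: PCRE's possessive "++" is written as "+" so the pattern compiles on
# Python older than 3.11; the results for the samples below are the same.
TAUTOLOGY = re.compile(
    r'''(?i:([\s'"`\(\)]*?)([\d\w]+)([\s'"`\(\)]*?)'''
    r'''(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'"`\(\)]*?)\2'''
    r'''|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)'''
    r'''([\s'"`\(\)]*?)(?!\2)([\d\w]+)))'''
)

def explain(value):
    """Return which branch of the pattern matched `value`, or None (hypothetical helper)."""
    m = TAUTOLOGY.search(value)
    if m is None:
        return None
    if m.group(6) is not None:
        # Second branch: word, comparison operator, then a *different* word.
        branch, right = "word <op> other-word", m.group(6)
    else:
        # First branch: word, equality-style operator, then the *same* word.
        branch, right = "word <op> same-word", m.group(2)
    return {"matched": m.group(0).strip(), "left": m.group(2),
            "right": right, "branch": branch}

# Constructed sample values, modelled on the ARGS:content shown in the log.
SAMPLES = {
    "html_block": "<blockquote>Hvordan kan vi hjelpe deg?</blockquote>",
    "plain_text": "Hvordan kan vi hjelpe deg?",
    "shortcode": '[contact-form-7 id="81" title="Kontaktformulär"]',
    "tautology": "x' or 1=1",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:11} -> {explain(value)}")
```

Only the HTML sample and the tautology sample match: the `>` that closes `<blockquote>` is read as a comparison operator between two different words, which is the `blockquote>Hvordan` reported in the log's Matched Data, while the plain text and the shortcode alone do not trigger the pattern.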