Redirect when quote character: " is present in URL
I have set up two new servers within the last week, running CloudLinux and WHM. One of these servers is experiencing a strange issue when a quote character is present in the URL.
The issue is that the URL appears to be redirecting to the root domain whenever a quote character (either urlencoded to: %22 or standard as: ") is present in the URL. This applies for all websites on the server but not the WHM or cPanel interface. Strangely this does not occur on the other server that I set up at the same time, with the exact same settings (it's even in the same configuration cluster).
As a test, please visit the following URL: dev.example.net.au/test.html
Now try with the following URL parameter: dev.example.net.au/test.html?test=%22
For reference, our other server handles this fine: dev.domain.net.au/test.html?test=%22
Anybody have any ideas what setting may be causing this behaviour?
Thanks in advance.
-
Hello, I'm unable to reproduce this issue when browsing to the following URL (with and without encoding) in a web browser: "http://www.example.tld/%22testing%22.php"
Do you have additional rewrite rules active in the .htaccess file? Thank you. 0 -
It appears that the forum has replaced my URLs with example.net.au making it very difficult to demo this issue. Please advise how I can send a real URL through the forum without it being stripped out. It is not likely a .htaccess issue as it affects every site and account on the server - not just one account. 0 -
Please advise how I can send a real URL through the forum without it being stripped out.
The actual URL should not be required. 0 -
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you. 0 -
We were able to resolve this issue yesterday afternoon. The ModSecurity system was causing this redirect; specifically the 'Application Attack SQLi' rule set in the OWASP core library. This was triggering the following error message in the Apache error logs:
[Tue Sep 06 16:20:31.013126 2016] [:error] [pid 329447] [client ***.***.***.***] ModSecurity: Access denied with redirection to http://dev.example.net.au/ using status 302 (phase 2). Pattern match "(?i:(?:[\\"'`]\\\\s*?(x?or|div|like|between|and)\\\\s*?[\\"'`]?\\\\d)|(?:\\\\\\\\x(?:23|27|3d))|(?:^.?[\\"'`]$)|(?:(?:^[\\"'`\\\\\\\\]*?(?:[\\\\d\\"'`]+|[^\\"'`]+[\\"'`]))+\\\\s*?(?:n?and|x?x?or|div|like|between|and|not|\\\\|\\\\||\\\\&\\\\&)\\\\s*?[\\\\w\\"'`][+&!@(),.-])|(?:[^\\\\w\\\\s]\\\\w+ ..." at ARGS:test. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "108"] [id "981242"] [rev "2"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: \\x22 found within ARGS:test: \\x22"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: dev.example.net.au"] [tag "application-multi"] [tag "language-mutli"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "dev.example.net.au"] [uri "/test.html"] [unique_id "V85gL9fy4L1UJMBVzAFsVgAAACA"]
0 -
I'm happy to see the issue is now resolved. Thank you for updating us with the outcome. 0
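The log entry quoted in the resolution above carries what is needed to triage a ModSecurity false positive: the rule id, the request variable that matched, and the action taken. As an added example (not part of the original thread), this Python script extracts those fields from Apache error-log lines and counts denials per rule, variable and URI. The sample lines are constructed from the quoted entry, with a placeholder client address, placeholder unique_id values and a shortened pattern, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed lines modelled on the entry quoted in the thread; the client
# address, unique_id values and the shortened pattern are placeholders.
SAMPLE_LOG = r'''
[Tue Sep 06 16:20:31.013126 2016] [:error] [pid 329447] [client 192.0.2.10] ModSecurity: Access denied with redirection to http://dev.example.net.au/ using status 302 (phase 2). Pattern match "(?i:(?:^.?[\\"'`]$) ..." at ARGS:test. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "108"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: \\x22 found within ARGS:test: \\x22"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "dev.example.net.au"] [uri "/test.html"] [unique_id "PLACEHOLDER-1"]
[Tue Sep 06 16:24:47.502331 2016] [:error] [pid 329451] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:^.?[\\"'`]$) ..." at ARGS:q. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "108"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "Matched Data: a\\x22 found within ARGS:q: a\\x22"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "dev.example.net.au"] [uri "/search.html"] [unique_id "PLACEHOLDER-2"]
[Tue Sep 06 16:25:00.000100 2016] [core:notice] [pid 1200] AH00094: Command line: '/usr/sbin/httpd'
'''

# [key "value"] metadata pairs; the value may contain backslash escapes.
META_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Both denial forms: "redirection to URL using status N" and "code N".
DENY_RE = re.compile(
    r'ModSecurity: Access denied with (?:redirection to (?P<redirect>\S+) '
    r'using status|code) (?P<status>\d+) \(phase (?P<phase>\d)\)\.'
    r'.*? at (?P<target>\S+?)\. \[file ')

def parse_denial(line):
    """Return the fields of one ModSecurity denial, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["tags"] = []
    # Metadata starts right after the matched variable name.
    for key, value in META_RE.findall(line, m.end("target")):
        if key == "tag":
            event["tags"].append(value)  # a rule can carry several tags
        else:
            event[key] = value
    return event

def blocked_by_rule(log_text):
    """Count denials per (rule id, matched variable, URI)."""
    events = filter(None, map(parse_denial, log_text.splitlines()))
    return Counter((e["id"], e["target"], e["uri"]) for e in events)

if __name__ == "__main__":
    for (rule, target, uri), n in blocked_by_rule(SAMPLE_LOG).most_common():
        print(f"rule {rule} denied {n} request(s): {target} on {uri}")
```

A rule id that dominates the count for ordinary query parameters on static pages, as 981242 does here, is the candidate to review for a scoped exclusion.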