Hi,
I recently installed CXS installed on my server.
I now have some unusual issues that I am trying to figure out if it is tied to CXS and if so, how I can make things work again.
On one of the websites I have a post form that I will be inputting into a textarea field XML data for processing. For some reason when I copy and paste the xml data straight into the form and submit, this is no longer working. It's redirecting the form page to the home page.
I was pulling my hair out trying to figure out why this is all of a sudden happening but then I got an email informing me that my ip was being blocked for malicious activity.
[Mon Oct 12 12:24:11.746725 2015] [:error] [pid 7067] [client xxx.xxx.xxx.93] ModSecurity: Access denied with redirection to http://examplesite.com/ using status 302 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\s+like|not\\\\s+regexp)([\\\\s'\\"`\\\\(\\\\)]*?)(?!\\\\2)([\\\\d\\\\w]+)))" at ARGS:xmlData. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "53"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: lname>Demo found within ARGS:xmlData: <xmlHTML></xmlHTML> [hostname "examplesite.com"] [uri "/home"] [unique_id "VhwI2woAAAwAABub7roAAAAI"]
I also been getting reports of another account on my server not being able to submit a form and redirecting to the home page as well.
How does this detect this as malicious and how can I set it so these type of situation go through.
I do want to keep the site secure but I need this form to go through as well.
Any help would be great!
Form Submission
Form Submission
Last edited by ZeroNine on 12 Oct 2015, 23:40, edited 1 time in total.
Re: Form Submission
Ok I just read Dealing with false=positives in cxs
I created the cxs.ignore file.
Should I add the php file that is processing the form as an ignore script?
Do I need to add the absolute path to the php script?
Do I have to do that with each of the php files that are on the site?
If I add a user or directory in the ignore, wouldn't that make CXS kinda pointless to use?
What would be the best implementation to allow the script without making the entire site insecure?
I created the cxs.ignore file.
Should I add the php file that is processing the form as an ignore script?
Do I need to add the absolute path to the php script?
Do I have to do that with each of the php files that are on the site?
If I add a user or directory in the ignore, wouldn't that make CXS kinda pointless to use?
What would be the best implementation to allow the script without making the entire site insecure?
Re: Form Submission
This is getting even more strange now.
I stopped cxs watch so now it shows "cxs Watch Daemon - cxs Watch is not running".
and the site is still redirecting to home page.
Is there anything else I can do to test to see if CXS is the cause and if I can test be disabling it quickly to figure out the issue?
I stopped cxs watch so now it shows "cxs Watch Daemon - cxs Watch is not running".
and the site is still redirecting to home page.
Is there anything else I can do to test to see if CXS is the cause and if I can test be disabling it quickly to figure out the issue?
Re: Form Submission
Ok I figured out the issue. It had to do with Mod Security and the rules set.
-
johnparker92
- Junior Member
- Posts: 1
- Joined: 17 Aug 2015, 08:35
Re: Form Submission
I am also facing same problem, please give me solution.