Issue with whitelisting Mod_security rule in cPanel

These forums are not for questions about ModSecurity, just the cmc script itself
3 posts Page 1 of 1
gnusmtp5
Junior Member
Posts: 1
Joined: 13 Apr 2016, 05:09


One of our clients reported an issue with loading their domain. On checking, we could see that a ModSecurity rule (id "1234123413") had been triggered, which caused the issue. We then whitelisted the rule on the server, but upon checking we could see that the rule was not whitelisted properly and triggered again.

The entries shown in the Apache error logs are:

-------------------
[error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at
REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "103"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "domain"] [uri "/"] [unique_id "WMw3F63B3j4AAG1KQXUAAAAd"]

[error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at
REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "103"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "domain"] [uri "/favicon.ico"] [unique_id "WMw3GK3B3j4AAHKuiisAAAAC"]
------------------

Apache version : Apache/2.2.31
PHP Version : 5.4.45
curriertech
Junior Member
Posts: 21
Joined: 07 Aug 2007, 20:29


I'm seeing this behavior recently as well, lots of IPs getting blocked in CSF for rules that are whitelisted in CMC.
curriertech
Junior Member
Posts: 21
Joined: 07 Aug 2007, 20:29


I may have found the issue on my server...sharing in case it helps.

My modsec2.conf includes user.conf (which includes whitelist.conf) and cpanel.conf, so whitelist.conf was being parsed before cpanel.conf. I've added a line to modsec2.conf to include whitelist.conf after user.conf and cpanel.conf, and so far I'm not seeing any blocks caused by whitelisted rules.
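The ordering problem described in this thread can be checked mechanically: ModSecurity 2.x applies SecRuleRemoveById only to rules it has already parsed, so a whitelist file that Apache reads before the rule file silently does nothing. The script below is an added example, not code from the thread or from CMC; the file names mirror the poster's layout, but the contents (including the one-line placeholder rule using the thread's id 1234123413) are constructed, and Include paths are resolved against an in-memory dict rather than ServerRoot.

```python
import re

# Constructed stand-in for the include tree the poster describes (not the real
# cPanel files): modsec2.conf -> user.conf -> whitelist.conf, then cpanel.conf.
# The rule body is a placeholder; only the id matters for the ordering check.
BROKEN = {
    "modsec2.conf": "Include user.conf\nInclude cpanel.conf\n",
    "user.conf": "Include whitelist.conf\n",
    "whitelist.conf": "SecRuleRemoveById 1234123413\n",
    "cpanel.conf": 'SecRule REQUEST_HEADERS:Cookie "@rx 1=1" '
                   '"id:1234123413,phase:2,deny,status:406,msg:\'SQL Injection Attack\'"\n',
}
# Same files, but whitelist.conf is included last so the removal follows the rule.
FIXED = dict(BROKEN, **{
    "modsec2.conf": "Include user.conf\nInclude cpanel.conf\nInclude whitelist.conf\n",
    "user.conf": "",
})

INCLUDE_RE = re.compile(r"^Include(?:Optional)?\s+(\S+)", re.I)
ID_RE = re.compile(r"\bid:'?(\d+)'?")

def flatten(files, name="modsec2.conf"):
    """Yield (file, lineno, line) in the order Apache reads them, following Includes."""
    for n, line in enumerate(files[name].splitlines(), 1):
        line = line.strip()
        m = INCLUDE_RE.match(line)
        if m:
            yield from flatten(files, m.group(1))
        elif line and not line.startswith("#"):
            yield name, n, line

def ineffective_removals(files, root="modsec2.conf"):
    """Return SecRuleRemoveById entries (file, line, id-or-range) read before any
    matching SecRule/SecAction id; those removals never take effect.
    Assumes one-line rules (no backslash continuations)."""
    seen, problems = set(), []
    for fname, n, line in flatten(files, root):
        if line.startswith(("SecRule ", "SecAction")):
            m = ID_RE.search(line)
            if m:
                seen.add(int(m.group(1)))
        elif line.startswith("SecRuleRemoveById"):
            for tok in line.split()[1:]:
                lo, _, hi = tok.partition("-")          # single id or lo-hi range
                lo, hi = int(lo), int(hi or lo)
                if not any(lo <= rid <= hi for rid in seen):
                    problems.append((fname, n, tok))
    return problems

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, ineffective_removals(cfg) or "all whitelist entries effective")
```

Running it on a real server means reading the files under /usr/local/apache/conf in the same include order; the broken layout reports the whitelist line, the fixed layout reports nothing.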