
Issue with whitelisting Mod_security rule in cPanel

Posted: 17 Mar 2017, 22:15
by gnusmtp5
One of our clients reported an issue with loading their domain. On checking, we could see that a mod_security rule (ID: id "1234123413") had been triggered, which caused the issue. We then whitelisted the rule on the server, but upon checking we could see that the rule was not whitelisted properly and was triggered again.

The logs shown in the Apache error logs are:

-------------------
[error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at
REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "103"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "domain"] [uri "/"] [unique_id "WMw3F63B3j4AAG1KQXUAAAAd"]

[error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at
REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "103"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "domain"] [uri "/favicon.ico"] [unique_id "WMw3GK3B3j4AAHKuiisAAAAC"]
------------------

Apache version : Apache/2.2.31
PHP Version : 5.4.45

Re: Issue with whitelisting Mod_security rule in cPanel

Posted: 23 Mar 2017, 16:54
by curriertech
I'm seeing this behavior recently as well, lots of IPs getting blocked in CSF for rules that are whitelisted in CMC.

Re: Issue with whitelisting Mod_security rule in cPanel

Posted: 23 Mar 2017, 17:45
by curriertech
I may have found the issue on my server...sharing in case it helps.

My modsec2.conf includes user.conf (which includes whitelist.conf) and cpanel.conf. So whitelist.conf was being parsed before cpanel.conf. I've added a line to modsec2.conf to include whitelist.conf after user.conf and cpanel.conf, and so far I'm not seeing any blocks caused by whitelisted rules.
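
The include-order problem described in the post above can be checked mechanically. This is an added example, not part of any post in this thread and not ConfigServer or cPanel code: it follows Include directives in parse order and reports rules whose SecRuleRemoveById directive is read before the rule is defined (ModSecurity 2.x requires the removal to come after the rule). It assumes the whitelist file uses SecRuleRemoveById and that Include paths are bare file names; the file contents are constructed.

```python
import re

# Constructed sample: file names follow the post; contents are assumed.
CONFIGS = {
    "modsec2.conf": 'Include "modsec2.user.conf"\nInclude "modsec2.cpanel.conf"\n',
    "modsec2.user.conf": 'Include "modsec2.whitelist.conf"\n',
    "modsec2.whitelist.conf": "SecRuleRemoveById 1234123413\n",
    "modsec2.cpanel.conf":
        'SecRule REQUEST_HEADERS:Cookie "@rx 1=1" "id:1234123413,phase:2,deny"\n',
}
INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)', re.I)
REMOVE_RE = re.compile(r'^\s*SecRuleRemoveById\s+(.+)$', re.I)
RULE_ID_RE = re.compile(r"\bid:'?(\d+)")

def parse_order(files, root):
    """Follow Include directives depth-first; return events in parse order as
    (kind, value, file, line): ("define", id, ...) or ("remove", (lo, hi), ...)."""
    events = []
    def walk(name, stack):
        if name in stack or name not in files:  # include loop or missing file
            return
        for no, line in enumerate(files[name].splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue
            inc, rem = INCLUDE_RE.match(line), REMOVE_RE.match(line)
            if inc:
                walk(inc.group(1), stack + (name,))
            elif rem:  # arguments are single ids or lo-hi ranges
                for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", rem.group(1)):
                    events.append(("remove", (int(lo), int(hi or lo)), name, no))
            else:
                for rid in RULE_ID_RE.findall(line):
                    events.append(("define", int(rid), name, no))
    walk(root, ())
    return events

def ineffective_removals(events):
    """Rules that have a removal directive, but none parsed after the definition."""
    bad = []
    for i, (kind, rid, fname, no) in enumerate(events):
        if kind != "define":
            continue
        hits = [j for j, (k, v, _, _) in enumerate(events)
                if k == "remove" and v[0] <= rid <= v[1]]
        if hits and max(hits) < i:
            bad.append((rid, fname, no))
    return bad

if __name__ == "__main__":
    print(ineffective_removals(parse_order(CONFIGS, "modsec2.conf")))
```

Adding a second `Include "modsec2.whitelist.conf"` line at the end of the constructed modsec2.conf makes the report come back empty, which matches the change described in the post.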

Re: Issue with whitelisting Mod_security rule in cPanel

Posted: 04 May 2017, 12:26
by yorodriguez
Same problem here. I whitelisted rules for several users and they are applied anyway.

Re: Issue with whitelisting Mod_security rule in cPanel

Posted: 27 Jul 2017, 16:08
by yorodriguez
Finally I found that my issue is with user-defined rules using <locationmatch>. In this post I explain the workaround: viewtopic.php?f=31&t=10108&p=28474#p28474

I hope that ConfigServer sees this and fixes the issue.