Issue with whitelisting Mod_security rule in cPanel

These forums are not for questions about ModSecurity, just the cmc script itself
gnusmtp5
Junior Member
Posts: 2
Joined: 13 Apr 2016, 05:09

Issue with whitelisting Mod_security rule in cPanel

Post by gnusmtp5 »

One of our clients reported an issue with loading their domain. On checking, we could see that a mod security rule (ID: id "1234123413") had been triggered, which caused the issue. We then whitelisted the rule on the server, but upon checking we could see that the rule was not whitelisted properly and was triggered again.

The logs shown in the Apache error logs are:

-------------------
[error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at
REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "103"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "domain"] [uri "/"] [unique_id "WMw3F63B3j4AAG1KQXUAAAAd"]

[error] [client IP] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at
REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "103"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"]
[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "domain"] [uri "/favicon.ico"] [unique_id "WMw3GK3B3j4AAHKuiisAAAAC"]
------------------

Apache version : Apache/2.2.31
PHP Version : 5.4.45
curriertech
Junior Member
Posts: 21
Joined: 07 Aug 2007, 20:29

Re: Issue with whitelisting Mod_security rule in cPanel

Post by curriertech »

I'm seeing this behavior recently as well, lots of IPs getting blocked in CSF for rules that are whitelisted in CMC.
curriertech
Junior Member
Posts: 21
Joined: 07 Aug 2007, 20:29

Re: Issue with whitelisting Mod_security rule in cPanel

Post by curriertech »

I may have found the issue on my server...sharing in case it helps.

My modsec2.conf includes user.conf (which includes whitelist.conf) and cpanel.conf. So whitelist.conf was being parsed before cpanel.conf. I've added a line to modsec2.conf to include whitelist.conf after user.conf and cpanel.conf, and so far I'm not seeing any blocks caused by whitelisted rules.
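The include-order effect described in the post above, as an added example that is not part of the original thread or of the cmc script: ModSecurity's SecRuleRemoveById only removes rules that are already loaded when the directive is read, so this checker walks the Include chain in order and reports whitelisted IDs that are still active at the end. The file contents, the rule ID 1000001 and the function names are constructed for illustration, and includes are resolved from an in-memory dict rather than from disk.

```python
import re

# Constructed config tree mirroring the include layout in the post above.
# File contents and the rule ID 1000001 are made up for illustration.
BEFORE = {
    "modsec2.conf": 'Include "user.conf"\nInclude "cpanel.conf"\n',
    "user.conf": 'Include "whitelist.conf"\n',
    "whitelist.conf": "SecRuleRemoveById 1000001\n",
    "cpanel.conf": 'SecRule REQUEST_HEADERS:Cookie "@rx 1=1" "id:1000001,phase:2,deny"\n',
}
# Same tree with whitelist.conf included again after cpanel.conf.
AFTER = dict(BEFORE)
AFTER["modsec2.conf"] += 'Include "whitelist.conf"\n'

INCLUDE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?', re.I)
REMOVE = re.compile(r'^\s*SecRuleRemoveById\s+(.+)$', re.I)
RULE_ID = re.compile(r"\bid:\s*'?(\d+)")

def flatten(files, name):
    """Yield config lines in the order Apache reads them, following Include."""
    for line in files[name].splitlines():
        m = INCLUDE.match(line)
        if m:
            yield from flatten(files, m.group(1))
        else:
            yield line

def still_active_whitelisted(files, root="modsec2.conf"):
    """Return rule IDs targeted by SecRuleRemoveById that remain loaded."""
    active, wanted = set(), []
    for line in flatten(files, root):
        if line.lstrip().startswith("#"):
            continue
        m = REMOVE.match(line)
        if m:
            for tok in m.group(1).replace('"', " ").split():
                lo, _, hi = tok.partition("-")
                lo, hi = int(lo), int(hi or lo)
                wanted.append((lo, hi))
                # Only rules loaded before this directive can be removed.
                active = {i for i in active if not lo <= i <= hi}
        else:
            active.update(int(i) for i in RULE_ID.findall(line))
    return sorted(i for i in active if any(lo <= i <= hi for lo, hi in wanted))

if __name__ == "__main__":
    print("before:", still_active_whitelisted(BEFORE))
    print("after: ", still_active_whitelisted(AFTER))
```

A non-empty result means a whitelist entry is read before the rule it targets and has no effect.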
yorodriguez
Junior Member
Posts: 18
Joined: 04 Jan 2017, 09:29

Re: Issue with whitelisting Mod_security rule in cPanel

Post by yorodriguez »

Same problem here. I whitelisted rules for several users and they are applied anyway.
yorodriguez
Junior Member
Posts: 18
Joined: 04 Jan 2017, 09:29

Re: Issue with whitelisting Mod_security rule in cPanel

Post by yorodriguez »

Finally I found that my issue is with user-defined rules using <locationmatch>. In this post I explain the workaround: viewtopic.php?f=31&t=10108&p=28474#p28474

I hope that ConfigServer sees this and fixes the issue.