uname-r Posted March 26, 2013

Hi,

I am having many problems setting up mod_security with WHMCS on a Ubuntu server. I was not having any problem with the last branch (WHMCS 5.1.x). The same problem seems to happen also on CentOS with the exact same ruleset, from OWASP: http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz

Possible for someone who knows about the mod_security OWASP rule set to tell me if I should continue with these rules, or if there are better ones I should use with WHMCS? All of these are just false positives... I do not want to disable the rules: I want to protect the server with mod_security, so I would like to improve them, or get better rules.

...I am wondering if this one (the first rule below) is related to programming issues with WHMCS or if this is something I need to improve on the side of the server config. IMHO, I think this is related to WHMCS:

[Tue Mar 26 08:55:40 2013] [error] ModSecurity: Warning. Pattern match "(.*?)=(?i)(?!.*secure.*)(.*$)" at RESPONSE_HEADERS:Set-Cookie. [file "/etc/modsecurity/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "99"] [id "981185"] [msg "AppDefect: Missing Secure Cookie Flag for WHMCSWK3SD9jYz3vn."] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag"] [hostname " "] [uri " "] [unique_id "UVFii8BfN1wAAGavEAwAAAAG"]

I am also getting these:

[Tue Mar 26 09:02:34 2013] [error] [ ] ModSecurity: Rule 7f392f069280 [id "950901"][file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-: (null). [hostname " "] [uri " "] [unique_id "UVFkKsBfN1wAAGgtASkAAAAD"]

[Tue Mar 26 17:57:32 2013] [error] [ ] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){4,}" at ARGS:tos. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "-privee"] [hostname " "] [uri " "] [unique_id "UVHhi8BfN1wAABvtaiAAAAAF"]

[Tue Mar 26 17:53:45 2013] [error] [ ] ModSecurity: Warning. Pattern match "(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]|(?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)" at ARGS:message. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2.2.5"] [msg "SQL Comment Sequence Detected."] [data "---"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname " "] [uri " "] [unique_id "UVHgqcBfN1wAACpadloAAAAH"]

[Tue Mar 26 17:37:18 2013] [error] [ ] ModSecurity: Warning. Pattern match "(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]|(?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)" at ARGS:message. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2.2.5"] [msg "SQL Comment Sequence Detected."] [data "7#tab3\\x0d"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname " "] [uri " "] [unique_id "UVHczsBfN1wAACpvgiQAAAAJ"]

[Tue Mar 26 17:37:18 2013] [error] [ ] ModSecurity: Warning. Pattern match "\\\\W{4,}" at ARGS:message. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data ",\\x0d\\x0a\\x0d\\x0a"] [hostname " "] [uri " "] [unique_id "UVHczsBfN1wAACpvgiQAAAAJ"]

[Tue Mar 26 17:53:46 2013] [error] [ ] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 20, SQLi=3, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname " "] [uri " "] [unique_id "UVHgqcBfN1wAACpadloAAAAH"]

[Tue Mar 26 12:24:42 2013] [error] [ ] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=, XSS=): Common SPAM/Email Harvester crawler"] [hostname " "] [uri " "] [unique_id "UVGTisBfN1wAABb9wN8AAAAH"]

Thank you in advance for your assistance on this.
yabdab Posted May 15, 2013

Same here with 5.2.4 on Linux. Any word from WHMCS on how to fix?
ckh Posted May 16, 2013

If I run across a mod security rule that is affecting a legitimate client, I disable the rule or at least disable the rule for the client. You can just disable the rule for one domain or hosting account so that would be your best bet.
WHMCS JamesX Posted May 16, 2013

If you find false positives, you can disable individual rules for specific locations (i.e. files). For example:

<LocationMatch "/some/path/to/file.php">
    SecRuleRemoveById 390707
</LocationMatch>

That way, you're not deactivating the rule for the entire server or even an entire account; you are disabling it only for a specific file, while leaving it enabled everywhere else.
uname-r Posted June 23, 2013 (Author)

I prefer to only disable on a per-path basis. Here is a very good documentation about how to manage the rules: http://www.atomicorp.com/wiki/index.php/Mod_security

...but I still think some of those rules should be improved to work better with WHMCS... Anyhow, as I mentioned, most of them have been fixed or disabled by id for a long time now...

...but I would much prefer not to exclude some of those I excluded, even if it's only for a few paths.
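As an added example (not code from this thread, from WHMCS or from the CRS project), the script below does the triage that the first post's log dump and JamesX's per-path exclusion both call for: it parses ModSecurity warnings of the quoted form out of the Apache error_log, groups them by rule id, and drafts the narrowest exclusion for the hits you have confirmed are false positives. The draft uses a LocationMatch block for the path, as JamesX shows, but inside it uses SecRuleUpdateTargetById to drop only the offending parameter (ARGS:message, ARGS:tos) from the rule instead of removing the whole rule for that file. It refuses to draft exclusions for two classes of hit: response-side rules such as 981185, whose message says the application set a cookie without the Secure flag (an application-side fix, not something to silence), and the 60_correlation score rules (981203/981204), which only report the anomaly total and stop firing once the rules feeding the score are tuned. Assumptions: the sample log lines are constructed from the entries quoted in the thread, with a placeholder hostname and URIs because the thread's copies are redacted, and SecRuleUpdateTargetById needs ModSecurity 2.6 or later.

```python
"""Triage ModSecurity warnings from the Apache error_log and draft narrow exclusions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines, modelled on the entries quoted in the thread.
# Hostname and URIs are placeholders; the thread's own copies are redacted.
SAMPLE_LOG = r'''[Tue Mar 26 08:55:40 2013] [error] ModSecurity: Warning. Pattern match "(.*?)=(?i)(?!.*secure.*)(.*$)" at RESPONSE_HEADERS:Set-Cookie. [file "/etc/modsecurity/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "99"] [id "981185"] [msg "AppDefect: Missing Secure Cookie Flag for WHMCSWK3SD9jYz3vn."] [tag "MISCONFIGURATION"] [hostname "billing.example.test"] [uri "/example/login.php"] [unique_id "UVFii8BfN1wAAGavEAwAAAAG"]
[Tue Mar 26 09:02:34 2013] [error] [ ] ModSecurity: Rule 7f392f069280 [id "950901"][file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-: (null). [hostname "billing.example.test"] [uri "/example/contact.php"] [unique_id "UVFkKsBfN1wAAGgtASkAAAAD"]
[Tue Mar 26 17:53:45 2013] [error] [ ] ModSecurity: Warning. Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS:message. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2.2.5"] [msg "SQL Comment Sequence Detected."] [data "---"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "billing.example.test"] [uri "/example/contact.php"] [unique_id "UVHgqcBfN1wAACpadloAAAAH"]
[Tue Mar 26 17:37:18 2013] [error] [ ] ModSecurity: Warning. Pattern match "\\W{4,}" at ARGS:message. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data ",\\x0d\\x0a\\x0d\\x0a"] [hostname "billing.example.test"] [uri "/example/contact.php"] [unique_id "UVHczsBfN1wAACpvgiQAAAAJ"]
[Tue Mar 26 17:57:32 2013] [error] [ ] ModSecurity: Warning. Pattern match "([~!@#$%^&*()\\-+={}\\[\\]|:;'<>].*){4,}" at ARGS:tos. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "-privee"] [hostname "billing.example.test"] [uri "/example/signup.php"] [unique_id "UVHhi8BfN1wAABvtaiAAAAAF"]
[Tue Mar 26 17:53:46 2013] [error] [ ] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 20, SQLi=3, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "billing.example.test"] [uri "/example/contact.php"] [unique_id "UVHgqcBfN1wAACpadloAAAAH"]
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TS_RE = re.compile(r'^\[([^\]]+)\]')                       # leading Apache timestamp
TARGET_RE = re.compile(r' at ([A-Z_]+(?::[\w-]+)?)\. \[file')  # variable the rule matched


@dataclass
class Event:
    timestamp: str
    rule_id: str
    uri: str
    msg: str
    target: Optional[str]   # ARGS:message, RESPONSE_HEADERS:Set-Cookie, TX:..., or None
    data: str
    file: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one error_log line; None for lines that carry no ModSecurity rule id."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    ts = TS_RE.match(line)
    tgt = TARGET_RE.search(line)
    return Event(timestamp=ts.group(1) if ts else "", rule_id=fields["id"],
                 uri=fields.get("uri", ""), msg=fields.get("msg", ""),
                 target=tgt.group(1) if tgt else None,
                 data=fields.get("data", ""), file=fields.get("file", ""))


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def side(ev: Event) -> str:
    """Request-side rules inspect client input; response-side ones flag the app's own output;
    TX:* hits come from the correlation rules that merely report the anomaly score."""
    if ev.target is None:
        return "unknown"          # e.g. an execution error with no matched variable
    if ev.target.startswith("RESPONSE_"):
        return "response"
    if ev.target.startswith("TX:"):
        return "correlation"
    return "request"


def summarize(events: List[Event]) -> Dict[str, dict]:
    """Group hits by rule id: how often, on which paths, against which variables."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "uris": set(), "targets": set(), "msg": "", "side": ""})
    for ev in events:
        s = summary[ev.rule_id]
        s["count"] += 1
        s["uris"].add(ev.uri)
        if ev.target:
            s["targets"].add(ev.target)
        s["msg"] = s["msg"] or ev.msg
        s["side"] = side(ev)
    return dict(summary)


def draft_exclusions(events: List[Event], confirmed_fp: Set[str]) -> str:
    """Draft the narrowest exclusion per (path, rule, parameter) for confirmed false positives.
    Only request-side ARGS hits are eligible; response-side and correlation hits are listed
    in a comment instead, because silencing them hides the cause rather than the symptom."""
    per_uri: Dict[str, set] = defaultdict(set)
    skipped: Set[str] = set()
    for ev in events:
        if ev.rule_id not in confirmed_fp:
            continue
        if side(ev) == "request" and ev.target.startswith("ARGS:"):
            per_uri[ev.uri].add((ev.rule_id, ev.target))
        else:
            skipped.add(ev.rule_id)
    out = []
    for uri in sorted(per_uri):
        out.append(f'<LocationMatch "^{re.escape(uri)}$">')
        for rule_id, target in sorted(per_uri[uri]):
            # Remove just this parameter from the rule's targets; every other argument stays inspected.
            out.append(f'    SecRuleUpdateTargetById {rule_id} "!{target}"')
        out.append("</LocationMatch>")
    for rule_id in sorted(skipped):
        out.append(f"# {rule_id}: not excluded (response-side or correlation rule); fix the source instead")
    return "\n".join(out)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for rid, s in sorted(summarize(evs).items()):
        print(f"{rid} x{s['count']} [{s['side']}] {sorted(s['targets'])} {sorted(s['uris'])}: {s['msg']}")
    print(draft_exclusions(evs, {"981231", "960024", "981185", "981204"}))
```

Run it against the real error_log by replacing SAMPLE_LOG with the file contents and passing only the rule ids you have personally verified against the request that triggered them; the data field in each line (for example "---" or "7#tab3") is what to compare with what the form actually submitted before deciding a hit is a false positive.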