nf_able Posted January 13, 2022

My install has been fine to date, but when creating a new invoice and publishing it, my system triggered a 504. I went to check updates, attempted to download a db backup and another 504. In cPanel I disabled modsecurity - then was able to edit my invoice (which it had created). Turned on WHMCS error reporting. Re-enabled modsec in cPanel and . And now was able to edit an invoice and create/email a new one. Now when turning off error reporting, I get a 403.

==

Checking WHM Modsec I see:

921130: HTTP Response Splitting Attack
Request: POST /billing/master/configgeneral.php?action=save
Action Description: Warning.
Justification: Pattern match "(?:\\bhttp/\\d|<(?:html|meta)\\b)" at ARGS:emailglobalheader.

941100: XSS Attack Detected via libinjection
Request: POST /billing/master/configgeneral.php?action=save
Action Description: Warning.
Justification: detected XSS using libinjection.

941130: XSS Filter - Category 3: Attribute Vector
Request: POST /billing/master/configgeneral.php?action=save
Action Description: Warning.
Justification: Pattern match "(?i)[\\s\\S](?:!ENTITY\\s+(?:\\S+|%\\s+\\S+)\\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\\/html|pattern\\b.*?=|formaction|\\@import|;base64)\\b" at ARGS:emailglobalheader.

941140: XSS Filter - Category 4: Javascript URI Vector
Request: POST /billing/master/configgeneral.php?action=save
Action Description: Warning.
Justification: Pattern match "(?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\\b[^>]*?>[\\s\\S]*?|(?:=|U\\s*?R\\s*?L\\s*?\\()\\s*?[^>]*?\\s*?S\\s*?C\\s*?R\\s*?I\\s*?P\\s*?T\\s*?:)" at ARGS:emailglobalheader.

941250: IE XSS Filters - Attack Detected
Request: POST /billing/master/configgeneral.php?action=save
Action Description: Warning.
Justification: Pattern match "(?i:[\\s/+].*?http-equiv[\\s/+]*=[\\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" at ARGS:emailglobalheader.

941260: IE XSS Filters - Attack Detected
Request: POST /billing/master/configgeneral.php?action=save
Action Description: Warning.
Justification: Pattern match "(?i:[\\s/+].*?charset[\\s/+]*=)" at ARGS:emailglobalheader.

980130: Inbound Anomaly Score Exceeded (Total Inbound Score: 35 - SQLI=0,XSS=30,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=5,SESS=0): individual paranoia level scores: 35, 0, 0, 0
Request: POST /billing/master/configgeneral.php?action=save
Action Description: Warning.
Justification: Operator GE matched 5 at TX:inbound_anomaly_score.

Any help or suggestions appreciated ... I'm using OWASP 3 rules

Much thx,
nf

string Posted January 13, 2022 (edited)

4 hours ago, nf_able said:
> Re-enabled modsec in cPanel and . And now was able to edit an invoice and create/email a new one. Now when turning off error reporting, I get a 403.

It is unlikely that the error reporting settings have any effect on whether ModSecurity blocks something or not. Error reporting has no effect on the request / response, except that if there is an error in the response, the error is included.

4 hours ago, nf_able said:
> Any help or suggestions appreciated ... I'm using OWASP 3 rules

The problem with the OWASP ruleset is that it is quite restrictive. From my experience, even with widely used applications like WordPress. The solution to your problem is to either customize the rules in question, or disable them for the affected domain or URL. If you disable them, you should check if it is an important rule.

If changing the rulesets is an option, I would recommend Atomicorp. The rules are really well maintained and the price is ok. Atomicorp also offers a free version of their rules, but not all rules are included and the free ruleset is not updated that often:
https://atomicorp.com/atomic-modsecurity-rules/

lulzkiller Posted January 15, 2022

On 1/13/2022 at 6:22 PM, nf_able said:
> My install has been fine to date, but when creating a new invoice and publishing it, my system triggered a 504. [...]

Yes, just check what is being blocked, and change the filter to exclude those things.
https://www.interserver.net/tips/kb/disable-modsecurity-rule-for-cpanel-user/
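
Both replies point at a scoped exclusion rather than switching ModSecurity off. The sketch below is an added example, not code from any participant in the thread: it reads hit-list entries in the shape quoted above and emits one ModSecurity rule that stops only the named rules from inspecting the named variable on the one path that triggered them. The function names, the sample entries and the local rule id 10001 are assumptions; the generated rule has to be loaded before the CRS rules it modifies.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: four entries in the shape of the WHM hit list quoted in the thread.
SAMPLE = r"""
921130: HTTP Response Splitting Attack Request: POST /billing/master/configgeneral.php?action=save Action Description: Warning. Justification: Pattern match "(?:\\bhttp/\\d|<(?:html|meta)\\b)" at ARGS:emailglobalheader.
941100: XSS Attack Detected via libinjection Request: POST /billing/master/configgeneral.php?action=save Action Description: Warning. Justification: detected XSS using libinjection.
941260: IE XSS Filters - Attack Detected Request: POST /billing/master/configgeneral.php?action=save Action Description: Warning. Justification: Pattern match "(?i:[\\s/+].*?charset[\\s/+]*=)" at ARGS:emailglobalheader.
980130: Inbound Anomaly Score Exceeded (Total Inbound Score: 35) Request: POST /billing/master/configgeneral.php?action=save Action Description: Warning. Justification: Operator GE matched 5 at TX:inbound_anomaly_score.
"""

HIT = re.compile(r"^(\d{6}): .*? Request: \w+ (\S+) Action Description: .*? Justification: (.*)$")
TARGET = re.compile(r" at ([A-Z_]+:[\w-]+)\.?$")
SCORING = ("949", "959", "980")  # CRS blocking-evaluation / correlation rules: never exclude

def parse_hits(text):
    """Return ({path: [(rule_id, variable)]}, [rule ids whose entry names no variable])."""
    by_path, unresolved = defaultdict(list), []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HIT.match(line)
        if not m or m.group(1).startswith(SCORING):
            continue  # not a hit entry, or the score summary rather than a detection
        rule, uri, why = m.groups()
        t = TARGET.search(why)
        if t:
            by_path[urlsplit(uri).path].append((rule, t.group(1)))
        else:
            unresolved.append(rule)  # e.g. libinjection: find the variable in the audit log
    return dict(by_path), unresolved

def exclusion_rule(path, pairs, sec_id):
    """One SecRule removing only the named variable from the named rules on one path."""
    ctls = ",\\\n    ".join(f"ctl:ruleRemoveTargetById={r};{t}" for r, t in pairs)
    return (f'SecRule REQUEST_FILENAME "@streq {path}" \\\n'
            f'    "id:{sec_id},phase:1,pass,nolog,t:none,\\\n    {ctls}"')

if __name__ == "__main__":
    hits, todo = parse_hits(SAMPLE)
    for n, (path, pairs) in enumerate(hits.items()):
        print(exclusion_rule(path, pairs, 10001 + n))  # 10001: placeholder local rule id
    print("# no variable named in the hit list, resolve manually:", ", ".join(todo))
```

Rule 980130 is skipped on purpose: it only reports the accumulated score, so excluding it would hide the symptom while the detections keep firing.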