Jump to content
nf_able

403 / 504 errors - Modsecurity being triggered

Recommended Posts

My install has been fine to date, but when creating a new invoice and publishing it, my system triggered a 504.  I went to check updates, attempted to download a db backup and another 504.  

In cPanel I disabled modsecurity - then was able to edit my invoice (which it had created).  Turned on WHMCS error reporting.

Re-enabled modsec in cPanel and .  And now was able to edit an invoice and create/email a new one.

Now when turning off error reporting, I get a 403.

==

Checking WHM Modsec I see:

921130: HTTP Response Splitting Attack
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?:\\bhttp/\\d|<(?:html|meta)\\b)" at ARGS:emailglobalheader.


941100: XSS Attack Detected via libinjection
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	detected XSS using libinjection.


941130: XSS Filter - Category 3: Attribute Vector
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?i)[\\s\\S](?:!ENTITY\\s+(?:\\S+|%\\s+\\S+)\\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\\/html|pattern\\b.*?=|formaction|\\@import|;base64)\\b" at ARGS:emailglobalheader.


941140: XSS Filter - Category 4: Javascript URI Vector
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\\b[^>]*?>[\\s\\S]*?|(?:=|U\\s*?R\\s*?L\\s*?\\()\\s*?[^>]*?\\s*?S\\s*?C\\s*?R\\s*?I\\s*?P\\s*?T\\s*?:)" at ARGS:emailglobalheader.


941250: IE XSS Filters - Attack Detected
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?i:[\\s/+].*?http-equiv[\\s/+]*=[\\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" at ARGS:emailglobalheader.


941260: IE XSS Filters - Attack Detected
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?i:[\\s/+].*?charset[\\s/+]*=)" at ARGS:emailglobalheader.


980130: Inbound Anomaly Score Exceeded (Total Inbound Score: 35 - SQLI=0,XSS=30,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=5,SESS=0): individual paranoia level scores: 35, 0, 0, 0
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Operator GE matched 5 at TX:inbound_anomaly_score.

 

Any help of suggestions appreciated ... I'm using OWASP 3 rules

 

Much thx,

nf

Share this post


Link to post
Share on other sites
4 hours ago, nf_able said:

Re-enabled modsec in cPanel and .  And now was able to edit an invoice and create/email a new one.

Now when turning off error reporting, I get a 403.

It is unlikely that the error reporting settings have any effect on whether ModSecurity blocks something or not. error reporting has no effect on the request / response, except that if there is an error in the response, the error is included.

4 hours ago, nf_able said:

Any help of suggestions appreciated ... I'm using OWASP 3 rules

The problem with the OWASP ruleset is that they are quite restrictive. From my experience, even with widely used applications like WordPress. The solution to your problem is to either customize the rules in question, or disable them for the affected domain or URL. If you disable them, you should check if it is an important rule. 

If changing the rulesets is an option, I would recommend Atomicorp. The rules are really well maintained and the price is ok. Atomicorp also offers a free version of their rules, but not all rules are included and the free ruleset is not updated that often: https://atomicorp.com/atomic-modsecurity-rules/

Edited by string

Share this post


Link to post
Share on other sites
On 1/13/2022 at 6:22 PM, nf_able said:

My install has been fine to date, but when creating a new invoice and publishing it, my system triggered a 504.  I went to check updates, attempted to download a db backup and another 504.  

In cPanel I disabled modsecurity - then was able to edit my invoice (which it had created).  Turned on WHMCS error reporting.

Re-enabled modsec in cPanel and .  And now was able to edit an invoice and create/email a new one.

Now when turning off error reporting, I get a 403.

==

Checking WHM Modsec I see:


921130: HTTP Response Splitting Attack
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?:\\bhttp/\\d|<(?:html|meta)\\b)" at ARGS:emailglobalheader.


941100: XSS Attack Detected via libinjection
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	detected XSS using libinjection.


941130: XSS Filter - Category 3: Attribute Vector
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?i)[\\s\\S](?:!ENTITY\\s+(?:\\S+|%\\s+\\S+)\\s+(?:PUBLIC|SYSTEM)|x(?:link:href|html|mlns)|data:text\\/html|pattern\\b.*?=|formaction|\\@import|;base64)\\b" at ARGS:emailglobalheader.


941140: XSS Filter - Category 4: Javascript URI Vector
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\\b[^>]*?>[\\s\\S]*?|(?:=|U\\s*?R\\s*?L\\s*?\\()\\s*?[^>]*?\\s*?S\\s*?C\\s*?R\\s*?I\\s*?P\\s*?T\\s*?:)" at ARGS:emailglobalheader.


941250: IE XSS Filters - Attack Detected
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?i:[\\s/+].*?http-equiv[\\s/+]*=[\\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" at ARGS:emailglobalheader.


941260: IE XSS Filters - Attack Detected
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Pattern match "(?i:[\\s/+].*?charset[\\s/+]*=)" at ARGS:emailglobalheader.


980130: Inbound Anomaly Score Exceeded (Total Inbound Score: 35 - SQLI=0,XSS=30,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=5,SESS=0): individual paranoia level scores: 35, 0, 0, 0
Request:	POST /billing/master/configgeneral.php?action=save
Action Description:	Warning.
Justification:	Operator GE matched 5 at TX:inbound_anomaly_score.

 

Any help of suggestions appreciated ... I'm using OWASP 3 rules

 

Much thx,

nf

Yes, just check what is being blocked, and change the filter to exclude those things.

https://www.interserver.net/tips/kb/disable-modsecurity-rule-for-cpanel-user/?__cf_chl_f_tk=j9yPis6l0TEhoy2P2LetwF5r8IZNFH4c1l5kdaSjJYU-1642252757-0-gaNycGzNB5E

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated