kurbot Posted May 7, 2009

Is anyone else having trouble when trying to send out emails to all hosted clients? When I submit the message to be sent, it runs the first batch; however, if I try to force the next batch, or wait the 30 seconds for the second batch to run, I get a 404 error... Only the first 30 clients get their emails and no one else. I did notice, though, that I get a URL return that looks like this:

ieframe.dll/http_406.htm#http://yourdomain.com/admin/sendmessage.php?action=send&massmailquery=SELECT+tblhosting.id%2Ctblhosting.userid%2Ctblhosting.domain%2Ctblclients.firstname%2Ctblclients.lastname%2Ctblclients.email+FROM+tblhosting+INNER+JOIN+tblclients+ON+tblclients.id%3Dtblhosting.userid+INNER+JOIN+tblproducts+ON+tblproducts.id%3Dtblhosting.packageid+WHERE+tblhosting.id%21%3D%27%27+AND+tblhosting.domainstatus%3D%27Active%27&step=1

I've tried re-uploading all the original files from whmcs.com to no avail. Is this known? Or just me?

jozeph Posted May 7, 2009

Same problem here.

sparky Posted May 8, 2009

You are getting a 406 error, "Not Acceptable". More than likely mod security rules are stopping the second step of the mailout. This was the same in 3.8.1 and 3.8.2. I haven't yet had the time to put my finger on the particular mod security rule, but if you have to do a mass mailout, you can turn off mod security, do the mailout and then re-enable it. Maybe submit it as a bug; Matt may look at it.

kurbot (Author) Posted May 8, 2009

OK, that makes sense, and yes, we run mod_security. If you can fingerprint the ruleset or a rule I can whitelist, let me know. I'll look into this further myself also. It's a pain not being able to mass mail clients, especially when you have 800+ and you need to inform them of emergency services ;-) Thank you.

kurbot (Author) Posted May 8, 2009

OK, I found the ruleset blocking it. Will post it in a way that's not a security risk to all of us using Sec Mod.

kurbot (Author) Posted May 8, 2009

OK, the mod_security ruleset that's causing mass email to fail after the first batch is related to SQL injection. Here are some slightly modified examples of the rules that trigger the halt:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(??(?:elect\b(?:.{1,100}?\b(??:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(??:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\'(?(?:qloledb|a)|msdasql|dbo)')" \
    "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(??(?:elect\b(?:.{1,100}?\b(??:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(??:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\'(?(?:qloledb|a)|msdasql|dbo)')" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

I'm working out a solution to not have to disable mod_security, but more so allowing a local IP range and server IP/name range match to bypass this block. As soon as I have a new ruleset that allows specific users to bypass it in a safe manner, I will post it. Thanks for the pointer, sparky. Got me in the right direction to fix it.

kurbot (Author) Posted May 8, 2009

If it's of any help, we built a workaround for mod_security. While it's unusual and not the best method to pass SQL information via URL, being that it would be an issue with most firewalls and it's just bad practice in general... My personal two cents on security and methods. That all being said, for those of you who use mod_security and want a solution, add the following ruleset to your rules:

SecRule REMOTE_ADDR "^1\.2\.3\.4$" allow

the 1 2 3 4 being the IP address you wish to bypass this. Again, use this type of setup at your discretion. It's not a thoroughly tested method, and my concern is that someone who could mask your IP will be able to URL f'up your database royally. I'm hoping down the road WHMCS will introduce a new way of mass emailing instead of passing SQL URL variables. Thanks guys, and good luck to those having this issue.

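A narrower form of the bypass in the post above, added here as an example (not code from the thread or from WHMCS): instead of `allow`, which skips every rule for the listed address, it switches off only the two rule IDs quoted in the thread, and only for the mass-mail script seen in the first post's URL. The address 192.0.2.10 and the rule id 1000001 are placeholders, and ModSecurity 2.x syntax is assumed.

```apache
# Added example, ModSecurity 2.x syntax assumed.
# 192.0.2.10 : placeholder for the administrator's address
# id:1000001 : placeholder id for this local rule (newer 2.x releases require an id)
#
# Blanket form from the thread: every rule is skipped for that address.
#   SecRule REMOTE_ADDR "^1\.2\.3\.4$" allow
#
# Scoped form: the chain requires BOTH the source address and the script path
# to match. It runs in phase 1, before the phase 2 SQL injection rules, and
# removes only rules 950001 and 959001 for this one request. All other rules
# still apply to the administrator's traffic.
SecRule REMOTE_ADDR "^192\.0\.2\.10$" \
    "id:1000001,phase:1,t:none,nolog,pass,chain"
    SecRule REQUEST_FILENAME "@endsWith /admin/sendmessage.php" \
        "t:none,ctl:ruleRemoveById=950001,ctl:ruleRemoveById=959001"
```

REMOTE_ADDR is the address of the connecting peer, so behind a reverse proxy or load balancer it matches the proxy rather than the administrator.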