Modsec Issue

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
liono
Junior Member
Posts: 5
Joined: 18 Jul 2014, 22:14

Modsec Issue

Post by liono »

I have installed cxs and added the lines :

Code: Select all

SecRequestBodyAccess On
SecRule FILES_TMPNAMES “@inspectFile /etc/cxs/cxscgi_DOT_sh” \
“log,auditlog,deny,severity:2,id:’1010101′” 
To the file /usr/local/apache/conf/modsec2.user.conf

Now every time I edit css template in joomla and press save I get :

Not Acceptable

An appropriate representation of the requested resource /jom/administrator/index.php could not be found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

When I comment the line :

Code: Select all

SecRequestBodyAccess On
all goes OK.

Any idea how to resolve this issue.

Thanks
Sergio
Junior Member
Posts: 1719
Joined: 12 Dec 2006, 14:56

Re: Modsec Issue

Post by Sergio »

It seems that your rule has the wrong type of quotes on the ID number, try to use " ' " not " ’ ".

The rule should be:
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi_DOT_sh" \
"log,auditlog,deny,severity:2,id:'1010101'"

The line:
SecRequestBodyAccess On
should be always "On".

Hope this helps.
liono
Junior Member
Posts: 5
Joined: 18 Jul 2014, 22:14

Re: Modsec Issue

Post by liono »

Thank you Sergio for taking up the time to look into this issue.

I checked the rule and fount it is as you have typed in your message i.e.:
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi_DOT_sh" \
"log,auditlog,deny,severity:2,id:'1010101'"

I have typed the single quote wrongly when composing my message.

I still get the error above. Any new ideas?

Thank you
Sergio
Junior Member
Posts: 1719
Joined: 12 Dec 2006, 14:56

Re: Modsec Issue

Post by Sergio »

You will need to check modsec error log with cmc to get more info about why that rule has been triggered.
liono
Junior Member
Posts: 5
Joined: 18 Jul 2014, 22:14

Re: Modsec Issue

Post by liono »

Thanks again Sergio,

I have installed cmc and found that the rule that triggers this issue is :

Code: Select all

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'1234123404',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
Any idea how to fix it, is it OK to disable this rule?

Thanks
Sergio
Junior Member
Posts: 1719
Joined: 12 Dec 2006, 14:56

Re: Modsec Issue

Post by Sergio »

Well, first of all, the first post that you wrote saids that you added the rule for CXS and you have some issues with joomla but the info that you posted is showing a different rule:
id:'1234123404'
this is not the same rule as the id:’1010101′ from cxs, them are not related.

Rules that starts with 12341234XX are from a default set from cPanel and are not recommended it is better to use rules like ASL GotRoot.

From the log lines that you wrote, I will liked to see what was the URL that was causing this or at least the "post" section to see what was the script that caused this to happen in order to create a rule for that script.

If you are using a set of modsec rules, please tell which ones are you using.

Sergio
liono
Junior Member
Posts: 5
Joined: 18 Jul 2014, 22:14

Re: Modsec Issue

Post by liono »

Dear Sergio,

Thanks again for your help and fast response.

Here is the log output from cmc which contains all information including the post line:

Code: Select all

ConfigServer ModSecurity Log Entries Expand All Collapse All
Domain	Source IP	Rule ID	Date Stamp
MyDomain_DOT_DOT_com	xx.xx.xx.xx	1234123404	[01/Aug/2014:16:28:45 +0200]
Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at ARGS:jform[source]. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data "<meta"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]

[01/Aug/2014:16:28:45 +0200] U9ukHNj2HNAAAE8ITDMAAAAD 41.252.251.76 65145 216.246.28.209 80
--2c779e0a-B--
POST /administrator/index.php?option_DOT_com_templates&view=template&id=506&file=L2luZGV4LnBocA HTTP/1.1
Host: MyDomain_DOT_DOT_com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://MyDomain_DOT_DOT_com/administrator/index.php?option_DOT_com_templates&view=template&id=506&file=L2luZGV4LnBocA%3D%3D
Cookie: fbe98b29bf4f90f50d2b71a3e1415e05=37624ce9b76e9cc23473419ec19235f6; e0ee60f5151a165949011a405620e344=671471d2230a9813c1c3b93fb7110b94
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 11211

--2c779e0a-C--
jform%5Bsource%5D=%3C%3Fphp%0D%0A%2F**%0D%0A+*+%40package+++++Joomla.Site%0D%0A+*+%40subpackage++Templates.protostar%0D%0A+*%0D%0A+*+%40copyright+++Copyright+%28C%29+2005+-+2014+Open+Source+Matters%2C+Inc.+All+rights+reserved.%0D%0A+*+%40license+++++GNU+General+Public+License+version+2+or+later%3B+see+LICENSE.txt%0D%0A+*%2F%0D%0A%0D%0Adefined%28%27_JEXEC%27%29+or+die%3B%0D%0A%0D%0A%2F%2F+Getting+params+from+template%0D%0A%24params+%3D+JFactory%3A%3AgetApplication%28%29-%3EgetTemplate%28true%29-%3Eparams%3B%0D%0A%0D%0A%24app+%3D+JFactory%3A%3AgetApplication%28%29%3B%0D%0A%24doc+%3D+JFactory%3A%3AgetDocument%28%29%3B%0D%0A%24this-%3Elanguage+%3D+%24doc-%3Elanguage%3B%0D%0A%24this-%3Edirection+%3D+%24doc-%3Edirection%3B%0D%0A%0D%0A%2F%2F+Detecting+Active+Variables%0D%0A%24option+++%3D+%24app-%3Einput-%3EgetCmd%28%27option%27%2C+%27%27%29%3B%0D%0A%24view+++++%3D+%24app-%3Einput-%3EgetCmd%28%27view%27%2C+%27%27%29%3B%0D%0A%24layout+++%3D+%24app-%3Einput-%3EgetCmd%28%27layout%27%2C+%27%27%29%3B%0D%0A%24task+++++%3D+%24app-%3Einput-%3EgetCmd%28%27task%27%2C+%27%27%29%3B%0D%0A%24itemid+++%3D+%24app-%3Einput-%3EgetCmd%28%27Itemid%27%2C+%27%27%29%3B%0D%0A%24sitename+%3D+%24app-%3EgetCfg%28%27sitename%27%29%3B%0D%0A%0D%0Aif%28%24task+%3D%3D+%22edit%22+%7C%7C+%24layout+%3D%3D+%22form%22+%29%0D%0A%7B%0D%0A%09%24fullWidth+%3D+1%3B%0D%0A%7D%0D%0Aelse%0D%0A%7B%0D%0A%09%24fullWidth+%3D+0%3B%0D%0A%7D%0D%0A%0D%0A%2F%2F+Add+JavaScript+Frameworks%0D%0AJHtml%3A%3A_%28%27bootstrap.framework%27%29%3B%0D%0A%24doc-%3EaddScript%28%27templates%2F%27+.%24this-%3Etemplate.+%27%2Fjs%2Ftemplate.js%27%29%3B%0D%0A%0D%0A%2F%2F+Add+Stylesheets%0D%0A%24doc-%3EaddStyleSheet%28%27templates%2F%27.%24this-%3Etemplate.%27%2Fcss%2Ftemplate.css%27%29%3B%0D%0A%0D%0A%2F%2F+Load+optional+RTL+Bootstrap+CSS%0D%0AJHtml%3A%3A_%28%27bootstrap.loadCss%27%2C+false%2C+%24this-%3Edirection%29%3B%0D%0A%0D%0A%2F%2F+Add+current+user+information%0D%0A%24user+%3D+JFactory%3A%3AgetUser%28%29%3B%0D%0A%0D%0A%2F%2F+Adjusting+content+width%0D%0Aif+%28%24this-%3EcountModules%28%27position-7%27%29+%26%26+%24this-%3EcountModules%28%27position-8%27%29%29%0D%0A%7B%0D%0A%09%24span+%3D+%22span6%22%3B%0D%0A%7D%0D%0Aelseif+%28%24this-%3EcountModules%28%27position-7%27%29+%26%26+%21%24this-%3EcountModules%28%27position-8%27%29%29%0D%0A%7B%0D%0A%09%24span+%3D+%22span9%22%3B%0D%0A%7D%0D%0Aelseif+%28%21%24this-%3EcountModules%28%27position-7%27%29+%26%26+%24this-%3EcountModules%28%27position-8%27%29%29%0D%0A%7B%0D%0A%09%24span+%3D+%22span9%22%3B%0D%0A%7D%0D%0Aelse%0D%0A%7B%0D%0A%09%24span+%3D+%22span12%22%3B%0D%0A%7D%0D%0A%0D%0A%2F%2F+Logo+file+or+site+title+param%0D%0Aif+%28%24this-%3Eparams-%3Eget%28%27logoFile%27%29%29%0D%0A%7B%0D%0A%09%24logo+%3D+%27%3Cimg+src%3D%22%27.+JUri%3A%3Aroot%28%29+.+%24this-%3Eparams-%3Eget%28%27logoFile%27%29+.%27%22+alt%3D%22%27.+%24sitename+.%27%22+%2F%3E%27%3B%0D%0A%7D%0D%0Aelseif+%28%24this-%3Eparams-%3Eget%28%27sitetitle%27%29%29%0D%0A%7B%0D%0A%09%24logo+%3D+%27%3Cspan+class%3D%22site-title%22+title%3D%22%27.+%24sitename+.%27%22%3E%27.+htmlspecialchars%28%24this-%3Eparams-%3Eget%28%27sitetitle%27%29%29+.%27%3C%2Fspan%3E%27%3B%0D%0A%7D%0D%0Aelse%0D%0A%7B%0D%0A%09%24logo+%3D+%27%3Cspan+class%3D%22site-title%22+title%3D%22%27.+%24sitename+.%27%22%3E%27.+%24sitename+.%27%3C%2Fspan%3E%27%3B%0D%0A%7D%0D%0A%3F%3E%0D%0A%3C%21DOCTYPE+html%3E%0D%0A%3Chtml+xmlns%3D%22http%3A%2F%2Fwww.w3_DOT_org%2F1999%2Fxhtml%22+xml%3Alang%3D%22%3C%3Fphp+echo+%24this-%3Elanguage%3B+%3F%3E%22+lang%3D%22%3C%3Fphp+echo+%24this-%3Elanguage%3B+%3F%3E%22+dir%3D%22%3C%3Fphp+echo+%24this-%3Edirection%3B+%3F%3E%22%3E%0D%0A%3Chead%3E%0D%0A%09%3Cmeta+name%3D%22viewport%22+content%3D%22width%3Ddevice-width%2C+initial-scale%3D1.0%22+%2F%3E%0D%0A%09%3Cjdoc%3Ainclude+type%3D%22head%22+%2F%3E%0D%0A%09%3C%3Fphp%0D%0A%09%2F%2F+Use+of+Google+Font%0D%0A%09if+%28%24this-%3Eparams-%3Eget%28%27googleFont%27%29%29%0D%0A%09%7B%0D%0A%09%3F%3E%0D%0A%09%09%3Clink+href%3D%27%2F%2Ffonts.googleapis_DOT_com%2Fcss%3Ffamily%3D%3C%3Fphp+echo+%24this-%3Eparams-%3Eget%28%27googleFontName%27%29%3B%3F%3E%27+rel%3D%27stylesheet%27+type%3D%27text%2Fcss%27+%2F%3E%0D%0A%09%09%3Cstyle+type%3D%22text%2Fcss%22%3E%0D%0A%09%09%09h1%2Ch2%2Ch3%2Ch4%2Ch5%2Ch6%2C.site-title%7B%0D%0A%09%09%09%09font-family%3A+%27%3C%3Fphp+echo+str_replace%28%27%2B%27%2C+%27+%27%2C+%24this-%3Eparams-%3Eget%28%27googleFontName%27%29%29%3B%3F%3E%27%2C+sans-serif%3B%0D%0A%09%09%09%7D%0D%0A%09%09%3C%2Fstyle%3E%0D%0A%09%3C%3Fphp%0D%0A%09%7D%0D%0A%09%3F%3E%0D%0A%09%3C%3Fphp%0D%0A%09%2F%2F+Template+color%0D%0A%09if+%28%24this-%3Eparams-%3Eget%28%27templateColor%27%29%29%0D%0A%09%7B%0D%0A%09%3F%3E%0D%0A%09%3Cstyle+type%3D%22text%2Fcss%22%3E%0D%0A%09%09body.site%0D%0A%09%09%7B%0D%0A%09%09%09border-top%3A+3px+solid+%3C%3Fphp+echo+%24this-%3Eparams-%3Eget%28%27templateColor%27%29%3B%3F%3E%3B%0D%0A%09%09%09background-color%3A+%3C%3Fphp+echo+%24this-%3Eparams-%3Eget%28%27templateBackgroundColor%27%29%3B%3F%3E%0D%0A%09%09%7D%0D%0A%09%09a%0D%0A%09%09%7B%0D%0A%09%09%09color%3A+%3C%3Fphp+echo+%24this-%3Eparams-%3Eget%28%27templateColor%27%29%3B%3F%3E%3B%0D%0A%09%09%7D%0D%0A%09%09.navbar-inner%2C+.nav-list+%3E+.active+%3E+a%2C+.nav-list+%3E+.active+%3E+a%3Ahover%2C+.dropdown-menu+li+%3E+a%3Ahover%2C+.dropdown-menu+.active+%3E+a%2C+.dropdown-menu+.active+%3E+a%3Ahover%2C+.nav-pills+%3E+.active+%3E+a%2C+.nav-pills+%3E+.active+%3E+a%3Ahover%2C%0D%0A%09%09.btn-primary%0D%0A%09%09%7B%0D%0A%09%09%09background%3A+%3C%3Fphp+echo+%24this-%3Eparams-%3Eget%28%27templateColor%27%29%3B%3F%3E%3B%0D%0A%09%09%7D%0D%0A%09%09.navbar-inner%0D%0A%09%09%7B%0D%0A%09%09%09-moz-box-shadow%3A+0+1px+3px+rgba%280%2C+0%2C+0%2C+.25%29%2C+inset+0+-1px+0+rgba%280%2C+0%2C+0%2C+.1%29%2C+inset+0+30px+10px+rgba%280%2C+0%2C+0%2C+.2%29%3B%0D%0A%09%09%09-webkit-box-shadow%3A+0+1px+3px+rgba%280%2C+0%2C+0%2C+.25%29%2C+inset+0+-1px+0+rgba%280%2C+0%2C+0%2C+.1%29%2C+inset+0+30px+10px+rgba%280%2C+0%2C+0%2C+.2%29%3B%0D%0A%09%09%09box-shadow%3A+0+1px+3px+rgba%280%2C+0%2C+0%2C+.25%29%2C+inset+0+-1px+0+rgba%280%2C+0%2C+0%2C+.1%29%2C+inset+0+30px+10px+rgba%280%2C+0%2C+0%2C+.2%29%3B%0D%0A%09%09%7D%0D%0A%09%3C%2Fstyle%3E%0D%0A%09%3C%3Fphp%0D%0A%09%7D%0D%0A%09%3F%3E%0D%0A%09%3C%21--%5Bif+lt+IE+9%5D%3E%0D%0A%09%09%3Cscript+src%3D%22%3C%3Fphp+echo+%24this-%3Ebaseurl+%3F%3E%2Fmedia%2Fjui%2Fjs%2Fhtml5.js%22%3E%3C%2Fscript%3E%0D%0A%09%3C%21%5Bendif%5D--%3E%0D%0A%3C%2Fhead%3E%0D%0A%0D%0A%3Cbody+class%3D%22site+%3C%3Fphp+echo+%24option%0D%0A%09.+%27+view-%27+.+%24view%0D%0A%09.+%28%24layout+%3F+%27+layout-%27+.+%24layout+%3A+%27+no-layout%27%29%0D%0A%09.+%28%24task+%3F+%27+task-%27+.+%24task+%3A+%27+no-task%27%29%0D%0A%09.+%28%24itemid+%3F+%27+itemid-%27+.+%24itemid+%3A+%27%27%29%0D%0A%09.+%28%24params-%3Eget%28%27fluidContainer%27%29+%3F+%27+fluid%27+%3A+%27%27%29%3B%0D%0A%3F%3E%22%3E%0D%0A%0D%0A%09%3C%21--+Body+--%3E%0D%0A%09%3Cdiv+class%3D%22body%22%3E%0D%0A%09%0D%0A%09%0D%0A%09%0D%0A%09%09%09%09%3Cdiv+class%3D%22header-inner+clearfix%22%3E%0D%0A%09%09%09%09%09%3Ca+class%3D%22brand+pull-left%22+href%3D%22%3C%3Fphp+echo+%24this-%3Ebaseurl%3B+%3F%3E%22%3E%0D%0A%09%09%09%09%09%09%3C%3Fphp+echo+%24logo%3B%3F%3E+%3C%3Fphp+if+%28%24this-%3Eparams-%3Eget%28%27sitedescription%27%29%29+%7B+echo+%27%3Cdiv+class%3D%22site-description%22%3E%27.+htmlspecialchars%28%24this-%3Eparams-%3Eget%28%27sitedescription%27%29%29+.%27%3C%2Fdiv%3E%27%3B+%7D+%3F%3E%0D%0A%09%09%09%09%09%3C%2Fa%3E%0D%0A%09%09%09%09%09%3Cdiv+class%3D%22header-search+pull-right%22%3E%0D%0A%09%09%09%09%09%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22position-0%22+style%3D%22none%22+%2F%3E%0D%0A%09%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%0D%0A%09%0D%0A%09%0D%0A%09%0D%0A%0D%0A%09%0D%0A%09%09%3Cdiv+class%3D%22container%3C%3Fphp+echo+%28%24params-%3Eget%28%27fluidContainer%27%29+%3F+%27-fluid%27+%3A+%27%27%29%3B%3F%3E%22%3E%0D%0A%09%09%0D%0A%0D%0A%09%09%0D%0A%09%09%09%3C%21--+Header+--%3E%0D%0A%09%09%09%3Cheader+class%3D%22header%22+role%3D%22banner%22%3E%0D%0A%09%09%09%09%0D%0A%09%09%09%3C%2Fheader%3E%0D%0A%09%09%09%3C%3Fphp+if+%28%24this-%3EcountModules%28%27position-1%27%29%29+%3A+%3F%3E%0D%0A%09%09%09%3Cnav+class%3D%22navigation%22+role%3D%22navigation%22%3E%0D%0A%09%09%09%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22position-1%22+style%3D%22none%22+%2F%3E%0D%0A%09%09%09%3C%2Fnav%3E%0D%0A%09%09%09%3C%3Fphp+endif%3B+%3F%3E%0D%0A%09%09%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22banner%22+style%3D%22xhtml%22+%2F%3E%0D%0A%09%09%09%3Cdiv+class%3D%22row-fluid%22%3E%0D%0A%09%09%09%09%3C%3Fphp+if+%28%24this-%3EcountModules%28%27position-8%27%29%29+%3A+%3F%3E%0D%0A%09%09%09%09%3C%21--+Begin+Sidebar+--%3E%0D%0A%09%09%09%09%3Cdiv+id%3D%22sidebar%22+class%3D%22span3%22%3E%0D%0A%09%09%09%09%09%3Cdiv+class%3D%22sidebar-nav%22%3E%0D%0A%09%09%09%09%09%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22position-8%22+style%3D%22xhtml%22+%2F%3E%0D%0A%09%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%3C%21--+End+Sidebar+--%3E%0D%0A%09%09%09%09%3C%3Fphp+endif%3B+%3F%3E%0D%0A%09%09%09%09%3Cmain+id%3D%22content%22+role%3D%22main%22+class%3D%22%3C%3Fphp+echo+%24span%3B%3F%3E%22%3E%0D%0A%09%09%09%09%09%3C%21--+Begin+Content+--%3E%0D%0A%09%09%09%09%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22position-3%22+style%3D%22xhtml%22+%2F%3E%0D%0A%09%09%09%09%09%3Cjdoc%3Ainclude+type%3D%22message%22+%2F%3E%0D%0A%09%09%09%09%09%3Cjdoc%3Ainclude+type%3D%2_DOT_component%22+%2F%3E%0D%0A%09%09%09%09%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22position-2%22+style%3D%22none%22+%2F%3E%0D%0A%09%09%09%09%09%3C%21--+End+Content+--%3E%0D%0A%09%09%09%09%3C%2Fmain%3E%0D%0A%09%09%09%09%3C%3Fphp+if+%28%24this-%3EcountModules%28%27position-7%27%29%29+%3A+%3F%3E%0D%0A%09%09%09%09%3Cdiv+id%3D%22aside%22+class%3D%22span3%22%3E%0D%0A%09%09%09%09%09%3C%21--+Begin+Right+Sidebar+--%3E%0D%0A%09%09%09%09%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22position-7%22+style%3D%22well%22+%2F%3E%0D%0A%09%09%09%09%09%3C%21--+End+Right+Sidebar+--%3E%0D%0A%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%3C%3Fphp+endif%3B+%3F%3E%0D%0A%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%3C%2Fdiv%3E%0D%0A%09%3C%2Fdiv%3E%0D%0A%09%3C%21--+Footer+--%3E%0D%0A%09%3Cfooter+class%3D%22footer%22+role%3D%22contentinfo%22%3E%0D%0A%09%09%3Cdiv+class%3D%22container%3C%3Fphp+echo+%28%24params-%3Eget%28%27fluidContainer%27%29+%3F+%27-fluid%27+%3A+%27%27%29%3B%3F%3E%22%3E%0D%0A%09%09%09%3Chr+%2F%3E%0D%0A%09%09%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22footer%22+style%3D%22none%22+%2F%3E%0D%0A%09%09%09%3Cp+class%3D%22pull-right%22%3E%0D%0A%09%09%09%09%3Ca+href%3D%22%23top%22+id%3D%22back-top%22%3E%0D%0A%09%09%09%09%09%3C%3Fphp+echo+JText%3A%3A_%28%27TPL_PROTOSTAR_BACKTOTOP%27%29%3B+%3F%3E%0D%0A%09%09%09%09%3C%2Fa%3E%0D%0A%09%09%09%3C%2Fp%3E%0D%0A%09%09%09%3Cp%3E%0D%0A%09%09%09%09%26copy%3B+%3C%3Fphp+echo+date%28%27Y%27%29%3B+%3F%3E+%3C%3Fphp+echo+%24sitename%3B+%3F%3E%0D%0A%09%09%09%3C%2Fp%3E%0D%0A%09%09%3C%2Fdiv%3E%0D%0A%09%3C%2Ffooter%3E%0D%0A%09%3Cjdoc%3Ainclude+type%3D%22modules%22+name%3D%22debug%22+style%3D%22none%22+%2F%3E%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A&task=template.close&942cda2b8d2f2c905fd98486d0d8ead3=1&jform%5Bextension_id%5D=506&jform%5Bfilename%5D=%2Findex.php
--2c779e0a-F--
HTTP/1.1 406 Not Acceptable
Content-Length: 393
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--2c779e0a-E--

--2c779e0a-H--
Message: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at ARGS:jform[source]. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data "<meta"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]
Apache-Error: [file "core.c"] [line 3706] [level 3] File does not exist: /home/manahejl/public_html/406.shtml, referer: http://MyDomain_DOT_DOT_com/administrator/index.php?option_DOT_com_templates&view=template&id=506&file=L2luZGV4LnBocA%3D%3D
Action: Intercepted (phase 2)
Stopwatch: 1406903324645828 863198 (- - -)
Stopwatch2: 1406903324645828 863198;_DOT_combined=31267, p1=54, p2=31208, p3=0, p4=0, p5=4, sr=0, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.1 (http://www.modsecurity_DOT_org/).
Server: Apache
Engine-Mode: "ENABLED"
Also can you enlighten what is ASL GotRoot and how do I reconfigure the modsec rules optimally? Should I delete all rules then replace them with ASL GotRoot rules?

Thank you.
Sergio
Junior Member
Posts: 1719
Joined: 12 Dec 2006, 14:56

Re: Modsec Issue

Post by Sergio »

OK, the line that is triggering that rule is:
POST /administrator/index.php?option_DOT_com_templates&view=template&id=506&
Doest the "option_DOT_com" on that line for any chance is an URL containing "http://" ?

You didn't said what set of rules are you using in that server.

About ASL GotRoot rules, it is a payed set of modsec rules that I am a proud reseller, that set of rules does a great job securing any linux server. There are other set of rules from different providers but these ones are more easy to use.
Last edited by Sergio on 01 Aug 2014, 21:39, edited 1 time in total.
liono
Junior Member
Posts: 5
Joined: 18 Jul 2014, 22:14

Re: Modsec Issue

Post by liono »

Hi Sergio,

The line should be :

Code: Select all

POST /administrator/index.php?option=com_templates&view=template&id=506&
Yes it contains http://, if you scroll down a bit you can see it :

Code: Select all

Referer: http://MyDomain_DOT_DOT_com/administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA%3D%3D
Also please note I made a mistake , the line is that contains option_DOT_com should read option=com as seen above. Sorry mistake during replacing all .com lines which the forum complains about.

About ASL GotRoot how to get it? is it easy to install? How much it costs and is the cost one time or periodical?

Thanks
Sergio
Junior Member
Posts: 1719
Joined: 12 Dec 2006, 14:56

Re: Modsec Issue

Post by Sergio »

Ok, the "http://" that I was asking was not the ones at the beginning of the URL, modsec usually blocks an IP if an "http://" is written inside an URL or if an "http://" comes in a variable filled in a form, for example.

ASL rules are payed annualy, as a respect to this site, please send me a pm if you are interested on more info.
Post Reply