Form Submission

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
Post Reply
ZeroNine
Junior Member
Posts: 14
Joined: 19 May 2011, 19:19

Form Submission

Post by ZeroNine »

Hi,
I recently installed CXS installed on my server.
I now have some unusual issues that I am trying to figure out if it is tied to CXS and if so, how I can make things work again.

On one of the websites I have a post form that I will be inputting into a textarea field XML data for processing. For some reason when I copy and paste the xml data straight into the form and submit, this is no longer working. It's redirecting the form page to the home page.
I was pulling my hair out trying to figure out why this is all of a sudden happening but then I got an email informing me that my ip was being blocked for malicious activity.

[Mon Oct 12 12:24:11.746725 2015] [:error] [pid 7067] [client xxx.xxx.xxx.93] ModSecurity: Access denied with redirection to http://examplesite.com/ using status 302 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\s+like|not\\\\s+regexp)([\\\\s'\\"`\\\\(\\\\)]*?)(?!\\\\2)([\\\\d\\\\w]+)))" at ARGS:xmlData. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "53"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: lname>Demo found within ARGS:xmlData: <xmlHTML></xmlHTML> [hostname "examplesite.com"] [uri "/home"] [unique_id "VhwI2woAAAwAABub7roAAAAI"]

I also been getting reports of another account on my server not being able to submit a form and redirecting to the home page as well.

How does this detect this as malicious and how can I set it so these type of situation go through.
I do want to keep the site secure but I need this form to go through as well.

Any help would be great!
Last edited by ZeroNine on 12 Oct 2015, 23:40, edited 1 time in total.
ZeroNine
Junior Member
Posts: 14
Joined: 19 May 2011, 19:19

Re: Form Submission

Post by ZeroNine »

Ok I just read Dealing with false=positives in cxs

I created the cxs.ignore file.
Should I add the php file that is processing the form as an ignore script?
Do I need to add the absolute path to the php script?
Do I have to do that with each of the php files that are on the site?

If I add a user or directory in the ignore, wouldn't that make CXS kinda pointless to use?
What would be the best implementation to allow the script without making the entire site insecure?
ZeroNine
Junior Member
Posts: 14
Joined: 19 May 2011, 19:19

Re: Form Submission

Post by ZeroNine »

This is getting even more strange now.
I stopped cxs watch so now it shows "cxs Watch Daemon - cxs Watch is not running".
and the site is still redirecting to home page.

Is there anything else I can do to test to see if CXS is the cause and if I can test be disabling it quickly to figure out the issue?
ZeroNine
Junior Member
Posts: 14
Joined: 19 May 2011, 19:19

Re: Form Submission

Post by ZeroNine »

Ok I figured out the issue. It had to do with Mod Security and the rules set.
johnparker92
Junior Member
Posts: 1
Joined: 17 Aug 2015, 08:35

Re: Form Submission

Post by johnparker92 »

I am also facing same problem, please give me solution.
Post Reply