Access denied with code 406 (phase 2). Pattern match

Discussion in 'Security' started by adg001, Jun 30, 2012.

  1. adg001

    adg001 Registered

    Hi, my company has a hosting server running cPanel & WHM.

    One of my sites, which has a shop, keeps being blocked. When I looked in the mod_security log I get the following.
    This is an urgent request for help.

    Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]

    Any help would be appreciated.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    If ModSecurity is blocking a legit script from working properly, this tool might be useful to you:
    ConfigServer ModSecurity Control

    After installing that, in the settings for it you could whitelist for that one domain (or all domains) the rule giving you problems. In this case it's: 950004


    HTH!
     
  3. srpurdy

    srpurdy Well-Known Member

    This will get triggered on a POST request if the data in the post consists of code like an iframe or script tag, as well as others. So basically your shop application is allowing these kinds of code to be put into POST requests. I would actually fix the application rather than disabling that rule, but that's your call. :)
     
  4. d'argo

    d'argo Active Member

    Based on the rule, it looks like you have an application that's generating a filename with this in the filename:

    .cookie

    The rule looks for .cookie in filenames, so you either need to change your application so it doesn't do that, change the rule so it doesn't look for that in the filename, or use a different filename.
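
An added example, not part of the thread and not cPanel or ModSecurity code: a small Python parser for the "Access denied" message format quoted in the first post. It pulls out the rule id, the variable that matched and the matched data, then counts repeats so a suspected false positive can be scoped before any rule is whitelisted. The sample lines are constructed from the quoted message; the `ARGS:comment` entry and the path in the last line are invented.

```python
import re
from collections import Counter

# Head of a ModSecurity 2.x denial message, in the form quoted in the thread.
HEAD = re.compile(
    r'Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)\. '
    r'(?P<operator>[A-Za-z ]+?) "(?P<pattern>(?:[^"\\]|\\.)*)" '
    r'at (?P<target>\S+?)\.(?= \[|$)'
)
# Trailing metadata such as [id "950004"] or [data ".cookie"].
META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_denial(line):
    """Return the fields of one 'Access denied' message, or None if it is not one."""
    head = HEAD.search(line)
    if head is None:
        return None
    event = head.groupdict()
    event["tags"] = []                      # a rule may carry several tags
    for key, value in META.findall(line[head.end():]):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    return event

def group_hits(lines):
    """Count denials per (rule id, matched variable, matched data)."""
    hits = Counter()
    for line in lines:
        event = parse_denial(line)
        if event:
            hits[(event.get("id"), event["target"], event.get("data"))] += 1
    return hits

# Constructed sample input: the quoted message with its pattern shortened.
_FMT = ('Access denied with code 406 (phase 2). Pattern match "{pat}" at {var}. '
        '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] '
        '[id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "{data}"] '
        '[severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]')
_PAT = r'(?:\\b(?:(?:type\\b ...'
SAMPLE_LOG = [
    _FMT.format(pat=_PAT, var="REQUEST_FILENAME", data=".cookie"),
    _FMT.format(pat=_PAT, var="ARGS:comment", data="onmouseover="),  # invented
    _FMT.format(pat=_PAT, var="REQUEST_FILENAME", data=".cookie"),
    "File does not exist: /home/example/public_html/favicon.ico",    # invented
]

if __name__ == "__main__":
    for (rule_id, target, data), count in group_hits(SAMPLE_LOG).most_common():
        print(f"{count}x rule {rule_id} matched {data!r} at {target}")
```

Grouping by variable and data separates hits where the same string keeps matching in one place, such as `.cookie` in `REQUEST_FILENAME`, from hits on request parameters, which call for a closer look at the application.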
     