cPanel's own mod_security rules, kills cPanel's own e-list feature.

Here's what I am running:
WHM 11.11.0 cPanel 11.15.0-R18373
REDHAT 5.1 i686 on standard - WHM X v3.1.0

Also using Apache 2.2

ISSUE: If you switch on/install the cPanel mod_security ruleset, this particular rule will make it impossible for anyone to manage their e-lists (MailMan) as access to the e-list admin page incurrs the 406 error:

# Restrict file extension
# removed exe so that frontpage will work
SecRule REQUEST_BASENAME "\.(?:c(?(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|$
"t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"
-----------

Here's the error that was being hit because of this (I changed listed IP and some other info):

[Tue Dec 11 11:16:32 2007] [error] [client 11.11.11.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\.(?:c(?(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?urces|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs ..." at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "domain.com"] [uri "/mailman/dirname/listname_domain.com"] [unique_id "39Mjw8-a8MIAADDjDfoAAAAE"]
-----------

Because there are several disallowed extensions in this particular rule, I have not been able to discover exactly which part of this rule that is in conflict, so I had to comment out the entire rule.

Questions:

-- How could cPanel have missed this conflict with their own cPanel e-list utility?

and

-- Is there anyway of discovering which part of this rule that is being violated?


Thanks.

 

To find out:

1 -- Hit the error with a browser.

2 -- Grep the error log, e.g.:

grep yourdomain.com /usr/local/apache/logs/error_log

 

Thanks cpDan, but would you mind putting that in English

Can I get at least some sketchy instructions about how to do this?

Thanks.

 

Here's the entire rule that breaks things. I just commented it out.

# Restrict file extension
# removed exe so that frontpage will work
SecRule REQUEST_BASENAME "\.(?:c(?(?:nf(?:ig)?|m)|s(?roj|r)?|dx|er|fg|m d)|p(?:rinter|ass|db|ol|wd)|v(?:b(?roj|s)?|sdisc o)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf? |at|ll|os)|$
"t:urlDecodeUni, t:lowercase, deny,log,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"


On my server, it was found here:
/usr/local/apache/conf/modsec2.user.conf