
Disabling several mod_security rules due to 403 response to POST request?

Discussion in 'EasyApache' started by orvn, Feb 16, 2019.

  1. orvn

    I upgraded to WHM 76 and started having an issue where mod_security was blocking form submits that included code.

    It seemed that whenever the server received a POST request that contained a lot of triangle brackets and matched some code rules/regex, it took me to a 403 Forbidden error.

    This was an issue because I have a particular form in the Admin panel of our sites that allows the site administrator to add Google Analytics or Google Tag Manager ads. I wrote my own special sanitization for these fields to prevent injection.

    However, Apache still blocked these after my upgrade, so I went into WHM and looked at the "Hits List" in the Security Center => ModSecurity Tools.

    I ended up disabling 6 rules here, and now it works. See screenshot.

    The problem is, I feel like I "cured a headache with an axe" here. I didn't see a way of modifying these rules in WHM to my own custom ones; moreover, I'm not too familiar with writing SecRules.

    Based on my screenshot, what can be surmised about the importance of the rules I disabled? Is there any way to just exclude a particular POST request or whitelist the one form where I want to do this?

    WHM/cPanel version 76.0.20
     
    #1 orvn, Feb 16, 2019
    Last edited by a moderator: Feb 18, 2019
  2. cPanelMichael

    Hello @orvn,

    Can you browse to WHM >> ModSecurity™ Vendors and verify if there's a specific third-party rule-set that's enabled on this system? For instance, are you using the OWASP rule-set?

    Thank you.
     
  3. orvn

    Yes, so it says I have the OWASP ModSecurity Core Rule Set V3.0 (SpiderLabs OWASP curated ModSecurity) rule set with 17/22 enabled rules.
     
  4. rpvw

    You might like to have a look at the free ConfigServer ModSecurity Control (cmc).

    It would allow you to disable individual rules for specific (cPanel) users rather than making global changes. (You can make global, per cPanel user or per hosted domain changes as well)
     
    #4 rpvw, Feb 21, 2019
    Last edited: Feb 21, 2019
  5. cPanelMichael

    Hello @orvn,

    The OWASP rule set (like any custom ruleset) comes with a risk of false positives. We document a description of the specific rule groups along with instructions on what to do when you encounter a false positive at:

    OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation

    If you want an easy way to only disable specific rules on individual accounts, the plugin noted in the previous post is indeed a useful tool to do this.

    Thank you.
     
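One way to do what the original question asks ("exclude a particular POST request or whitelist the one form") without disabling the rules globally, written here as an added example that is not from the thread, cPanel or the CRS project: a ModSecurity rule-exclusion scoped to one URI, one method and the two form fields. The form path `/admin/tracking-settings`, the field names `ga_snippet`/`gtm_snippet` and the rule IDs `999001`/`999002` are placeholders; the real IDs are the ones shown in the WHM Hits List screenshot.

```apache
# Added example (not from the thread). Scoped false-positive exclusion for one
# admin form. PLACEHOLDERS: /admin/tracking-settings (form URI), ga_snippet and
# gtm_snippet (the two textarea fields), 999001 and 999002 (stand-ins for the CRS
# rule IDs listed in WHM's Hits List; they are not real CRS IDs).
# Assumption: this goes in the custom rules file that is loaded BEFORE the OWASP
# CRS includes (on cPanel, WHM >> ModSecurity Tools >> Rules List edits
# modsec2.user.conf). ctl: actions only affect rules evaluated after them.
# Custom rule IDs must not collide with CRS IDs; 1-99,999 is reserved for users.

# What disabling a rule in the Hits List amounts to: the rule is gone for every
# request, every parameter and every site on the server. Avoid this.
#   SecRuleRemoveById 999001 999002

# Scoped version: only this URI, only POST, only the two snippet fields.
# ctl:ruleRemoveTargetById removes just ARGS:<field> from the named rules'
# inspection targets, so those rules still run against every other argument,
# header and cookie of the same request (and all other requests).
SecRule REQUEST_FILENAME "@streq /admin/tracking-settings" \
    "id:10001,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        ctl:ruleRemoveTargetById=999001;ARGS:ga_snippet,\
        ctl:ruleRemoveTargetById=999001;ARGS:gtm_snippet,\
        ctl:ruleRemoveTargetById=999002;ARGS:ga_snippet,\
        ctl:ruleRemoveTargetById=999002;ARGS:gtm_snippet"
```

After adding the rule, re-submit the form and confirm the Hits List no longer records a hit for it, while a request carrying the same payload in any other parameter or to any other URI is still blocked.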
  6. orvn

    Thanks! That type 1 error doc is really useful.

    Man, looking through some of these OWASP rules I feel very grateful for the time and thought you guys and all the folks at OWASP put into this production-quality stuff. Thanks for your hard work.
     