The Community Forums


Mod security and Google's Tag Manager - false positives preventing page access

Discussion in 'Security' started by morrow95, Jan 8, 2015.

  1. morrow95

    morrow95 Well-Known Member

    Trying out Google's tag manager this afternoon and found that any pages with the script throw a 406 error. In turn the rest of the site cannot be accessed either (regardless if the tag is present on them or not) because of that. Say I have the script on a test page, test.htm, it will load and work fine the first view. Any refresh of that page or even going to another page (ones without the script on them) will then throw a 406.

    I am assuming the problem has to do with the cookie set by Google (since the pages will load again after the browser is closed and reopened). Google tag manager allows you to set analytics, adwords, conversion tracking, remarketing, etc all with one tag rather than separate scripts for each.

    It appears that mod security is the culprit. Here is an example entry:

    2015-01-07 20:06:03 www.test.com CRITICAL 406
     959901: SQL Injection Attack
      GET /test.htm

    and then from the logs:

    [Wed Jan 07 22:51:11.747896 2015] [:error] [pid 30577] [client] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "959901"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname ""] [uri "/error.htm"] [unique_id "VK3@r2B-guIAAHdxu0AAANfsdf

    ... and this could be related as well. The whole reason I decided to use Google Tag Manager in the first place is Google Adwords kept reporting gclid errors; however, this was from using the normal script and not tag manager:

    2014-12-31 16:09:09 www. CRITICAL 501
     959006: System Command Injection
      GET /?gclid=CO2jqKWY8cICFVgWjgodLZ8AzA

    I would assume this is a common problem since most hosts have mod security enabled... what is the solution here if any? I have never really had any problems, that I know of, with mod security up until this.
    #1 morrow95, Jan 8, 2015
    Last edited: Jan 8, 2015
  2. quizknows

    quizknows Well-Known Member

    I would probably comment out that rule or whitelist that rule ID. It's pretty common to have to whitelist a few rules here and there.
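
Before whitelisting rule 959901, it helps to know which cookie actually trips it, which can be checked by replaying the pattern from the log against a Cookie header. This is an added example, not part of the original posts: the regex is unescaped from the log line on the assumption that backslashes are doubled there, the cookie names and values are constructed, and any transformations the rule applies are not modelled.

```python
import re

# Rule 959901 pattern as reported in the log above, with the doubled
# backslashes removed (assumption about the log's escaping).
RULE_959901 = re.compile(
    r"""\b(\d+) ?= ?\1\b|['"](\w+)['"] ?= ?['"]\2\b"""
)


def offending_cookies(cookie_header):
    """Return (cookie_name, matched_text) for each place the rule fires.

    The pattern is run over the whole header, which is what the log says
    ModSecurity inspected (REQUEST_HEADERS:Cookie), and each match offset
    is mapped back to the cookie pair that contains it.
    """
    spans = []
    pos = 0
    for pair in cookie_header.split(";"):
        name = pair.strip().split("=", 1)[0]
        spans.append((pos, pos + len(pair), name))
        pos += len(pair) + 1  # step over the ';' separator

    hits = []
    for match in RULE_959901.finditer(cookie_header):
        for start, end, name in spans:
            if start <= match.start() < end:
                hits.append((name, match.group(0)))
                break
    return hits


# Constructed sample headers (not taken from the thread).
# A cookie whose name ends in "-1" and whose value is "1" yields "1=1".
SAMPLE_BLOCKED = "PHPSESSID=abc123; example_tag_UA-0000000-1=1; lang=en"
# Same cookie with a name ending in "-2": "2=1" is not a tautology.
SAMPLE_CLEAN = "PHPSESSID=abc123; example_tag_UA-0000000-2=1; lang=en"
# Second alternative of the pattern: identical quoted words around "=".
SAMPLE_QUOTED = "pref='a'='a'; lang=en"

if __name__ == "__main__":
    for header in (SAMPLE_BLOCKED, SAMPLE_CLEAN, SAMPLE_QUOTED):
        print(header, "->", offending_cookies(header))
```

Running the same function over Cookie headers captured from a blocked request shows whether a single cookie is responsible, so the exclusion can be kept as narrow as the ModSecurity configuration allows.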
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
