Mod security and Google's Tag Manager - false positives preventing page access

morrow95

Well-Known Member
Oct 8, 2006
146
6
168
Trying out Google's tag manager this afternoon and found that any pages with the script throw a 406 error. In turn the rest of the site cannot be accessed either (regardless if the tag is present on them or not) because of that. Say I have the script on a test page, test.htm, it will load and work fine the first view. Any refresh of that page or even going to another page (ones without the script on them) will then throw a 406.

I am assuming the problem has to do with the cookie set by Google (since the pages will load again after the browser is closed and reopened). Google tag manager allows you to set analytics, adwords, conversion tracking, remarketing, etc all with one tag rather than separate scripts for each.

It appears that mod security is the culprit. Here is an example entry :

Code:
2015-01-07 20:06:03 www.​test.​com 111.111.111.111 CRITICAL 406 

 ✏ 959901: SQL​ Injection​ Attack  

 Hide   

  GET /​test.htm
and then from the logs :

[Wed Jan 07 22:51:11.747896 2015] [:error] [pid 30577] [client 111.111.111.111] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "959901"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.test.com"] [uri "/error.htm"] [unique_id "[email protected]

... and this could be related as well. The whole reason I decided to use Google Tag Manager in the first place is Google Adwords kept reporting glcid errors, however, this was from using the normal script and not tag manager :

Code:
2014-12-31 16:09:09 www.​test.com 222.222.222.222 CRITICAL 501 

 ✏ 959006: System​ Command​ Injection  

 Hide   

  GET /​?​gclid​=​CO2jqKWY8cICFVgWjgod​LZ8AzA

I would assume this is a common problem since most hosts have mod security enabled... what is the solution here if any? I have never really had any problems, that I know of, with mod security up until this.
 
Last edited:

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
I would probably comment out that rule or whitelist that rule ID. It's pretty common to have to whitelist a few rules here and there.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,912
2,241
363