The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Mod Security+csf Blocking picture upload scripts such as that in wordpress?

Discussion in 'Security' started by noimad1, Jun 29, 2008.

  1. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Anyone else having problems with mod_security + csf having legitimate customers getting blocked when using image upload scripts like that found in wordpress?

    I've been getting a few customers each week calling me with their IP address being blocked. When I look in the mod security rules it says:

    But I can't find the rule that is causing this? Anyone else have this problem?
     
  2. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    You need to check in the mod_security log in /etc/httpd/logs for the rule that triggered the hit; it's easy enough to fix from there.
     
  3. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16

    Brian,

    Thanks for the response. That's normally what I would do, but that excerpt is from the logs....all it says is:

    Access denied with code 403. Error processing request body: Multipart: final boundary missing [severity "EMERGENCY"]

    That's why I can't find the rule...
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,468
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    What rule sets /apache ver are you using? Have you searched them for something simple like 403 ?
     
  5. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    If there aren't IDs associated with each rule, it's nearly impossible to search for them amongst a ton of rules in a conf file. 403 is all over the place in my conf file as well. I had gotten my rules from hostmerit or something and they did not contain IDs. So when something triggers, it's a hit or miss best guess oftentimes when trying to figure out exactly what rule was triggered.

    Mike
     
  6. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    I'm using the modsecurity_1 with the hostmerit rules as well as a few of my own custom rules.

    How do you go about adding id's to them? Sounds like something that would take me forever....lol.

    I've been googling that error, and apparently I'm not the only one this is happening to. It is to the point where a large majority of people are disabling the secfilter stuff in their .htaccess file. I certainly don't want users having to bypass my mod_security rules...
     
  7. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Without doing any research I'm just wondering whether that's an inbuilt rule. It sounds like the incoming data is mangled if a mime boundary tag is missing? Is that possible? Or maybe you are hitting a mod_security bug?

    You could always go through your rules and apply tags to them all. The message you're seeing now, without any rule description, implies an internal rule to me though.
     
  8. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Yea, that's kind of what I was thinking. I've been looking a little more into it, and it seems to be affecting any "flash"-style upload utilities, such as the one in the new version of wordpress, and I think I saw one that was in joomla. I haven't looked into whether this upload utility uses ajax or what, but I think it has some sort of Flash front end interface....
     
Loading...

Share This Page