mod-security denying post method due to client's text matching pattern

Operating System & Version
centos 7
cPanel & WHM Version
11.104.0

nishu_pixofix

Member
May 11, 2022
5
1
3
BD
cPanel Access Level
Root Administrator
I have a PHP application where a form has an HTML textarea tag to collect multiline text. One of our clients was having trouble posting, and we couldn't recreate the issue until we tried the exact text.

After much checking I found the following in modsec_audit.log:


ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\\\\\\\n|\\\\\\\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\\\\\s+" at MATCHED_VAR. [file "/var/cpanel/cwaf/rules/12_HTTP_Protocol.conf"] [line "137"]



Basically, the client tried to input a multiline text where the first word in a line was "Delete". So I guess having \r\nDelete in the POST data triggered the pattern match.

Now I assume the rule is important for security, as those command keywords in the matching criteria could do harm if unchecked, but at the same time it's not feasible to ask the client not to start a line with these and these words, so how should I handle the situation?

The question is also posted here:
https://serverfault.com/questions/1...t-method-due-to-clients-text-matching-pattern
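
To reproduce the false positive from the post above offline, here is an added example (not part of the original post and not cPanel or ModSecurity code) that runs the logged pattern over a textarea value and reports which lines would trip the rule. It assumes the log's backslash escaping reduces to plain `\n`, `\r` and `\s`, and that the rule matches case-insensitively; `find_triggers` and the sample text are constructed for illustration.

```python
import re

# Regex from the audit log entry above with the log's backslash escaping
# removed. Assumptions: the rule uses plain \n, \r and \s, and matches
# case-insensitively (consistent with "Delete" being blocked). A capture
# group is added around the keyword list so the keyword can be reported.
RULE = re.compile(
    r"(?:\n|\r)+(get|post|head|options|connect|put|delete|trace|propfind"
    r"|propatch|mkcol|copy|move|lock|unlock)\s+",
    re.IGNORECASE | re.ASCII,
)


def find_triggers(field_value):
    """Return (line_number, keyword, line_text) for each rule match."""
    lines = field_value.splitlines()
    hits = []
    for m in RULE.finditer(field_value):
        # Lines fully before the keyword give its 1-based line number.
        line_no = len(field_value[: m.start(1)].splitlines()) + 1
        hits.append((line_no, m.group(1).lower(), lines[line_no - 1]))
    return hits


# Constructed sample of a multiline textarea submission (not real client data).
SAMPLE = (
    "Hello team,\r\n"
    "Delete the old invoice and send a new one.\r\n"
    "Deleted items are fine.\r\n"
    "Please copy me on the reply.\r\n"
    "Move fast."
)

if __name__ == "__main__":
    for line_no, keyword, text in find_triggers(SAMPLE):
        print(f"line {line_no}: '{keyword}' at line start -> {text!r}")
```

Only a listed keyword that directly follows a line break and is followed by whitespace matches, so "Deleted items" and a keyword on the first line or in the middle of a line pass.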
 

nishu_pixofix

Thank you for your kind response!

It's interesting to learn about the IP whitelist feature, so, thanks! But I'm afraid it won't be possible to fixate on a specific client or a specific IP, for that matter.

I was following the mod security rule link to get a better understanding, but when I logged in to WHM and went to the rule page, it's empty and saying you have no rules (screenshot attached).

Even searching by a rule ID from the hit list is not producing any result. Am I missing something here? Thanks!
 


nishu_pixofix

That's definitely interesting. Since the tool is flagging content based on rules, I'm guessing there is some type of ruleset installed. Can you confirm that is in place in WHM >> ModSecurity Vendors?
Yes, thank you for pointing me the way. I found one on that page (please see attachment), but it's also saying that the vendor is not installed!

Now, I'm not too familiar with the overall procedure, but I'm wondering how it's working if it's not installed or something!

TIA!
 


nishu_pixofix

This gets more interesting as we go! It might be worth submitting a ticket to our team so we can see what is happening directly on the system.
Understood, I'll submit a technical support request (I guess that's the one you're talking about; I've never submitted a ticket here before).

Thanks for your guidance!
 