Mod Security Rule help

Discussion in 'Security' started by mickalo, Jan 11, 2007.

  1. mickalo (Well-Known Member, joined Apr 16, 2002; N.W. Iowa)

    Hello,

    we have a particular mod_security rule:
    Code:
    # php injections
    SecFilterSelective ARGS_VALUES "[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
    
    that is blocking various domains when they use their Perl bulk mailer, which has worked for quite some time with no problems, but lately they are getting blocked via the CSF firewall when it triggers the mod_security settings. Here is a snip from the audit log:
    Code:
    ==59a76e3d==============================
    Request: www.userdomain.com IP_ADDRESS - - [10/Jan/2007:21:12:19 -0600] "POST /scgi-bin/mailermem.cgi HTTP/1.1" 406 360 "http://www.winning-trader.com/scgi-bin/mailermem.cgi?access=377a88b223dc45e6&action=process" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)" - "-"
    ----------------------------------------
    POST /scgi-bin/mailermem.cgi HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-us
    Cache-Control: no-cache
    Connection: Keep-Alive
    Content-Length: 410999
    Content-Type: application/x-www-form-urlencoded
    Cookie: trader_admin=377a88b223dc45e6
    Host: www.userdomain.com
    Referer: http://www.userdomain.com/scgi-bin/mailermem.cgi?access=377a88b223dc45e6&action=process
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
    mod_security-action: 406
    mod_security-message: Access denied with code 406. Pattern match "[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@" at ARGS_VALUES("message")
    
    410999
    access=377a88b223dc45e6&action=sendmailer&format=html&subject=Thursday%27s+Trading+Update
    &message= .........
    
    I have been trying to figure out how to change the rule so they don't trigger the mod_security rule, but I'm not having much luck .... or should I remove this rule? :confused:

    TIA,
    Mickalo
     
  2. wolfy (Well-Known Member, joined Jul 20, 2005; Canada)

    The posted rule appears to check whether the To, Cc or Bcc headers are malformed or missing. Check one of the bulk mailer's headers and confirm that all fields are formed correctly.
     
  3. mickalo (Well-Known Member, joined Apr 16, 2002; N.W. Iowa)

    That's what I thought too, but I couldn't find anything wrong. Is there some specific format it's looking for here? The mailer never uses a Bcc header, but it does use a Cc header on occasion.

    The rule was triggered by the user who is authorized to use the mailer (their IP matched), so it wasn't some outside source attempting to use it.

    TIA,
    Mickalo
     
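The audit log above says where the match happened: `ARGS_VALUES("message")`, i.e. the body of the POST parameter `message`, not the mail headers the mailer emits. The pattern `[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@` has a vacuous leading `[[:space:]]*` (zero characters satisfy it), so it really fires on any `to:`, `cc:` or `bcc:` anywhere in the value followed later on the same line by an `@`. An HTML newsletter with a `mailto:` link satisfies that, as does an ordinary caption like `Photo: ... @...`. The script below is an added example, not code from the thread, cPanel or ModSecurity; it re-implements the rule's regex in Python (`[[:space:]]` translated to `\s`; ModSecurity 1.x used PCRE, so `.` does not cross a newline, same as Python's `re`), runs it over constructed sample field values, and compares it with an anchored variant that only fires when the header name starts a line, which is what a real header-injection payload (`subject=...%0ABcc:victim@...`) looks like. Case-insensitive matching is an assumption here; check how your ModSecurity build normalises input.

```python
import re

# The thread's ModSecurity 1.x pattern, translated to Python re syntax.
# [[:space:]] -> \s. The leading \s* matches zero characters, so the
# effective test is "(to|bcc|cc)\s*:" followed somewhere on the same line
# by "@". re.I is an assumption about the engine's case handling.
ORIGINAL = re.compile(r"\s*(to|bcc|cc)\s*:.*@", re.I)

# Suggested tightening (mine, not from the thread): the header name must
# begin the value or follow a CR/LF. Injected headers are always on a new
# line, while "mailto:" links and words such as "Photo:" are not.
ANCHORED = re.compile(r"(?:^|[\r\n])[ \t]*(to|bcc|cc)[ \t]*:.*@", re.I)

# Constructed sample values for the "message" parameter; none are taken
# from the audit log in the thread.
SAMPLES = {
    # legitimate HTML newsletter with a contact link: false positive for ORIGINAL
    "html_newsletter": '<p>Questions? <a href="mailto:editor@example.com">write us</a></p>',
    # legitimate plain-text body: neither rule should fire
    "plain_newsletter": "Thursday's trading update: markets closed mixed.",
    # header injection attempt: both rules must fire
    "header_injection": "Hello\r\nBcc: victim@example.org\r\n\r\nspam body",
    # ordinary caption containing "to:" and "@": false positive for ORIGINAL
    "photo_caption": "Photo: taken by @trader on Thursday",
}


def matches(rule, value):
    """True when the rule would block this parameter value."""
    return rule.search(value) is not None


def evaluate(rule):
    """Map each sample name to whether the given rule blocks it."""
    return {name: matches(rule, value) for name, value in SAMPLES.items()}


def false_positives(rule):
    """Sample names the rule blocks although they are not injections."""
    return sorted(
        name for name, blocked in evaluate(rule).items()
        if blocked and name != "header_injection"
    )


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL), ("anchored", ANCHORED)):
        print(label, evaluate(rule), "false positives:", false_positives(rule))
```

Running it shows the original pattern blocking the `mailto:` newsletter and the caption while the anchored form blocks only the injected `Bcc:` line. Whichever way the rule is adjusted, a regex on the message body is only a backstop: the mailer itself should validate its recipient fields and strip CR/LF from anything it places in a header. If the site's mailer is trusted and authenticated, ModSecurity 1.x also lets the rule be removed for just that script (rule `id` action plus `SecFilterRemove` inside a `<Location>` block); consult the manual for the installed version before relying on that.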