hrace009

Hello,
Some of my clients are running XenForo, and I need to whitelist modsec rules by ID.
The information I got from ModSec Tools is this message:
Code:
Request: POST /index.php?editor/to-bb-code
Action Description: Access denied with redirection to http://www.domain.com/ using status 302 (phase 2).
Justification: detected XSS using libinjection.
In my opinion, we need to remove the modsec IDs for the path
Code:
/index.php?editor/to-bb-code
I have tried to add a modsec whitelist with the following LocationMatch
Code:
<LocationMatch "/index.php?editor/to-bb-code">
  # The rule IDs below break XenForo post editing
  SecRuleRemoveById 973343
  SecRuleRemoveById 973340
  SecRuleRemoveById 981257
  SecRuleRemoveById 981245
  SecRuleRemoveById 981243
</LocationMatch>
It still does not work.

If I change it to be like this:
Code:
<LocationMatch "/index.php">
It works perfectly, but it will whitelist index.php globally.

Is there a way to whitelist only /index.php?editor/to-bb-code?

Thank you
 

quizknows

I don't think LocationMatch can accept query strings, unfortunately. See the link below. What comes after the question mark is PHP arguments (the query string) and not a real "location" to Apache. There would be ways to customize the rules themselves for this, but I don't really recommend that unless you are an advanced user. What I would do personally is just apply the list that works to the one domain only in an includes file. ConfigServer ModSec Control is great for this; you can make the exceptions for just one domain.

Apache permissions based on querystring
 

hrace009

Hi, thanks for the reply.
Yes, I have read that before. When searching on Google, I saw there is a trick for it, but I forgot to save the link. Maybe I should take a look again.

Do you use CMC?
ConfigServer ModSecurity Control (cmc)

Using that you can disable rules per domain.
Hi, thanks for the reply.
Yes, I use CMC. I have seen posts saying that LocationMatch can only be used without a query. Disabling per domain is a good choice, and I have tried it. But I think it is still better if it targets the path that is hit by ModSec. There is a trick for that; I have seen it on Google before, and I forgot to save the link. I should take a look at it again.
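
A rule-level exception scoped to the one request discussed in this thread, as an added example that is not part of the original posts: a chained `SecRule` matches the method, the script path and the query string, and only then uses ModSecurity's `ctl:ruleRemoveById` action to switch off the five IDs from the first post for that transaction. It assumes ModSecurity 2.x; the rule id 1000001 is a placeholder, so pick any id not already in use on the server.

```apache
# Added example, not from the thread.
# Goes in the ModSecurity include for the affected domain only.
# id:1000001 is a placeholder; choose an id that is unused on this server.
#
# The chain runs in phase 1, so the ctl actions are applied before the
# phase 2 rules reported in the ModSec Tools message are evaluated.
# All three conditions must match, so every other request to index.php
# is still inspected by the full rule set.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000001,phase:1,t:none,pass,nolog,chain"
    SecRule REQUEST_FILENAME "@endsWith /index.php" \
        "t:none,chain"
        SecRule QUERY_STRING "@beginsWith editor/to-bb-code" \
            "t:none,\
            ctl:ruleRemoveById=973343,\
            ctl:ruleRemoveById=973340,\
            ctl:ruleRemoveById=981257,\
            ctl:ruleRemoveById=981245,\
            ctl:ruleRemoveById=981243"
```

Swapping `nolog` for `log,msg:'XenForo editor exception applied'` while testing writes an audit entry each time the exception fires, which confirms the chain matches only the editor request.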