Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

mod_security and false positive?

Discussion in 'Security' started by upsforum, Nov 27, 2013.

  1. upsforum

    upsforum Well-Known Member

    Joined:
    Jul 27, 2005
    Messages:
    471
    Likes Received:
    0
    Trophy Points:
    166
    I have this rule that block any ip of my customer, but is a false positive? I don't understand what do it

    Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "38"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. upsforum

    upsforum Well-Known Member

    Joined:
    Jul 27, 2005
    Messages:
    471
    Likes Received:
    0
    Trophy Points:
    166
    These are actions that trig this rule of modsec:


    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:55 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto%20450_bis2_2.jpg HTTP/1.1" 404 - "-" "-"
    37.XXX.XXX.194 - - [27/Nov/2013:11:18:56 +0100] "PROPFIND /foto207.jpg HTTP/1.1" 404 - "-" "-"

    PROPFIND is for webdav service? is normally that modsec block these requests?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice