ModSecurity 2.7.3 Issues

[bspiller]

It appears that the rule ID "1234123456" is causing issues with WHMCS 5.2.5 giving false Positives. On June 30th, 2013 the issue was not there. The next day July 1st, 2013 the issue created itself and started reporting the following. Mind you these issues never occurred before July 1st, 2013. I have had to temporary disable this rule just to get my support tickets to work in all my WHMCS installations.

[email protected] [~]# cat /usr/local/apache/logs/error_log |grep 75.125.126.8
[Mon Jul 01 16:19:38.431546 2013] [:error] [pid 9660] [client 75.125.126.8] ModSecurity: Multipart parsing error: Multipart: Failed to create file: /root/tmp/20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR [hostname "billing.domain.com"] [uri "/admin/supporttickets.php"] [unique_id "UdHyaq6F2KIAACW8qysAAAAO"]
[Mon Jul 01 16:19:38.431681 2013] [:error] [pid 9660] [client 75.125.126.8] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"] [hostname "billing.domain.com"] [uri "/admin/supporttickets.php"] [unique_id "UdHyaq6F2KIAACW8qysAAAAO"]

Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"]

[01/Jul/2013:16:19:38 --0500] UdHyaq6F2KIAACW8qysAAAAO 75.125.126.8 33903 174.133.216.173 443
--9871a712-B--
POST /admin/supporttickets.php?action=openticket HTTP/1.1
Host: billing.domain.com
Connection: keep-alive
Content-Length: 1119
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: /https://billing.domain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndUiMgWrYJ0qTQtY
Referer: /https://billing.domain.com/admin/supporttickets.php?action=open
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: sortdata=YToyOntzOjIxOiJzdXBwb3J0dGlja2V0c29yZGVyYnkiO3M6OToibGFzdHJlcGx5IjtzOjE5OiJzdXBwb3J0dGlja2V0c29yZGVyIjtzOjM6IkFTQyI7fQ%3D%3D; WHMCSdqSJIXkuAJtn=63e407707429da6c82d5b4e2226500b6; WHMCSFD=YToxOntzOjE0OiJzdXBwb3J0dGlja2V0cyI7YTo2OntzOjQ6InZpZXciO3M6MDoiIjtzOjY6ImRlcHRpZCI7czowOiIiO3M6NjoiY2xpZW50IjtzOjA6IiI7czo3OiJzdWJqZWN0IjtzOjA6IiI7czo1OiJlbWFpbCI7czowOiIiO3M6MzoidGFnIjtzOjA6IiI7fX0%3D

--9871a712-C--
------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="token"

2fcece0fe640d67163212a823b23937546b03e66
------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="client"


------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="name"

Aaron H
------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="email"

name @ gmail.com
------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="ccemail"


------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="deptid"

2
------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="subject"

Test
------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="priority"

High
------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="message"

Test


------WebKitFormBoundaryndUiMgWrYJ0qTQtY
Content-Disposition: form-data; name="attachments[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryndUiMgWrYJ0qTQtY--

--9871a712-F--
HTTP/1.1 500 Internal Server Error
Content-Length: 667
Connection: close
Content-Type: text/html; charset=iso-8859-1

--9871a712-H--
Message: Multipart parsing error: Multipart: Failed to create file: /root/tmp/20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR
Message: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"]
Action: Intercepted (phase 2)
Stopwatch: 1372713578430722 1415 (- - -)
Stopwatch2: 1372713578430722 1415; combined=32, p1=1, p2=21, p3=0, p4=0, p5=9, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.7.3 ([url=http://www.modsecurity.org/]ModSecurity: Open Source Web Application Firewall[/url]).
Server: Apache
Engine-Mode: "ENABLED
Activity

 

[cPanelMichael]

Hello

Have you considered excluding that single account from that specific Mod_Security rule? That would allow you to keep the rule active for other accounts, while allowing your WHMCS to function normally.

Thank you.

 

[bspiller]

Hello

Have you considered excluding that single account from that specific Mod_Security rule? That would allow you to keep the rule active for other accounts, while allowing your WHMCS to function normally.

Thank you.

I did a Global disable because other accounts had the same issue that I saw in the logs. IT appears to be a bug because it worked before July 1sts update or what ever it did.

 

[cPanelMichael]

Per the support ticket opened, it was determined that the specific rule you referenced is not a standard rule included by default when Mod_Security is enabled with EasyApache. Are you using a third-party application that implements custom Mod_Security rules? If so, you may want to temporarily disable it or consult with the application that enables that rule to determine if it should remain a part of the custom rules list.

Thank you.

 

[bspiller]

Per the support ticket opened, it was determined that the specific rule you referenced is not a standard rule included by default when Mod_Security is enabled with EasyApache. Are you using a third-party application that implements custom Mod_Security rules? If so, you may want to temporarily disable it or consult with the application that enables that rule to determine if it should remain a part of the custom rules list.

Thank you.

No Mod Security Addon just displays the log files and ModSec control just allows you an interface to add Rulesets to disable or the ability to disable MiodSec on a users account. None of those add custom rulesets. So this new rule was added when I updated my EastApache to remove FrontPage extensions. After which I had all the issues.

 

[quizknows]

Far as I can tell, /usr/local/apache/conf/modsec2.conf is generated by EA with that rule (MULTIPART_STRICT_ERROR) in it, regardless of the users ruleset.

From my EA build logs:

-- Begin step 'Setting up modsec conf file in httpd.conf' --
-- End step 'Setting up modsec conf file in httpd.conf' --

-- Begin step 'Updating modsec2 conf file for multipart_stric_error ruleset' --

It then goes on to check the actual rules files that I include.

So, I don't know who was working on OP's ticket, but the EA logs on every server I've seen show that EA does add this rule.

 

[quietFinn]

Per the support ticket opened, it was determined that the specific rule you referenced is not a standard rule included by default when Mod_Security is enabled with EasyApache.

The rule is added by EasyApache:
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/EasyapacheModsecurity#Automatic Patches in _ModSecurit

 

[bspiller]

Well this rule is preventing me from running my WHMCS now and my fellow clients WHMCS. It's blocking them from creating support tickets or responding to support tickets.

 

[quizknows]

Seems like you've already whitelisted it, or I'd help you with that.

I'd complain to WHMCS for this one, tell them their software is tripping WAF's with legit requests, likely due to missing parts of the request header or HTTP protocol standards. It's paid software, and that's just sloppy IMO.

 

[cPanelMichael]

I do see this rule is in-fact included with Mod_Security as part of EasyApache. It's inclusion is documented at:

EasyApache: mod_security Module

I noted this in the support ticket (#4284171) the original poster opened. I recommend consulting with WHMCS as the other poster advised to see why it's use is triggering this rule.

Thank you.

 

[quizknows]

Looking at this further I don't think this is a WHMCS problem. From your error:

Message: Multipart parsing error: Multipart: Failed to create file: /root/tmp/20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR
Message: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"]
Action: Intercepted (phase 2)

Here's the important part:

Failed to create file: /root/tmp/20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR

This means mod_security is trying to use /root/tmp for temp data to process requests, but it cannot write there.

Since I normally wouldn't advise giving apache write access to anything in /root/, I'd add this to your modsec2.user.conf file:

SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On

This should fix your problem. (edit, you do have to restart apache for modsecurity changes to take effect, assuming you know that, but mentioning it just in case.)

 

[sahostking]

Exact same issue experienced here.

We do not see that error creating the tmp files though.

ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 1, IP 0, IH 0, FL 0"] [hostname "domainname"] [uri "/wp-admin/async-upload.php"] [unique_id "Ufjd98XyRKIADXYwZUsAAAAD"]

 

[quizknows]

IQ 1 = invalid quoting in the request.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-MULTIPART_STRICT_ERROR