ModSecurity 2.7.3 Issues

Discussion in 'Security' started by bspiller, Jul 2, 2013.

  1. bspiller

    It appears that the rule ID "1234123456" is causing issues with WHMCS 5.2.5, giving false positives. On June 30th, 2013 the issue was not there. The next day, July 1st, 2013, the issue created itself and started reporting the following. Mind you, these issues never occurred before July 1st, 2013. I have had to temporarily disable this rule just to get my support tickets to work in all my WHMCS installations.

    Code:
    root@swift [~]# cat /usr/local/apache/logs/error_log |grep 75.125.126.8
    [Mon Jul 01 16:19:38.431546 2013] [:error] [pid 9660] [client 75.125.126.8] ModSecurity: Multipart parsing error: Multipart: Failed to create file: /root/tmp/20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR [hostname "billing.domain.com"] [uri "/admin/supporttickets.php"] [unique_id "UdHyaq6F2KIAACW8qysAAAAO"]
    [Mon Jul 01 16:19:38.431681 2013] [:error] [pid 9660] [client 75.125.126.8] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"] [hostname "billing.domain.com"] [uri "/admin/supporttickets.php"] [unique_id "UdHyaq6F2KIAACW8qysAAAAO"]
    
    Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"]
    
    [01/Jul/2013:16:19:38 --0500] UdHyaq6F2KIAACW8qysAAAAO 75.125.126.8 33903 174.133.216.173 443
    --9871a712-B--
    POST /admin/supporttickets.php?action=openticket HTTP/1.1
    Host: billing.domain.com
    Connection: keep-alive
    Content-Length: 1119
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Origin: https://billing.domain.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Referer: https://billing.domain.com/admin/supporttickets.php?action=open
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Cookie: sortdata=YToyOntzOjIxOiJzdXBwb3J0dGlja2V0c29yZGVyYnkiO3M6OToibGFzdHJlcGx5IjtzOjE5OiJzdXBwb3J0dGlja2V0c29yZGVyIjtzOjM6IkFTQyI7fQ%3D%3D; WHMCSdqSJIXkuAJtn=63e407707429da6c82d5b4e2226500b6; WHMCSFD=YToxOntzOjE0OiJzdXBwb3J0dGlja2V0cyI7YTo2OntzOjQ6InZpZXciO3M6MDoiIjtzOjY6ImRlcHRpZCI7czowOiIiO3M6NjoiY2xpZW50IjtzOjA6IiI7czo3OiJzdWJqZWN0IjtzOjA6IiI7czo1OiJlbWFpbCI7czowOiIiO3M6MzoidGFnIjtzOjA6IiI7fX0%3D
    
    --9871a712-C--
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="token"
    
    2fcece0fe640d67163212a823b23937546b03e66
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="client"
    
    
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="name"
    
    Aaron H
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="email"
    
    name @ gmail.com
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="ccemail"
    
    
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="deptid"
    
    2
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="subject"
    
    Test
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="priority"
    
    High
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="message"
    
    Test
    
    
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY
    Content-Disposition: form-data; name="attachments[]"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryndUiMgWrYJ0qTQtY--
    
    --9871a712-F--
    HTTP/1.1 500 Internal Server Error
    Content-Length: 667
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    --9871a712-H--
    Message: Multipart parsing error: Multipart: Failed to create file: /root/tmp/20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR
    Message: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"]
    Action: Intercepted (phase 2)
    Stopwatch: 1372713578430722 1415 (- - -)
    Stopwatch2: 1372713578430722 1415; combined=32, p1=1, p2=21, p3=0, p4=0, p5=9, sr=0, sw=1, l=0, gc=0
    Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/).
    Server: Apache
    Engine-Mode: "ENABLED
     
  2. cPanelMichael

    Hello :)

    Have you considered excluding that single account from that specific Mod_Security rule? That would allow you to keep the rule active for other accounts, while allowing your WHMCS to function normally.

    Thank you.
     
  3. bspiller

    I did a global disable because other accounts had the same issue that I saw in the logs. It appears to be a bug because it worked before the July 1st update or whatever it did.
     
  4. cPanelMichael

    Per the support ticket opened, it was determined that the specific rule you referenced is not a standard rule included by default when Mod_Security is enabled with EasyApache. Are you using a third-party application that implements custom Mod_Security rules? If so, you may want to temporarily disable it or consult with the application that enables that rule to determine if it should remain a part of the custom rules list.

    Thank you.
     
  5. bspiller

    No, Mod Security Addon just displays the log files, and ModSec Control just allows you an interface to add rulesets to disable or the ability to disable ModSec on a user's account. None of those add custom rulesets. So this new rule was added when I updated my EasyApache to remove FrontPage extensions, after which I had all the issues.
     
  6. quizknows

    Far as I can tell, /usr/local/apache/conf/modsec2.conf is generated by EA with that rule (MULTIPART_STRICT_ERROR) in it, regardless of the user's ruleset.

    From my EA build logs:

    -- Begin step 'Setting up modsec conf file in httpd.conf' --
    -- End step 'Setting up modsec conf file in httpd.conf' --

    -- Begin step 'Updating modsec2 conf file for multipart_stric_error ruleset' --

    It then goes on to check the actual rules files that I include.

    So, I don't know who was working on OP's ticket, but the EA logs on every server I've seen show that EA does add this rule.
     
    #6 quizknows, Jul 3, 2013
    Last edited: Jul 3, 2013
  7. quietFinn

  8. bspiller

    Well, this rule is preventing me from running my WHMCS now and my fellow clients' WHMCS. It's blocking them from creating support tickets or responding to support tickets.
     
  9. quizknows

    Seems like you've already whitelisted it, or I'd help you with that.

    I'd complain to WHMCS for this one, tell them their software is tripping WAFs with legit requests, likely due to missing parts of the request header or HTTP protocol standards. It's paid software, and that's just sloppy IMO.
     
  10. cPanelMichael

    I do see this rule is in fact included with Mod_Security as part of EasyApache. Its inclusion is documented at:

    EasyApache: mod_security Module

    I noted this in the support ticket (#4284171) the original poster opened. I recommend consulting with WHMCS as the other poster advised to see why its use is triggering this rule.

    Thank you.
     
  11. quizknows

    Looking at this further I don't think this is a WHMCS problem. From your error:

    Message: Multipart parsing error: Multipart: Failed to create file: /root/tmp/20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR
    Message: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"]
    Action: Intercepted (phase 2)

    Here's the important part:

    Failed to create file: /root/tmp/20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR

    This means mod_security is trying to use /root/tmp for temp data to process requests, but it cannot write there.

    Since I normally wouldn't advise giving apache write access to anything in /root/, I'd add this to your modsec2.user.conf file:

    SecUploadDir /tmp
    SecTmpDir /tmp
    SecDataDir /tmp
    SecRequestBodyAccess On

    This should fix your problem. (edit, you do have to restart apache for modsecurity changes to take effect, assuming you know that, but mentioning it just in case.)
     
    #11 quizknows, Jul 4, 2013
    Last edited: Jul 5, 2013
  12. sahostking

    Exact same issue experienced here.

    We do not see that error creating the tmp files though.

    ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 1, IP 0, IH 0, FL 0"] [hostname "domainname"] [uri "/wp-admin/async-upload.php"] [unique_id "Ufjd98XyRKIADXYwZUsAAAAD"]
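
Added example, not written by any poster in this thread: a Python triage script that groups error_log lines by unique_id, decodes the non-zero counters in the rule's msg, and separates the two cases reported above (PE 1 together with "Failed to create file", versus IQ 1 with no temp-file error). The names `triage`, `SAMPLE` and `FLAG_MEANING`, the short flag descriptions, and the server/request split are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Meaning of the two-letter counters in the rule's msg (non-zero = check failed).
FLAG_MEANING = {
    "PE": "body parser error", "BQ": "boundary quoted", "BW": "boundary whitespace",
    "DB": "data before", "DA": "data after", "HF": "header folding",
    "LF": "LF line", "SM": "missing semicolon", "IQ": "invalid quoting",
    "IP": "invalid part", "IH": "invalid header folding", "FL": "file limit exceeded",
}
UID_RE = re.compile(r'\[unique_id "([^"]+)"\]')
FLAGS_RE = re.compile(r'failed strict validation: ([^"]+)"')
PAIR_RE = re.compile(r"\b([A-Z]{2}) (\d+)")
TMPFAIL_RE = re.compile(r"Multipart: Failed to create file: (\S+)")

# error_log lines abridged from the two reports in this thread.
SAMPLE = [
    'ModSecurity: Multipart parsing error: Multipart: Failed to create file: /root/tmp/'
    '20130701-161938-UdHyaq6F2KIAACW8qysAAAAO-file-Q5jDoR [unique_id "UdHyaq6F2KIAACW8qysAAAAO"]',
    '[msg "Multipart request body failed strict validation: PE 1, BQ 0, BW 0, DB 0, '
    'DA 0, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0"] [unique_id "UdHyaq6F2KIAACW8qysAAAAO"]',
    '[msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, '
    'DA 0, HF 0, LF 0, SM 0, IQ 1, IP 0, IH 0, FL 0"] [unique_id "Ufjd98XyRKIADXYwZUsAAAAD"]',
]

def triage(lines):
    """Map unique_id -> (tripped flags, likely cause) for strict-validation denials."""
    tx = defaultdict(lambda: {"flags": [], "tmp_path": None})
    for line in lines:
        if not (uid := UID_RE.search(line)):
            continue
        entry = tx[uid.group(1)]
        if tmp := TMPFAIL_RE.search(line):
            entry["tmp_path"] = tmp.group(1)
        if msg := FLAGS_RE.search(line):
            entry["flags"] = [k for k, v in PAIR_RE.findall(msg.group(1)) if v != "0"]
    report = {}
    for uid, e in tx.items():
        if e["flags"] and e["tmp_path"]:  # parser failed on the server's own temp dir
            report[uid] = (e["flags"], "server: cannot write " + e["tmp_path"])
        elif e["flags"]:                  # the request itself failed a syntax check
            names = ", ".join(FLAG_MEANING.get(f, f) for f in e["flags"])
            report[uid] = (e["flags"], "request: " + names)
    return report

if __name__ == "__main__":
    for uid, (flags, cause) in triage(SAMPLE).items():
        print(uid, flags, cause)
```

A "server" result points at the temp-directory settings (SecTmpDir, SecUploadDir), while a "request" result means the body itself should be inspected in the audit log before any exclusion is written.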
     
  13. quizknows
