The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ModSecurity blocks google analytics script tag

Discussion in 'Security' started by sehh, Jun 24, 2015.

  1. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    My application allows the user to use his own google-analytics script tag, which is stored in the application SQL database and used at the footer of the application/site.

    Unfortunately, I discovered that the user couldn't save the page and received a 403 http error. Apparently, ModSecurity detects the script tag in the submitted textarea as cross site scripting attack.

    The log says:
    Code:
    ModSecurity: Access denied with code 403 (phase 2). Pattern match 
    "(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|
    chrome)|< ?/?i?frame|\\\\%env)" at ARGS:SSL_SITE_SEAL. [file 
    "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line 
    "990"] [id "340147"] [rev "133"] [msg "Atomicorp.com WAF Rules:
    Potential Cross Site Scripting Attack"] [data "<script"] [severity "CRITICAL"]
    
    Is there a way to avoid a single rule per url? or disable that rule entirely?

    Thank you.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,470
    Likes Received:
    197
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm assuming you're not using the new ModSecurity tools in WHM, from your post:
    ConfigServer has a great tool that can help:
    http://www.configserver.com/cp/cmc.html

     
  3. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    Not yet, I'm still with the old default rules.

    Looks like ConfigServer's tool is the way to go, nice to stop specific rules from running per URL.

    Thank you!
     
Loading...

Share This Page