ModSecurity False Positive WordPress - How can I temporarily whitelist specific for this website?

Operating System & Version
CentOS 7.6 (CloudLinux 7.8)
cPanel & WHM Version
v88.0.13

RyanR

Active Member
Jul 22, 2020
33
4
8
London
cPanel Access Level
Root Administrator
Hi,

One of our websites is having issues with ModSecurity. If we publish a page update or preview the page it throws a 403 forbidden error...

The rules that are being broken are:

941100: XSS Attack Detected via libinjection

Request:
POST /wp-admin/post.php
Action Description: Access denied with code 403 (phase 2).
Justification: Test 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/*' against '@detectXSS' is true.


220030: COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)

Request:
GET /wp-content/themes/startit/assets/css/simple-line-icons/fonts/Simple-Line-Icons.woff?-i3a2kk
Action Description: Access denied with code 403 (phase 2).
Justification: Test 'MATCHED_VAR' against '@pm -a -b -C -q -T -c -n -d -e -f -h -? -i -l -m -r -B -R -F -E -S -t -s -v -w -z' is true.

Both are false positives... we raised a report for both of them however for the meantime we'd like to be able to whitelist/ignore these two rules for this particular website/cPanel account.

Any advice would be greatly welcome!
 

ZenHostingTravis

Well-Known Member
PartnerNOC
May 22, 2020
273
93
28
Australia
cPanel Access Level
Root Administrator
Hi @RyanR,

That's no good.

You should go to WHM >> ModSecurity Tools >> Click the Rule under the Rule ID column and then you can disable it.

You may have to restart Apache, though.

If you find my instructions hard to follow, here is the link to the cPanel documentation.
 

RyanR

Active Member
Jul 22, 2020
33
4
8
London
cPanel Access Level
Root Administrator
> Hi @RyanR,
>
> That's no good.
>
> You should go to WHM >> ModSecurity Tools >> Click the Rule under the Rule ID column and then you can disable it.
>
> You may have to restart Apache, though.
>
> If you find my instructions hard to follow, here is the link to the cPanel documentation.

The problem with that is that it affects all cPanel accounts and domains. I only want to apply it to one account/domain.

Thanks
 

RyanR

Active Member
Jul 22, 2020
33
4
8
London
cPanel Access Level
Root Administrator
Thanks for that ZenHostingTravis!

I installed ConfigServer ModSecurityControl and whitelisted the two rules... I can see they're whitelisted because previewing pages no longer adds logs into the ModSecurity Tools log... but the pages are still 403 erroring out.

I even tried toggling ModSecurity on/off via CMC and it's clearly working because disabling ModSecurity stops the 403 happening.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,269
313
Houston
I should also note in here that neither of those ModSecurity rulesets is supported by cPanel; while you can install them, our ability to troubleshoot them will be limited in some instances.

If you've disabled the specific rule that was matching, and you're still receiving a 403 error, what is output in the Apache error logs?


Thanks!
 

RyanR

Active Member
Jul 22, 2020
33
4
8
London
cPanel Access Level
Root Administrator
> If you've disabled the specific rule that was matching, and you're still receiving a 403 error, what is output in the Apache error logs?

So the Apache error logs weren't being helpful; they weren't showing anything wrong.

I checked the modsecurity logs and this log WAS showing why it was being blocked... yet the "ModSecurity Tools" in WHM wasn't showing it...

The rule 941160 was the cause (along with 941110), which is in /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

For reference, the "logged data" is a copy of the page content using WordPress' "WPBakery Page Builder" shortcodes... that seems to be a bit of a false positive.

Code:
Message: Access denied with code 403 (phase 2). Test 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/*' against '(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "74"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"]
 
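An added example, not code from this thread or from cPanel: a small Python parser for the "Message:" entries of a ModSecurity 2.x audit log, in the same shape as the entry pasted above. It pulls the [file], [line], [id] and [msg] tags out of each entry, re-joins entries that were wrapped across lines (as the entry above was when pasted), and separates rules that only matched ("Warning.") from the one that actually produced the 403 ("Access denied"), which is the rule that needs attention. The sample log is constructed: only the 941160 entry's file, line 74 and message text come from the post; the other line numbers and the shortened regexes are invented.

```python
import re
import sys
from collections import Counter

# Tags appended to every audit-log message: [file "..."] [line "74"] [id "941160"] [msg "..."]
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Constructed sample (raw string so the regex backslashes survive). The third entry is
# deliberately wrapped onto a second line, as happens when a long log line is pasted.
SAMPLE_AUDIT_LOG = r"""
Message: Warning. detected XSS using libinjection. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"]
Message: Warning. Pattern match "(?i)<script[^>]*>[\s\S]*?" at ARGS:content. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"]
Message: Access denied with code 403 (phase 2). Test 'ARGS_NAMES|ARGS|XML:/*' against '(?i)<[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|
\W*?f\W*?o\W*?r\W*?m)[^>\w]' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "74"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"]
"""


def join_wrapped_lines(text):
    """Return one string per 'Message:' entry, gluing continuation lines back on."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Message:") or not entries:
            entries.append(line)
        else:
            entries[-1] += line          # wrapped fragment of the previous entry
    return entries


def parse_message(entry):
    """Extract the bracketed tags plus whether this entry blocked the request."""
    tags = dict(TAG_RE.findall(entry))
    return {
        "id": tags.get("id"),
        "file": tags.get("file"),
        "line": tags.get("line"),
        "msg": tags.get("msg"),
        "denied": entry.startswith("Message: Access denied"),
    }


def blocking_rules(text):
    """Map rule id -> (file, msg) for only the rules that actually denied a request."""
    result = {}
    for entry in join_wrapped_lines(text):
        m = parse_message(entry)
        if m["denied"] and m["id"]:
            result[m["id"]] = (m["file"], m["msg"])
    return result


def matched_rule_counts(text):
    """How often each rule id appears at all, blocking or not."""
    return Counter(parse_message(e)["id"] for e in join_wrapped_lines(text))


if __name__ == "__main__":
    # Pass the path your SecAuditLog directive points at; otherwise the sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for rid, (path, msg) in blocking_rules(text).items():
        print(f"{rid}  {msg}\n    {path}")
    print("matches per rule:", dict(matched_rule_counts(text)))
```

Run against the sample, it reports 941160 as the only blocking rule while 941100 and 941110 show up only as warnings, which is the distinction the WHM tool view above did not make clear.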

Scott Galambos

Well-Known Member
Jul 13, 2016
100
4
68
Canada
cPanel Access Level
Root Administrator
I got this exact problem with REQUEST-941-APPLICATION-ATTACK-XSS.conf. These rules need to be improved.

And whenever I add this to my modsec2.whitelist.conf file manually via SSH:
Code:
SecRule REMOTE_ADDR "^72.33.35.33$" "phase:1,id:941110,nolog,allow,ctl:ruleEngine=off"
Apache won't start afterwards. Anyone know why?
 

Scott Galambos

Well-Known Member
Jul 13, 2016
100
4
68
Canada
cPanel Access Level
Root Administrator
I'm trying to do this:
Code:
SecRule REMOTE_ADDR "^72.238.15.34$" "phase:1,id:100,nolog,allow,ctl:ruleEngine=off"
But ID 100 exists already. Where do I see a list of all the IDs that are used or free? I simply want to add a new rule and it's impossible:
restartsrv_httpd[6482]: ModSecurity: Found another rule with the same id
 

cPSamuelM

Technical Analyst Team Lead
Staff member
Nov 20, 2019
196
38
103
USA
cPanel Access Level
Root Administrator
Hello @Scott Galambos

I think you will be able to add this rule by simply using a different rule ID. You can view the rules that are already loaded on the Home >> Security Center >> ModSecurity™ Tools >> Rules List page in WHM. I've attached a screenshot showing how to access this page.

Feel free to let us know if you have any additional questions, and as my colleague @cPanelSam mentioned, you are welcome to submit a ticket for further assistance.

Thanks!
 


Scott Galambos

Well-Known Member
Jul 13, 2016
100
4
68
Canada
cPanel Access Level
Root Administrator
Are these IDs sequential? Like, is their preference linear? If I want to whitelist an IP like above, does my ID have to be as low as possible (e.g. 1 through, say, 200)? Or can I make it like 60000 and it will still whitelist?
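An added example, not from this thread or from cPanel/ConfigServer, covering the two id questions above (the "Found another rule with the same id" failure, and whether the id value matters): a Python script that walks a set of ModSecurity rule files, lists every id: in use, flags ids declared more than once, and picks the lowest free id in the 1 to 99,999 range that the ModSecurity reference manual reserves for local, site-specific rules. An id only has to be unique; rules run in the order they are loaded within each phase, so a high number like 60000 is no less effective than 101. The sample file contents are constructed stand-ins (the OWASP path is the one named in the thread, the rule bodies are not the real CRS rules), and the whitelist file repeats the mistake from the earlier post by reusing 941110; the addresses are from the RFC 5737 documentation range.

```python
import re
import sys
from collections import defaultdict

# The id action inside a SecRule/SecAction action list: id:100, id:'100' or id:"100".
ID_RE = re.compile(r"""\bid:['"]?(\d+)""")

# Constructed sample files, keyed by path.
SAMPLE_FILES = {
    "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf": r"""
SecRule ARGS "@rx (?i)<script" "id:941110,phase:2,block,msg:'XSS Filter - Category 1: Script Tag Vector'"
SecRule ARGS "@rx (?i)<[^\w<>]*script" "id:941160,phase:2,block,msg:'NoScript XSS InjectionChecker: HTML Injection'"
""",
    "modsec2.whitelist.conf": r"""
# comment lines must be ignored even when they mention id:999
SecRule REMOTE_ADDR "^203\.0\.113\.10$" "phase:1,id:100,nolog,allow,ctl:ruleEngine=off"
SecRule REMOTE_ADDR "^203\.0\.113\.11$" "phase:1,id:941110,nolog,allow,ctl:ruleEngine=off"
""",
}


def rule_ids_in(text):
    """Yield the id of every rule in one file's text, skipping blank and comment lines."""
    for line in text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ID_RE.search(stripped)
        if m:                       # 'chain' continuation rules carry no id and are skipped
            yield int(m.group(1))


def collect_ids(files):
    """Map id -> [paths that declare it], in file order."""
    used = defaultdict(list)
    for path, text in files.items():
        for rid in rule_ids_in(text):
            used[rid].append(path)
    return dict(used)


def duplicate_ids(used):
    """Ids declared more than once; any such id makes Apache refuse to start."""
    return {rid: paths for rid, paths in used.items() if len(paths) > 1}


def next_free_id(used, start=1, end=99999):
    """Lowest unused id in [start, end]; the default range is the local-rules range."""
    for candidate in range(start, end + 1):
        if candidate not in used:
            return candidate
    raise ValueError(f"no free id between {start} and {end}")


def load_files(paths):
    """Read real rule files from disk into the {path: text} shape used above."""
    return {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}


if __name__ == "__main__":
    # Pass every rule file Apache loads (vendor rules and your own); else the sample is used.
    files = load_files(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_FILES
    used = collect_ids(files)
    for rid, paths in sorted(duplicate_ids(used).items()):
        print(f"duplicate id {rid} declared in:")
        for p in paths:
            print(f"    {p}")
    print(f"{len(used)} ids in use; lowest free local id: {next_free_id(used)}")
```

Against the sample this reports 941110 as declared in both files and suggests 1 as the first free local id (101 if you ask for the range starting at 100); on a real server, pass all the files Apache actually includes, since an id that is free in your own file can still collide with a vendor ruleset.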