ModSecurity request body on tmp not cleaned

Operating System & Version
CloudLinux 7.9
cPanel & WHM Version
11.90.0.16

manoaratefy

Active Member
Nov 17, 2018
33
3
8
Madagascar
cPanel Access Level
Root Administrator
Hello,

I have an issue with ModSecurity. Request body and file temporary file on /tmp isn't completely cleared, so I have to clean up very regularly /tmp to avoid it filling up all my disks. Would you know why it have this strange comportment?

On the apache log, I found only this as relevant:
ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "27"] [id "210230"] [rev "2"] [msg "COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.||xxxxxxxx.com|F|2"] [data "Multipart parsing error: Multipart: writing to \\x22/tmp/[email protected]
66X\\x22 failed"] [severity "CRITICAL"] [tag "CWAF"] [tag "Protocol"] [hostname "xxxxxxxx.com"] [uri "/wp-json/wp/v2/media"] [unique_id "[email protected]
sxrleqn8PvgAAAc0"], referer: https://xxxxxxxx.com/wp-admin/post-new.php

But I don't know how to interpret this.

Thanks in advance.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
715
97
153
cPanel Access Level
Root Administrator
Hey hey! I don't think that specific ModSecurity entry is related to the issue with /tmp. It seems like that is just normal processing of ModSecurity and it happened to experience an error, but I don't think that shows us the root of the problem.

Can you run this command on the server and let me know the output:

Code:
grep SecDataDir /etc/apache2/conf.d/modsec/modsec2.cpanel.conf
That may let us know what the issue could be, or at least point us in the right direction.