SOLVED Posting the word "get" in forms results in 403 error on Passenger website

Operating System & Version
linux
cPanel & WHM Version
cPanel 102.0 (build 26)

Fabius

Member
May 11, 2022
UK
cPanel Access Level
Website Owner
I have a Django (python) website that's working fine using Passenger. All good!

Except for one very strange thing - if I have a form with a textarea and I submit text like this:

Code:
test
get test
then I get a 403 Forbidden error. To generate the error:

  • The form can use GET or POST method
  • The word "get" must start a new line, but not the first one
  • The word "get" must be followed by a space (and optionally more text)
  • The word "get" can be replaced by any other HTTP method name, in any case ("POST", "Put", etc)
  • The form can just be a GET form to its own URL, on a static page, so it's not being processed by Django
  • In fact I don't even need the form itself - I can append this query string to any URL to generate the error: ?test=foo%0D%0Aget+foo

I'm very puzzled! It means I can't input any lines in any textarea that starts with an HTTP method name. Bizarre.

I feel this must be Passenger catching something it thinks is problematic, but I've no idea how to stop it.

Fabius

Member
May 11, 2022
UK
cPanel Access Level
Website Owner
Hi! Yes, ModSecurity appears to be enabled for this domain. Here's a line from the logs from when I added that query string:

Code:
92.41.4.241 - - [03/Feb/2023:06:47:57 -0500] "GET /?test=foo%0D%0Aget+foo HTTP/2.0" 403 543 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15"
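As an added example, not code from the thread or from cPanel or ModSecurity, here is the log line above and the conditions Fabius listed turned into a small Python check that an admin could run over an access log to find requests tripped by this behaviour: it parses the combined-format line, decodes the query string the way the server would, and flags any parameter whose value contains a line break followed by an HTTP method name and a space on a line other than the first. It assumes the combined log format and the standard method names; it is not the ModSecurity rule itself, whose id the thread never identifies.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Log line quoted from the thread above (Apache combined format, user agent shortened).
LOG_LINE = ('92.41.4.241 - - [03/Feb/2023:06:47:57 -0500] '
            '"GET /?test=foo%0D%0Aget+foo HTTP/2.0" 403 543 "-" "Mozilla/5.0"')

# Assumed combined log format: client, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
                    r'(?P<status>\d{3}) ')

# The conditions worked out empirically in the thread: a line break, then an HTTP
# method name in any case, then a space. Because a break must precede the method,
# a value that starts with "get " on its first line does not match.
METHOD_AFTER_NEWLINE = re.compile(
    r'(?:\r\n|\r|\n)(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|TRACE|CONNECT) ',
    re.IGNORECASE)


def smuggling_like_params(target: str) -> list:
    """Return (name, decoded value) pairs whose value embeds a new request line."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl turns %0D%0A into "\r\n" and "+" into a space, as the server does.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if METHOD_AFTER_NEWLINE.search(value):
            hits.append((name, value))
    return hits


def parse_log_line(line: str) -> dict:
    """Split one combined-format access log line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a combined-format access log line")
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def explain_403(line: str) -> list:
    """For a 403 entry, list the parameters that look like an embedded request line."""
    entry = parse_log_line(line)
    if entry["status"] != 403:
        return []
    return smuggling_like_params(entry["target"])


if __name__ == "__main__":
    print(explain_403(LOG_LINE))  # [('test', 'foo\r\nget foo')]
```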

Fabius

Member
May 11, 2022
UK
cPanel Access Level
Website Owner
Yes, turning off ModSecurity means it works!

So, why is that? Is there a way to enable ModSecurity without it doing... whatever it is it's doing here?

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
You can find the rule id in ModSecurity log (/etc/apache2/logs/modsec_audit.log), and then add an exception to disable that rule for the domain in question.
I use ConfigServer ModSecurity Control for that.

Fabius

Member
May 11, 2022
UK
cPanel Access Level
Website Owner
My server doesn't have a /etc/apache2/logs/modsec_audit.log.

/etc/apache2/logs leads to /usr/local/apache/domlogs but I don't have permission to see what's in there.

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
You need root access to be able to see that file.

Fabius

Member
May 11, 2022
UK
cPanel Access Level
Website Owner
Thanks both. I got in touch with the hosting service and they were able to look in the logs and disable the offending rule. It now all works!

The only downside is they didn't tell us what the rule was, so we'll never know.