Problem with mod_security default

Shadowrider

Member
Jan 29, 2015
Moss, Norway
cPanel Access Level
Root Administrator
Hi,

I'm seeing some issues with the default (as far as I know) install of cPanel and mod_security.
The problem happens when I edit a WordPress page from the admin panel and click update.
If I disable the "OWASP ModSecurity Core Rule Set", the problem is gone.
I know I can disable the rule, but I'm trying to find out why it "kicks" to a simple post in WordPress (latest version of all software/modules).

Code:
[Tue Jun 02 10:52:20.949362 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.949439 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.949503 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.964208 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Access denied with redirection to http://xxxxxxx.com/ using status 302 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\s+like|not\\\\s+regexp)([\\\\s'\\"`\\\\(\\\\)]*?)(?!\\\\2)([\\\\d\\\\w]+)))" at ARGS:content. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "53"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: blockquote>Hvordan found within ARGS:content: Skriv til oss om du har sp\\xc3\\xb8rsm\\xc3\\xa5l og \\xc3\\xb8nsker mer informasjon. Du er alltid velkommen til \\xc3\\xa5 ringe i v\\xc3\\xa5re \\xc3\\xa5pningstider.\\x0d\\x0a<blockquote>Hvordan kan vi hjelpe deg?</blockquote>\\x0d\\x0a[contact-form-7 id=\\x2281\\x22 title=\\x22Kontaktformul\\xc3\\xa4r\\x22]"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: xxxxxxx.com"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.964435 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
[Tue Jun 02 10:52:20.979105 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
[Tue Jun 02 10:52:20.979160 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
[Tue Jun 02 10:52:20.979198 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
[Tue Jun 02 10:52:21.367953 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/index.php"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]


Request:    POST /wp-admin/post.php
Action Description:    Access denied with redirection to http://vtkl.no/ using status 302 (phase 2).
Justification:    Pattern match "(?i:([\\s'\"`\\(\\)]*?)([\\d\\w]++)([\\s'\"`\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\\(\\)]*?)(?!\\2)([\\d\\w]+)))" at ARGS:content.
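The rule match from the log above, reproduced as an added example (not part of the original post and not cPanel or OWASP code): it runs the regex of rule 950901 over the posted `ARGS:content` and reports which operands and operator the pattern saw. The function name `explain` and the two short comparison strings are constructed for illustration; the pattern is taken from the "Justification" line and the post body from the log's `[data ...]` field.

```python
import re

# Regex of rule id 950901, copied from the "Justification" line of the post
# with the log's doubled backslashes collapsed.
PATTERN = (
    r"""(?i:([\s'"`\(\)]*?)([\d\w]++)([\s'"`\(\)]*?)"""
    r"""(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'"`\(\)]*?)\2"""
    r"""|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)"""
    r"""([\s'"`\(\)]*?)(?!\2)([\d\w]+)))"""
)
try:
    RULE = re.compile(PATTERN)
except re.error:  # Python before 3.11 has no possessive "++"; fall back to "+"
    RULE = re.compile(PATTERN.replace("++", "+"))

# ARGS:content rebuilt from the [data ...] field of the log (\x.. escapes decoded).
POST_CONTENT = (
    "Skriv til oss om du har spørsmål og ønsker mer informasjon. "
    "Du er alltid velkommen til å ringe i våre åpningstider.\r\n"
    "<blockquote>Hvordan kan vi hjelpe deg?</blockquote>\r\n"
    '[contact-form-7 id="81" title="Kontaktformulär"]'
)

def explain(value):
    """Return one dict per place where the rule's regex matches value."""
    hits = []
    for m in RULE.finditer(value):
        inequality = m.group(6) is not None   # second alternative of the regex
        op_end = m.start(5) if inequality else m.start(4)
        hits.append({
            "matched": m.group(0),
            "left": m.group(2),
            "operator": value[m.end(3):op_end],
            "right": m.group(6) if inequality else value[m.end(4):m.end()],
            "branch": "different operands" if inequality else "same operand",
        })
    return hits

if __name__ == "__main__":
    samples = [("post body", POST_CONTENT),
               ("plain text (constructed)", "Hvordan kan vi hjelpe deg?"),
               ("tautology (constructed)", "1=1")]
    for label, value in samples:
        print(label, "->", explain(value))
```

The post body gives a single hit, `blockquote>Hvordan`: the end of the opening `<blockquote>` tag is read as `word > other word`, which is the "Matched Data" shown in the log.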

cPanelMichael

Administrator
Staff member
Apr 11, 2011