Problem with mod_security default

Discussion in 'Security' started by Shadowrider, Jun 2, 2015.

  1. Shadowrider

    Hi,

    I'm seeing some issues with the default (as far as I know) install of cPanel and ModSecurity.
    The problem happens when I edit a WordPress page from the admin panel and click update.
    If I disable the "OWASP ModSecurity Core Rule Set", the problem is gone.
    I know I can disable the rule, but I'm trying to find out why it "kicks" to a simple post in WordPress (latest version of all software/modules).

    Code:
    [Tue Jun 02 10:52:20.949362 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.949439 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.949503 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.964208 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Access denied with redirection to http://xxxxxxx.com/ using status 302 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\s+like|not\\\\s+regexp)([\\\\s'\\"`\\\\(\\\\)]*?)(?!\\\\2)([\\\\d\\\\w]+)))" at ARGS:content. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "53"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: blockquote>Hvordan found within ARGS:content: Skriv til oss om du har sp\\xc3\\xb8rsm\\xc3\\xa5l og \\xc3\\xb8nsker mer informasjon. Du er alltid velkommen til \\xc3\\xa5 ringe i v\\xc3\\xa5re \\xc3\\xa5pningstider.\\x0d\\x0a<blockquote>Hvordan kan vi hjelpe deg?</blockquote>\\x0d\\x0a[contact-form-7 id=\\x2281\\x22 title=\\x22Kontaktformul\\xc3\\xa4r\\x22]"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: xxxxxxx.com"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.964435 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.979105 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
    [Tue Jun 02 10:52:20.979160 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
    [Tue Jun 02 10:52:20.979198 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
    [Tue Jun 02 10:52:21.367953 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/index.php"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
    
    
    Request:    POST /wp-admin/post.php
    Action Description:    Access denied with redirection to http://vtkl.no/ using status 302 (phase 2).
    Justification:    Pattern match "(?i:([\\s'\"`\\(\\)]*?)([\\d\\w]++)([\\s'\"`\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\\(\\)]*?)(?!\\2)([\\d\\w]+)))" at ARGS:content.
    
    
     

    #1 Shadowrider, Jun 2, 2015
    Last edited by a moderator: Jun 2, 2015
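
Added example (not part of the original post and not cPanel or OWASP code): replaying the pattern from the logged denial against the post body recorded in its `[data]` field shows which substring rule 950901 read as a comparison between two operands. Assumptions: the possessive `++` is written as `+` so the pattern compiles on older Python versions, and `POST_CONTENT` is rebuilt from the log's escaped bytes.

```python
import re

# Pattern of rule 950901 as logged in the post, with the log's doubled
# backslashes undone. Assumption: possessive "++" is written as "+" so the
# pattern also compiles on Python older than 3.11.
TAUTOLOGY = re.compile(
    r"""(?i:([\s'"`\(\)]*?)([\d\w]+)([\s'"`\(\)]*?)"""
    r"""(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'"`\(\)]*?)\2"""
    r"""|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)"""
    r"""([\s'"`\(\)]*?)(?!\2)([\d\w]+)))"""
)

# Constructed sample: ARGS:content rebuilt from the [data "..."] field of the
# logged denial, with the \x.. escapes decoded.
POST_CONTENT = (
    "Skriv til oss om du har spørsmål og ønsker mer informasjon. "
    "Du er alltid velkommen til å ringe i våre åpningstider.\r\n"
    "<blockquote>Hvordan kan vi hjelpe deg?</blockquote>\r\n"
    '[contact-form-7 id="81" title="Kontaktformulär"]'
)


def explain_match(content):
    """Return (matched text, left operand, operator, right operand) or None."""
    m = TAUTOLOGY.search(content)
    if m is None:
        return None
    # Group 4 only takes part in the "a = a" branch, groups 5/6 in "a <> b".
    equality = m.group(4) is not None
    op_end = m.start(4) if equality else m.start(5)
    operator = content[m.end(3):op_end].strip()
    right = m.group(2) if equality else m.group(6)
    return m.group(0), m.group(2), operator, right


if __name__ == "__main__":
    print(explain_match(POST_CONTENT))
    # Same text without the HTML tags: nothing resembles "operand > operand".
    print(explain_match(re.sub(r"</?blockquote>", "", POST_CONTENT)))
```

The first call reports the same `blockquote>Hvordan` substring as the log's "Matched Data": the `>` that closes the HTML tag sits between two different words, which is the shape the inequality branch of the pattern looks for.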
  2. cPanelMichael
