Problem with mod_security default

Discussion in 'Security' started by Shadowrider, Jun 2, 2015.

  1. Shadowrider

    Hi,

    I'm seeing some issues with the default (as far as I know) install of cPanel and Mod_Security.
    The problem happens when I edit a WordPress page from the admin panel and click update.
    If I disable the "OWASP ModSecurity Core Rule Set", the problem is gone.
    I know I can disable the rule, but I'm trying to find out why it "kicks" to a simple post in WordPress (latest version of all software/modules).

    Code:
    [Tue Jun 02 10:52:20.949362 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.949439 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.949503 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.964208 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Access denied with redirection to http://xxxxxxx.com/ using status 302 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\s+like|not\\\\s+regexp)([\\\\s'\\"`\\\\(\\\\)]*?)(?!\\\\2)([\\\\d\\\\w]+)))" at ARGS:content. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "53"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: blockquote>Hvordan found within ARGS:content: Skriv til oss om du har sp\\xc3\\xb8rsm\\xc3\\xa5l og \\xc3\\xb8nsker mer informasjon. Du er alltid velkommen til \\xc3\\xa5 ringe i v\\xc3\\xa5re \\xc3\\xa5pningstider.\\x0d\\x0a<blockquote>Hvordan kan vi hjelpe deg?</blockquote>\\x0d\\x0a[contact-form-7 id=\\x2281\\x22 title=\\x22Kontaktformul\\xc3\\xa4r\\x22]"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: xxxxxxx.com"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.964435 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/wp-admin/post.php"] [unique_id "VW1uxFu9sKoAAA3-Um0AAAAA"]
    [Tue Jun 02 10:52:20.979105 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
    [Tue Jun 02 10:52:20.979160 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
    [Tue Jun 02 10:52:20.979198 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "xxxxxxx.com"] [uri "/"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
    [Tue Jun 02 10:52:21.367953 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "xxxxxxx.com"] [uri "/index.php"] [unique_id "VW1uxFu9sKoAAA3-Um4AAAAA"]
    
    
    Request:    POST /wp-admin/post.php
    Action Description:    Access denied with redirection to http://vtkl.no/ using status 302 (phase 2).
    Justification:    Pattern match "(?i:([\\s'\"`\\(\\)]*?)([\\d\\w]++)([\\s'\"`\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\\(\\)]*?)(?!\\2)([\\d\\w]+)))" at ARGS:content.
    
    
     

    #1 Shadowrider, Jun 2, 2015
    Last edited by a moderator: Jun 2, 2015
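The following Python example is added here and is not from the original thread or from cPanel. It splits error-log lines in the format shown above into rule hits and engine errors, then runs the logged pattern of rule 950901 against the flagged text to show which substring it matches. The sample log lines are constructed by shortening the ones in the post; `example.com` and the function names are assumptions.

```python
import re

# Pattern of rule 950901 as logged in the post, with the log's backslash escaping undone.
RULE_950901 = r'''(?i:([\s'"`\(\)]*?)([\d\w]++)([\s'"`\(\)]*?)(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'"`\(\)]*?)\2|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'"`\(\)]*?)(?!\2)([\d\w]+)))'''
try:
    RULE_RE = re.compile(RULE_950901)
except re.error:
    # Possessive "++" needs Python 3.11+; greedy "+" matches the same text on these samples.
    RULE_RE = re.compile(RULE_950901.replace("++", "+"))
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs

# Constructed sample: lines shortened from the log in the post (pattern text elided as "...").
SAMPLE_LOG = r'''[Tue Jun 02 10:52:20.949362 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "example.com"] [uri "/wp-admin/post.php"]
[Tue Jun 02 10:52:20.949503 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Rule processing failed. [hostname "example.com"] [uri "/wp-admin/post.php"]
[Tue Jun 02 10:52:20.964208 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: Access denied with redirection to http://example.com/ using status 302 (phase 2). Pattern match "..." at ARGS:content. [line "53"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: blockquote>Hvordan found within ARGS:content: <blockquote>Hvordan kan vi hjelpe deg?</blockquote>"] [uri "/wp-admin/post.php"]
[Tue Jun 02 10:52:20.964435 2015] [:error] [pid 3583] [client MY_IP] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "example.com"] [uri "/wp-admin/post.php"]'''

def rule_match(text):
    """Return the substring that the rule 950901 pattern flags in text, or None."""
    m = RULE_RE.search(text)
    return m.group(0) if m else None

def triage(log_text):
    """Split ModSecurity error-log lines into rule hits and engine errors."""
    hits, engine_errors = [], []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        message = line.split("ModSecurity:", 1)[1].strip()
        if message.startswith("Access denied"):
            data = re.search(r"Matched Data: (.*?) found within (\S+): ", fields.get("data", ""))
            hits.append({"id": fields.get("id"), "msg": fields.get("msg"), "uri": fields.get("uri"),
                         "matched": data.group(1) if data else None,
                         "variable": data.group(2) if data else None})
        else:
            # Not a rule decision: the engine itself failed (mutex, DBM file, rule processing).
            engine_errors.append(message.split(" [", 1)[0])
    return hits, engine_errors

if __name__ == "__main__":
    hits, errors = triage(SAMPLE_LOG)
    for hit in hits:
        print(hit["id"], hit["variable"], "pattern matches:", repr(rule_match(hit["matched"])))
    print("engine errors:", errors)
```

On the sample, the pattern matches `blockquote>Hvordan` through its inequality branch: a word, the `>` that closes the HTML tag, and a different word.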
  2. cPanelMichael
