Recieving mod_security errors when saving article Topic is solved

[maestroc]

We are hosting on Dreamhost. All of the checks were green when we upgraded from J4 to 5. Running PHP 8.1.25 and SQL 8.0.28 on J5.0.1

Most articles save just fine but for a couple of them whenever we hit save, save and close, or even just close from the editor window we get a 500 error. In the system error log we get these that are being caught when we try to save the article to the database. I have looked in the HTML code for the article and there are no strange characters, etc. that I can see. Any ideas what is going on?

[Sun Dec 24 16:50:37.674914 2023] [:error] [pid 204493:tid 126535228712704] [client 123.82.30.187:3289] [client 123.82.30.187] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at ARGS:jform[articletext]. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "53"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: get there.</p>\\x0d found within ARGS:jform[articletext]: <p>you are planning to write a memoir, a business book, or another work of nonfiction. a good idea is a good first step, but where do you go from there?</p>\\x0d\\x0a<p>my team and i are here to help guide you in how to write a manuscript and how to become an author.</p>\\x0d\\x0a<h2>manuscript writing</h2>\\x0d\\x0a<p>i have guided numerous writers to bring their ideas to light and can help you too. i will lead you to a clear understanding..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "parano [hostname "www.xxxxx.com"] [uri "/administrator/index.php"] [unique_id "ZYjR3VVVUuJbMY@d0KZzkQAAAHU"], referer: https://www.xxxxx.com/administrator/ind ... =edit&id=7
[Sun Dec 24 16:50:37.675903 2023] [:error] [pid 204493:tid 126535228712704] [client 123.82.30.187:3289] [client 123.82.30.187] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at REQUEST_BODY. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "53"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: get there.</p>\\x0d found within REQUEST_BODY: jform[title]=manuscript development&jform[alias]=manuscript-development&jform[articletext]=<p>you are planning to write a memoir, a business book, or another work of nonfiction. a good idea is a good first step, but where do you go from there?</p>\\x0d\\x0a<p>my team and i are here to help guide you in how to write a manuscript and how to become an author.</p>\\x0d\\x0a<h2>manuscript writing</h2>\\x0d\\x0a<p>i have guided numerous writers to bring the..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1" [hostname "www.xxxx.com"] [uri "/administrator/index.php"] [unique_id "ZYjR3VVVUuJbMY@d0KZzkQAAAHU"], referer: https://www.xxxx.com/administrator/inde ... =edit&id=7
[Sun Dec 24 16:50:37.711086 2023] [:error] [pid 204493:tid 126535228712704] [client 123.82.30.187:3289] [client 123.82.30.187] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.xxxx.com"] [uri "/administrator/index.php"] [unique_id "ZYjR3VVVUuJbMY@d0KZzkQAAAHU"], referer: https://www.xxxx.com/administrator/inde ... =edit&id=7

[toivo]

How were those articles created? Were they originally for example in Word format?

[msg "HTTP Request Smuggling Attack"] [data "Matched Data: get there.</p>\\x0d found within ARGS:jform[articletext]

The ModSecurity rule reacts to the hexadecimal 0D and 0A, the conventional Carriage Return and Line Feed characters (CR/LF) in the ASCII code table.

I have looked in the HTML code for the article and there are no strange characters, etc. that I can see.

CR/LF characters are not HTML. The normal tags like <p> and <br> should be used instead.

[maestroc]

Yes, probably. The original poster of the article likes to work in Word

I should clarify, when I view the code in the JCE editor window it only showed the p and br tags. I didn't see any of the hex characters in there. I had JCE do a code cleanup on the article text. Not sure if that helped or not because overnight apparently my host changed their ruleset so that supposedly the problem will not be a problem any more.

Thank you for your insight into this.

[Webdongle]

When you copy from word (or websites etc.) best paste into Notepad++ then copy and paste into an Article. https://notepad-plus-plus.org/downloads/

[leolam]

Ask Dreamhost to disable id "921110" and '949110' for your site.. The issue will be resolved with that (they should be able to disable it for specific sites and id's) [assuming they have like we have mod_security_control installed see https://configserver.com/configserver-m ... y-control/]

Leo