Mod Security issues

Post by konlungkao » Thu Oct 23, 2014 1:08 am

Some hosts enable ModSecurity rules:
https://github.com/SpiderLabs/owasp-modsecurity-crs

Can't save or close when editing content; it shows 403
Forbidden

You don't have permission to access /administrator/index.php on this server.

error log

[Thu Oct 23 08:04:13 2014] [error] [client 10.211.55.2] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\b([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2\\\\b|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not ..." at ARGS:jform[articletext]. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: p>sss found within ARGS:jform[articletext]: 
sss

"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "user3.com"] [uri "/administrator/index.php"] [unique_id "VEjuvX8AAAEAACq27rsAAAAD"]
How to fix it?
Joomla website development http://www.colorpack.co.th | Free Joomla Q&A http://joomlachannel.com

Re: Mod Security issues

Post by leolam » Thu Oct 23, 2014 6:53 am

You cannot do this at server level if you have no server root access and WHM. In that case your host can disable the rule for your domain. If you have root access you can install ConfigServer ModSecurity Control (http://www.configserver.com/cp/cmc.html). With that module you can disable rules either globally or per domain.

Alternatively you can disable that rule in your htaccess. You will find more on that at https://www.google.com/search?q=disable ... n+htaccess

I strongly advise NOT disabling mod_security itself with htaccess. That will give you loads of security breaches.

Leo 8)
Joomla Professional Support Services
Over 35.000 support requests solved
Just contact us through the Joomla Support channels if you want help
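
Added example (not part of the thread and not written by either poster): instead of switching rule 950901 off for the whole domain, the exclusion can be limited to the one argument and URI named in the denial. The sketch below parses a denial line like the one in the question and emits a `SecRuleUpdateTargetById` exclusion. The sample line is constructed (abridged from the log above), the function names are hypothetical, and it assumes the output goes into the server or virtual-host configuration after the CRS rules are loaded.

```python
import re

# Constructed sample: an abridged ModSecurity 2.x error-log line carrying the
# same id, target and uri fields as the log posted in the question.
SAMPLE = (
    '[Thu Oct 23 08:04:13 2014] [error] [client 10.211.55.2] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match "(?i:...)" at '
    'ARGS:jform[articletext]. [file "/usr/local/apache/modsecurity-crs/'
    'base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] '
    '[id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "PCI/6.5.2"] '
    '[hostname "user3.com"] [uri "/administrator/index.php"]'
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TARGET = re.compile(r'" at (\S+?)\. \[file "')         # variable that matched
# Log fields echo request data, so only conservative values reach the config.
SAFE = {"id": re.compile(r'[0-9]+'),
        "uri": re.compile(r'/[A-Za-z0-9._/-]*'),
        "target": re.compile(r'[A-Z_]+(:[A-Za-z0-9_.\[\]-]+)?')}


def parse_denial(line):
    """Return rule id, matched variable, uri and tags from one log line."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, []).append(value)   # "tag" repeats
    target = TARGET.search(line)
    if not target or "id" not in fields or "uri" not in fields:
        raise ValueError("not a ModSecurity denial line")
    return {"id": fields["id"][0], "target": target.group(1),
            "uri": fields["uri"][0], "tags": fields.get("tag", [])}


def scoped_exclusion(hit):
    """Build an exclusion for one rule, one variable and one URI only."""
    if not all(SAFE[k].fullmatch(hit[k]) for k in SAFE):
        raise ValueError("refusing to emit config from unexpected log values")
    path = hit["uri"].replace(".", r"\.")   # only regex metachar SAFE allows
    return ('<LocationMatch "^%s$">\n'
            '    SecRuleUpdateTargetById %s "!%s"\n'
            '</LocationMatch>' % (path, hit["id"], hit["target"]))


if __name__ == "__main__":
    print(scoped_exclusion(parse_denial(SAMPLE)))
```

With this exclusion, rule 950901 stays active for every other parameter and path on the site.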
