Welcome to the LimeSurvey Community Forum
mod_security issue
10 years 2 months ago #104396
mod_security issue was created by oldgit
I have just been creating a survey and have noticed that it has generated a large number of notifications from mod_security on my server. Luckily, I have my IP address whitelisted, so I am not locked out. I am using the latest update of LimeSurvey and a pretty standard rule set on mod_sec.
One example of the notice follows...
Code:
[Sun Feb 02 14:32:19 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.my-domain.net"] [uri "/third_party/jquery-cookie/jquery.cookie.js"] [unique_id "Uu5W89XlWkcAAFrjdzsAAAAI"]
The topic has been locked.
10 years 2 months ago #104483
Replied by DenisChenu on topic mod_security issue
Hi,
Did you use "Advanced settings" / timer settings?
If yes: can you deactivate it and test again?
Denis
Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
10 years 2 months ago #104508
Replied by oldgit on topic mod_security issue
DenisChenu wrote: Hi,
Did you use "Advanced settings" / timer settings?
Denis
Thanks, Denis, for your response. I'm not sure where I would find these settings. Are they in mod_sec or LimeSurvey's admin area? Anyway, I have disabled that rule for this subdomain, as I was getting just too many false positives.
Thanks again...
10 years 2 months ago #104612
Replied by DenisChenu on topic mod_security issue
Hi,
It's because I don't think we use /third_party/jquery-cookie/jquery.cookie.js in all surveys.
Just need to find: when we use it, and if it's with the last Yii version.
Maybe you can put a bug report with a "really" little survey?
10 years 1 month ago - 9 years 10 months ago #106337
Replied by jelo on topic mod_security issue
DenisChenu wrote: Hi,
It's because I don't think we use /third_party/jquery-cookie/jquery.cookie.js in all surveys.
This ModSecurity rule [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] is also triggered when just using the comfort updater.
It's not a problem of LimeSurvey. The core rules ( spiderlabs.github.io/owasp-modsecurity-crs/ ) have contained this rule for years.
Perhaps the regex pattern is too broad, or the jQuery team would need to adapt some code.
Perhaps both are right, and the administrator needs to choose the rules case by case.
Code:
<LocationMatch /third_party/jquery-cookie/jquery.cookie.js>
    <IfModule mod_security2.c>
        SecRuleRemoveById 1234123404
        # SecRuleEngine Off
    </IfModule>
</LocationMatch>
There are a few ways to disable rules. www.modsecurity.org/documentation/
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
Last edit: 9 years 10 months ago by c_schmitz.
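As an added example (not from the thread, and not LimeSurvey's or the rule set's own configuration), here are two ways to scope the exclusion for the path in oldgit's log: jelo's per-location SecRuleRemoveById, and a narrower ModSecurity 2.x rule using ctl:ruleRemoveTargetById that keeps rule 1234123404 active but stops it from inspecting REQUEST_FILENAME, the target that matched ".cookie" in the log, for that one path. The rule id 1234123404 and the jquery.cookie.js path are the ones from the thread; the exclusion rule's own id 1000 is an assumed local id (ModSecurity requires a unique id per SecRule, and ids 1-99,999 are reserved for local rules).

```apache
# Added example, not from the thread: scope the mod_security exclusion to the
# single static file that trips rule 1234123404, instead of turning the rule
# off for the whole domain or the whole virtual host.
<IfModule mod_security2.c>

    # Option A (what jelo's snippet does): drop the whole rule, but only when
    # the request is for this exact file. Other URIs are still fully checked.
    <LocationMatch "^/third_party/jquery-cookie/jquery\.cookie\.js$">
        SecRuleRemoveById 1234123404
    </LocationMatch>

    # Option B (narrower): keep the rule active, but for this path stop it from
    # inspecting REQUEST_FILENAME, the target that produced the ".cookie" match
    # in the log. The rule still inspects its other targets (ARGS, headers, ...),
    # so a real XSS payload sent to this URL is still caught.
    # id:1000 is an assumed local rule id; phase:1 is required so the exclusion
    # runs before the phase 2 rule it modifies.
    SecRule REQUEST_URI "@beginsWith /third_party/jquery-cookie/" \
        "id:1000,phase:1,pass,nolog,t:none,ctl:ruleRemoveTargetById=1234123404;REQUEST_FILENAME"

</IfModule>
```

Option B is the one to prefer on a shared host where the rule must stay on for other sites: it removes one target from one rule for one path, whereas disabling the rule for a whole domain (as elbaloo's provider did later in the thread) switches that XSS check off for every request to that domain. After either change, run the Apache config test before reloading, and watch the audit log for a few days to confirm the 406 responses for jquery.cookie.js stop while other rule hits still appear.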
9 years 10 months ago #109116
Replied by elbaloo on topic mod_security issue
I'm not sure I'm following... so, just to be sure:
Is this an issue with LimeSurvey, with jQuery, or just with very strict rulesets?
I'm asking because my hosting provider blocked some IPs from which I was accessing the application, and after I submitted a support ticket they told me that they "relaxed the rule for the domain that was causing the issue" (mine).
9 years 10 months ago #109118
Replied by jelo on topic mod_security issue
The rule was disabled for your domain. My example above only disables the rule for the path of jQuery. If you are on shared hosting, it is normal to disable the rule domain/account-wise.
It is a false positive with this specific mod_security rule.
6 years 2 months ago #164021
Replied by first on topic mod_security issue
Hi jelo - Do you think the 406 response code I am getting is related to this topic? If so, I will chase the hosting team.
www.limesurvey.org/forum/can-i-do-this-w...to-r?start=15#164018
Survey Designer and Programmer