TOPIC: mod_security issue

mod_security issue 2 months 3 weeks ago #104396

  • oldgit
  • OFFLINE
  • Fresh Lemon
  • Posts: 2
  • Karma: 0
I have just been creating a survey and have noticed that it has generated a large number of notifications from mod_security on my server. Luckily, I have my IP address whitelisted so I am not locked out. I am using the latest update of LimeSurvey and a pretty standard rule set on mod_sec.

One example of the notice follows...
[Sun Feb 02 14:32:19 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.my-domain.net"] [uri "/third_party/jquery-cookie/jquery.cookie.js"] [unique_id "Uu5W89XlWkcAAFrjdzsAAAAI"]

mod_security issue 2 months 2 weeks ago #104483

  • DenisChenu
  • OFFLINE
  • Moderator Lime
  • Posts: 5869
  • Thank you received: 719
  • Karma: 223
Hi,

Did you use "Advanced settings" / timer settings?
If yes: can you deactivate it and test again?

Denis

mod_security issue 2 months 2 weeks ago #104508

  • oldgit
  • OFFLINE
  • Fresh Lemon
  • Posts: 2
  • Karma: 0
DenisChenu wrote:
Hi,

Did you use "Advanced settings" / timer settings?

Denis

Thanks, Denis, for your response. I'm not sure where I would find these settings. Are they in mod_sec or LimeSurvey's admin area? Anyway, I have disabled that rule for this subdomain as I was getting just too many false positives.

Thanks again...

mod_security issue 2 months 2 weeks ago #104612

  • DenisChenu
  • OFFLINE
  • Moderator Lime
  • Posts: 5869
  • Thank you received: 719
  • Karma: 223
Hi,

It's because I don't think we use /third_party/jquery-cookie/jquery.cookie.js in all surveys.

Just need to find out when we use it, and whether it's with the latest Yii version.

Maybe you can put in a bug report with a "really" little survey?

mod_security issue 1 month 1 week ago #106337

  • jelo
  • OFFLINE
  • Platinum Lime
  • Posts: 389
  • Thank you received: 40
  • Karma: 15
DenisChenu wrote:
Hi,
It's because I don't think we use /third_party/jquery-cookie/jquery.cookie.js in all surveys.

This ModSecurity rule [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] is also triggered when just using the comfort updater.

It's not a problem for LimeSurvey. The core rules ( spiderlabs.github.io/owasp-modsecurity-crs/ ) have contained this rule for years.

Perhaps the regex pattern is too broad or the jquery team would need to adapt some code.

Perhaps both are right and the administrator needs to choose the rules case by case.
<LocationMatch /third_party/jquery-cookie/jquery.cookie.js>
  <IfModule mod_security2.c>
    SecRuleRemoveById 1234123404
    # SecRuleEngine Off
  </IfModule>
</LocationMatch>

There are a few ways to disable rules. www.modsecurity.org/documentation/
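A small model of the per-location exception jelo posted, as an added Python example (not LimeSurvey's or ModSecurity's code): the regex is a constructed, much shorter stand-in for the CRS pattern quoted in the log, kept only to show why the ".cookie" in the file name trips the rule on REQUEST_FILENAME, and why a `<LocationMatch>` plus `SecRuleRemoveById` stops it for that one path while the rule keeps firing everywhere else.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the CRS XSS pattern. The real rule 1234123404 is far
# longer; only a few alternatives are kept, including the "\.cookie" one that
# explains the [data ".cookie"] hit on /third_party/jquery-cookie/jquery.cookie.js.
XSS_PATTERN = re.compile(
    r"(?:\biframe\b.{0,100}?\bsrc\b|\.cookie|<script\b|\bon(?:load|mouseover|error)\b)",
    re.IGNORECASE,
)
XSS_RULE_ID = "1234123404"


@dataclass(frozen=True)
class RuleException:
    """Models one <LocationMatch REGEX> block containing SecRuleRemoveById ID."""
    location_regex: str   # LocationMatch takes an unanchored regex
    removed_rule_id: str


def evaluate_request(request_filename, exceptions=()):
    """Return (blocked, matched_text) for one request path.

    request_filename mirrors ModSecurity's REQUEST_FILENAME: the path only,
    with no query string. A matching exception removes the rule before it runs.
    """
    for exc in exceptions:
        if exc.removed_rule_id == XSS_RULE_ID and re.search(exc.location_regex, request_filename):
            return False, None
    m = XSS_PATTERN.search(request_filename)
    if m:
        return True, m.group(0)
    return False, None


# The exception from the post above: rule removed only for this one script.
JQUERY_COOKIE_EXCEPTION = (
    RuleException(r"/third_party/jquery-cookie/jquery.cookie.js", XSS_RULE_ID),
)

if __name__ == "__main__":
    path = "/third_party/jquery-cookie/jquery.cookie.js"
    print(evaluate_request(path))                            # (True, '.cookie')
    print(evaluate_request(path, JQUERY_COOKIE_EXCEPTION))   # (False, None)
    # A copy of the same file served from another directory is still caught,
    # which is the point of scoping the exception to one LocationMatch.
    print(evaluate_request("/js/jquery.cookie.js", JQUERY_COOKIE_EXCEPTION))  # (True, '.cookie')
```

The same scoping argument is why the commented-out `SecRuleEngine Off` in the post is the coarser choice: it would drop every rule for that location, not just the one producing the false positive.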