triggering server security rules

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
miss_d_bus
Forum Members
Posts: 121
Joined: Sun May 01, 2005 4:27 pm
Location: Kent, UK

triggering server security rules

Post by miss_d_bus »

I have had to move my website to a new hosting and did a fresh installation of the latest version, 2.1.6. However, after a while I couldn't access my site. It kept timing out, and then my fixed IP address at home was blacklisted as a "known source of attacks" by Atomic Secured Linux.

I got onto my hosting and they provided the following info:
It looks like you have been triggering two security rules. Your code is doing two things that are not allowed.
The first is using ../../ style recursion.
The second is posting MySQLi type vars such as varchar

domain.co.uk-error_log-20170605.gz:[Sun Jun 04 20:42:05 2017] [error] [client 217.155.103.254] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "200"] [id "340006"] [rev "68"] [msg "Atomicorpcom WAF Rules: Generic Path Recursion denied in URI/ARGS"] [data "../../,ARGS:path"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "\\\\.\\\\./\\\\.\\\\./" at ARGS:path. [hostname "domain.co.uk"] [uri "/modules/TinyMCE/responsive_filemanager/filemanager/upload.php"] [unique_id "WTRijS63CHwAACz49-0AAAAj"]

domain.co.uk-error_log-20170605.gz:[Sun Jun 04 23:00:40 2017] [error] [client 217.155.103.254] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "250"] [id "340155"] [rev "25"] [msg "Atomicorp.com WAF Rules: Generic SQL Injection protection"] [data "varchar"] [severity "CRITICAL"] [tag "SQLi"] Access denied with code 403 (phase 2). Matched phrase "varchar" at ARGS:content_en. [hostname "domain.co.uk"] [uri "/admin/moduleinterface.php"] [unique_id "WTSDCC63CHwAAA6KeS0AAAAJ"]
The only thing I have done additionally is to install the module TinyMCE.
Is there any way in which I can fix this?

Many thanks
velden
Dev Team Member
Posts: 3483
Joined: Mon Nov 28, 2011 9:29 am
Location: The Netherlands

Re: triggering server security rules

Post by velden »

Tell them you're not using WP. Then ask if they are willing to disable ModSecurity for your website.


If not, ask if they are willing to loosen the security rules of ModSecurity. If not, find another host; ModSecurity probably will cause more problems for you.
wentybloke
New Member
Posts: 4
Joined: Tue Jun 28, 2016 3:41 am

Re: triggering server security rules

Post by wentybloke »

Best of luck getting your host to disable mod_security; they probably won't.

Assuming the hosting is cPanel, you should be able to see 403 Forbidden errors in the error log, which will help see what's happening a bit.

FWIW, my host (VentraIP/Zuver, who are Australian) have been very cooperative in whitelisting for CMSMS. I have never had problems logging in to the admin, but the following have had to be whitelisted:

Modifying global metadata
Any template change
Add canonical tag to template (after the previous one fixed)
Change thumbnail size in General Settings

The file browser also triggers 403 errors, but I just ignore that and use FTP instead.
miss_d_bus
Forum Members
Posts: 121
Joined: Sun May 01, 2005 4:27 pm
Location: Kent, UK

Re: triggering server security rules

Post by miss_d_bus »

Thank you both.
I'll get back to the hosting company and see what they say. This is damn irritating given that we have no problems with the CMS on version 1 and have used them for many years.
DIGI3
Dev Team Member
Posts: 1609
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: triggering server security rules

Post by DIGI3 »

There are certain mod_security rules that can be individually disabled by the host. I just gave my host the symptoms, and a test install, and they were able to easily find them and whitelist them. Most of the rules specifically for CMSMS are for older vulnerabilities, and can safely be removed if you're up to date.

My host also gives me the ability to disable mod_security on a site-by-site basis, but asks me to only do it while developing. Works fine for me, and gives me a workaround while waiting for them to find and disable the rule.
Not getting the answer you need? CMSMS support options
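
An added example, not part of any post above and not CMSMS or Atomicorp code: a short Python script that turns ModSecurity denials like the two in the first post into a per-rule summary (rule id, URI, matched argument), which is what a host needs in order to whitelist individual rules rather than switch ModSecurity off. The sample lines are constructed from the format shown in that post, with a placeholder client address and hostname; `parse_line` and `summarize` are names chosen here.

```python
import re
from collections import Counter

# [key "value"] pairs as ModSecurity writes them; values may hold escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The matched variable, e.g. "at ARGS:path." just before the next [field].
TARGET = re.compile(r'\bat ([A-Z_]+(?::\S+?)?)\. \[')

def parse_line(line):
    """Return the fields of one ModSecurity denial, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line.split("ModSecurity:", 1)[1]))
    if "id" not in fields:
        return None
    target = TARGET.search(line)
    fields["target"] = target.group(1) if target else "?"
    return fields

def summarize(lines):
    """Count denials per (rule id, URI, matched variable) and keep each rule's msg."""
    hits, messages = Counter(), {}
    for rec in filter(None, map(parse_line, lines)):
        hits[(rec["id"], rec.get("uri", "?"), rec["target"])] += 1
        messages[rec["id"]] = rec.get("msg", "")
    return hits, messages

# Constructed sample, shortened from the two log lines in the first post;
# the client address and hostname are placeholders.
PREFIX = '[Sun Jun 04 20:42:05 2017] [error] [client 203.0.113.10] '
UPLOAD = ('ModSecurity: [id "340006"] [msg "Generic Path Recursion denied in URI/ARGS"] '
          r'[data "../../,ARGS:path"] Access denied with code 403 (phase 2). '
          r'Pattern match "\\.\\./\\.\\./" at ARGS:path. [hostname "example.test"] '
          '[uri "/modules/TinyMCE/responsive_filemanager/filemanager/upload.php"]')
EDITOR = ('ModSecurity: [id "340155"] [msg "Generic SQL Injection protection"] '
          '[data "varchar"] [tag "SQLi"] Access denied with code 403 (phase 2). '
          'Matched phrase "varchar" at ARGS:content_en. [hostname "example.test"] '
          '[uri "/admin/moduleinterface.php"]')
SAMPLE = [PREFIX + UPLOAD, PREFIX + EDITOR, PREFIX + UPLOAD,
          PREFIX + 'File does not exist: /var/www/html/favicon.ico']

if __name__ == "__main__":
    hits, messages = summarize(SAMPLE)
    for (rule_id, uri, target), n in hits.most_common():
        print(f"{n}x rule {rule_id} at {target} on {uri}: {messages[rule_id]}")
```

Run against the real error log, the output lists each rule id with the admin URL and form field that tripped it, so an exception can be scoped to that rule and path.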