claudedagenais

[Solved] ModSecurity


claudedagenais

Hi,

I'm getting more and more in trouble with ModSecurity & Pagelines. For the longest time I've not been able to make any change to the Pagelines back end Settings without turning off ModSecurity and turning it back on when I was done with my changes. When saving, I was getting a 404 and the changes were not saved. Since I do not change the Pagelines Settings often, I decided to live with it. But since yesterday, I have sites that won't let us save in the front end editor if ModSecurity is on.

I'm guessing it's a configuration of ModSecurity that is causing the problem, but on my end I can only turn it on or off. If a change of rules needs to be done, I have to request it from my hosting company. So I have to tell them what they need to change. Can you help me with that?

Tx

Claude

Simon

We don't have any servers with mod security to test.

If I remember from the last time I used it, 10 years ago or so... whenever it blocks anything it outputs to an audit.log; it always logs the rule that triggered the block.

Depending on how the server is set up, you can then whitelist certain rules for certain conditions.

claudedagenais

Thanks, I'll ask if that file exists since I can't see it.

Simon
20 hours ago, claudedagenais said:

Thanks, I'll ask if that file exists since I can't see it.

No, it's a server file; it'll be in the /var/log/ folder. You won't have access to it on any shared server.

If it's cPanel/WHM, sometimes the log is available in the panel somewhere.

claudedagenais

Ui, yep, I know. I'm in discussion with my hosting company. Since we are using VPSs we have no access to the root account, but if I can get the time I can generate the error(s) and they will send me the error_log file available under /usr/local/apache/logs so that I can see what error(s) is(are) generated. Then I can take it up with them to get the rules that are causing the problem out.

Are you interested in getting the results as well?

Simon

The idea of a virtual private server is that you have full control and root access. I don't understand how you have a VPS and no access? That makes no sense at all.

claudedagenais

Yep, well... not there... but I do get great service from my supplier and they will help. So what can I say.

Again, is it of any interest to you to get the results?

Simon

Sure, if it's useful we can always add it to the FAQ page.

claudedagenais

Ok so here we go:

The first error is present if I try to change something in the backend portion of the PageLines settings. When I'm trying to save the changes, I get a 404 page. Here is the error:

[Tue Jan 10 10:01:59.510982 2017] [:error] [pid 829844:tid 140716822992640] [client 192.81.14.2] ModSecurity: Access denied with code 403 (phase 2). Match of "contains google_ad" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/07_XSS_XSS.conf"] [line "14"] [id "212000"] [rev "1"] [msg "COMODO WAF: XSS Filter - Category 1: Script Tag Vector||cliniqueck.com|F|2"] [data "Matched Data: <script type=\\x22text/javascript\\x22 language=\\x22JavaScript\\x22><!--\\x0d\\x0afunction HideContent(d) {\\x0d\\x0aif(d.length < 1) { return; }\\x0d\\x0adocument.getElementById(d).style.display = \\x22none\\x22;\\x0d\\x0a}\\x0d\\x0afunction ShowContent(d) {\\x0d\\x0aif(d.length < 1) { return; }\\x0d\\x0adocument.getElementById(d).style.display = \\x22block\\x22;\\x0d\\x0a}\\x0d\\x0afunction ReverseContentDisplay(d) {\\x0d\\x0aif(d.length < 1) { return; }\\x0d\\x0aif(document.getElementById(d).style.display == \\x22non..."] [severity "CRITICAL"] [hostname "cliniqueck.com"] [uri "/wp-admin/admin-post.php"] [unique_id "WHT3Z7hrXyAADKmURoYAAAKM"]

They identified this as ModSecurity rule 212000.

The second one (by the way, this is new to our knowledge) is when we try to change something in the front end. When we click SAVE the saving process never finishes:

[Tue Jan 10 10:02:23.035855 2017] [:error] [pid 829874:tid 140716833482496] [client 192.81.14.2] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "goo.gl" at ARGS:model. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/03_Global_Domains.conf"] [line "23"] [id "210920"] [rev "2"] [msg "COMODO WAF: Malicious site name found in request||cliniqueck.com|F|2"] [data "https:/"] [severity "CRITICAL"] [hostname "cliniqueck.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "WHT3frhrXyAADKmyOXwAAAML"]

They identified this as ModSecurity rule 210920.

Hope this helps

claudedagenais

No for the Google Adverts

This problem is solid and present with all Pagelines implementations we have.

I'm hosted with Funio, a Montreal, Quebec, Canada based company.

See the description of what I did to recreate the problems, you will see that somehow it is Pagelines doing this.

Sincerely

Just to add: the only Google technology in there is the Map section, and Analytics I think.

Just to add some more... The first error has been present for months now, the second one is more recent, probably the last few weeks, before Christmas.
Simon

No code from Platform5 or any extension or theme has the string goo.gl which is matched in your 2nd log.

The code in the 1st log, function HideContent(d), is also not found in any PageLines code.

The only reference I could find for that code is some old css blog: http://www.willmaster.com/blog/css/show-hide-div-layer.php

 

claudedagenais

Wow, we have a mystery then, because this is generated when I'm trying to save changes in Pagelines back and front ends.

I do have 27 plugins in there (13 from Pagelines)...

So what I did is go to an install I could play with and only left WordPress, PageLines Platform 5 & Framework to see if I can save in the backend. Guess what... I have the same problem as #1. So I don't know... It doesn't leave many other possibilities. So this is really a mystery...

Since I know what rules to get rid of, my problem is solved, but I don't know...

 

Simon

Actually, looking at your page source I can see the javascript that is causing the 1st error.

Image 2017-01-11 at 12.52.07 am.png

claudedagenais
56 minutes ago, Simon said:

You should be able to disable rules, as long as the host has that option compiled into mod_sec.

http://wiki.atomicorp.com/wiki/index.php/Mod_security#Disabling_rules_using_.htaccess

Have you tried disabling modsec with htaccess?


<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

 

No, I did not. I can turn ModSec off and on in cPanel. And now my hosting company has turned off the 2 offending rules for the domains I've asked them about.
claudedagenais
59 minutes ago, Simon said:

Actually, looking at your page source I can see the javascript that is causing the 1st error.

Image 2017-01-11 at 12.52.07 am.png

OK, but that is not my stuff. This is part of the child theme stuff that you have produced, no?
Simon
24 minutes ago, claudedagenais said:

OK, but that is not my stuff. This is part of the child theme stuff that you have produced, no?

No, nothing to do with us.

That's javascript, we use jQuery.
claudedagenais

I've been doing some digging and I can't find this code anywhere in a local mirror of that site.

And again, with a site with only WordPress, PageLines Platform 5 & Framework active I still have the problem. Thursday I'll try to reproduce this with a clean install with just Platform & Framework.

I'll also clean up my child theme. But if you have an idea, I'm all ears.

7 minutes ago, Simon said:

No, nothing to do with us.

That's javascript, we use jQuery.

How can it be in all of my sites that have Platform? 

claudedagenais

Bingo!

For some reason I had an old child theme that was a derivative of the PageLines.com Framework Child Theme that I was using as a base for my child theme for all my projects. Looking into it I realized that it was way too complicated for what I really need. So I created a new one from scratch with just the basic stuff in the function.php that I need in all my projects and it works. So I will have to go back to all my previous projects, change the child theme and I believe it will solve the problem.

Thank you Simon for your patience with me. You can close this.

claudedagenais

Well, I was thinking I was done, but no. But this time I know what is causing the problem, if you want to share:

I am still getting a 404 when saving the settings page in the backend on a website I'm working on. So I asked for the error log. This is what I got:

[Thu Jan 12 16:52:07.588856 2017] [:error] [pid 457443:tid 140110636963584] [client 192.81.14.3] ModSecurity: Access denied with code 403 (phase 2). Pattern match "image/svg\\\\+xml|text/(css|ecmascript|html|javascript|vbscript|x-(javascript|scriptlet|vbscript)).|.application/x-shockwave-flash" at ARGS:pl_platform_settings[font_extra]. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/07_XSS_XSS.conf"] [line "221"] [id "212740"] [rev "3"] [msg "COMODO WAF: XSS Attack Detected||cliniqueck.com|F|2"] [data "Matched Data: text/css' found within ARGS:pl_platform_settings[font_extra]: <link href='https://fonts.googleapis.com/css?family=lato:400,900,300,700' rel='stylesheet' type='text/css'>\\x0d\\x0a<link href='https://fonts.googleapis.com/css?family=cinzel:400,700,900' rel='stylesheet' type='text/css'>\\x0d\\x0a<link href='https://fonts.googleapis.com/css?family=roboto:400,100,300,500,700,900' rel='stylesheet' type='text/css'>"] [severity "CRITICAL"] [hostname "cliniqueck.com"] [uri "/wp-admin/admin-post.php"] [unique_id "WHf6h7hrXyAABvrjm2kAAASX"]

So I went into my settings in the Typography and removed the links to Google Fonts that look like:

<link href='https://fonts.googleapis.com/css?family=Lato:400,900,300,700' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Cinzel:400,700,900' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,300,500,700,900' rel='stylesheet' type='text/css'>

Now I don't get a 404 when trying to save anymore...

So I guess that trying to save settings while Google Fonts are included can trigger ModSecurity... 

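An added example (my own code, not from this thread, PageLines or the host): a small Python parser for the three ModSecurity error-log entries quoted in this thread (rules 212000, 210920 and 212740) that pulls out the rule id, rule file, URI and the argument the rule fired on, then prints the narrowest exclusion a host could add instead of switching ModSecurity off for the whole site. It assumes ModSecurity 2.x directives (SecRuleUpdateTargetById, SecRuleRemoveById) loaded after the vendor rule set; the sample entries are constructed from the thread with the long matched-data payloads trimmed.

```python
import re

# Constructed sample: the three "Access denied" entries quoted in this thread
# (same ids, rule files, URIs, clients and targets; the long matched-data
# payloads are trimmed). Each entry is one line in the real error_log.
SAMPLE_LOG = r'''
[Tue Jan 10 10:01:59.510982 2017] [:error] [pid 829844:tid 140716822992640] [client 192.81.14.2] ModSecurity: Access denied with code 403 (phase 2). Match of "contains google_ad" against "MATCHED_VAR" required. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/07_XSS_XSS.conf"] [line "14"] [id "212000"] [rev "1"] [msg "COMODO WAF: XSS Filter - Category 1: Script Tag Vector||cliniqueck.com|F|2"] [severity "CRITICAL"] [hostname "cliniqueck.com"] [uri "/wp-admin/admin-post.php"] [unique_id "WHT3Z7hrXyAADKmURoYAAAKM"]
[Tue Jan 10 10:02:23.035855 2017] [:error] [pid 829874:tid 140716833482496] [client 192.81.14.2] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "goo.gl" at ARGS:model. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/03_Global_Domains.conf"] [line "23"] [id "210920"] [rev "2"] [msg "COMODO WAF: Malicious site name found in request||cliniqueck.com|F|2"] [data "https:/"] [severity "CRITICAL"] [hostname "cliniqueck.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "WHT3frhrXyAADKmyOXwAAAML"]
[Thu Jan 12 16:52:07.588856 2017] [:error] [pid 457443:tid 140110636963584] [client 192.81.14.3] ModSecurity: Access denied with code 403 (phase 2). Pattern match "text/(css|html)" at ARGS:pl_platform_settings[font_extra]. [file "/usr/local/apache/conf/modsec_vendor_configs/comodo_apache/07_XSS_XSS.conf"] [line "221"] [id "212740"] [rev "3"] [msg "COMODO WAF: XSS Attack Detected||cliniqueck.com|F|2"] [data "Matched Data: text/css' found within ARGS:pl_platform_settings[font_extra]: <link href='https://fonts.googleapis.com/css?family=lato:400' rel='stylesheet' type='text/css'>"] [severity "CRITICAL"] [hostname "cliniqueck.com"] [uri "/wp-admin/admin-post.php"] [unique_id "WHf6h7hrXyAABvrjm2kAAASX"]
'''

# Bracketed [key "value"] pairs; values may carry escapes such as \x0d\x0a.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the rule fired on (e.g. ARGS:model), when the engine names one.
TARGET_RE = re.compile(r' at (ARGS:\S+?)\. \[file ')
CLIENT_RE = re.compile(r'\[client ([\d.]+)\]')

def parse_entry(line):
    """Fields of one ModSecurity rule hit, or None for any other log line."""
    fields = dict(FIELD_RE.findall(line))
    if 'ModSecurity:' not in line or 'id' not in fields:
        return None
    target = TARGET_RE.search(line)
    client = CLIENT_RE.search(line)
    fields['target'] = target.group(1) if target else None
    fields['client'] = client.group(1) if client else None
    return fields

def parse_log(text):
    return [e for e in map(parse_entry, text.strip().splitlines()) if e]

def exclusions(entries):
    """Narrowest ModSecurity 2.x exclusion per (rule, URI, target): drop only
    the named argument from the rule, or else disable the rule for that one
    admin URI. Never the whole engine. Assumed to load after the vendor rules."""
    out, seen = [], set()
    for e in entries:
        key = (e['id'], e['uri'], e['target'])
        if key in seen:
            continue
        seen.add(key)
        if e['target']:
            out.append('SecRuleUpdateTargetById %s "!%s"' % (e['id'], e['target']))
        else:
            out.append('<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>'
                       % (e['uri'].replace('.', r'\.'), e['id']))
    return out
```

Running `print('\n'.join(exclusions(parse_log(SAMPLE_LOG))))` gives one directive per rule hit; whether a shared host lets you place them in .htaccess (as Simon asks) or only in the vhost config is up to the host.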
Simon

Seems to, with that set of custom rules.

Did the host say whether you can disable rules with htaccess or not?

claudedagenais

I didn't ask to be honest.

Now that I'm testing I'm seeing that this one error (212740) is the most common between all my sites. So I'm thinking that I will try to include the Google Fonts some other way to avoid it.

By the way, if I turn off ModSecurity and save the changes in the settings, and turn ModSecurity back on, I have access to the Google Fonts and the site works normally. So the problem is just saving the settings in PageLines. Something upsets ModSecurity when you have Google Fonts in there and you save.

claudedagenais

If you would like, I can set up an environment so that you can test it tomorrow.
