Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- ModSecurity is installed and enabled.
- When browsing website the following error is shown:
CONFIG_TEXT: 403 - Forbidden: Access is denied error is shown. You do not have permission to view this directory or page using the credentials that you supplied.
-
On Linux:
The similar error like the following can be observed in/var/www/vhosts/example.com/logs/error_log:CONFIG_TEXT: [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]
On Windows:
The similar error message can be found in ModSecurity log files:CONFIG_TEXT: Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:blog. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:blog: 'http://example.com/domain/folder/52104469.html'"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Cause
- Deprecated methods in website code, as a result, ModSecurity blocks the connection.
- False positive detection by ModSecurity.
Resolution
- Investigate ModSecurity log file under Domains > example.com > Web Application Firewall > ModSecurity Log File, search for the website name and for the records similar to the ones shown above.
Note: in the examples above (in Symptoms section) rules ID are marked as bold.
- Disable the rule by ID as described in the following article:
How to disable a single ModSecurity rule for a website?
Note: Rule ID can be identified from the log files, in the example provided in this article the rules ID are 340465 and 981318.
Comments
3 comments
It's worth noting the free Atomic list wont get this fix/update until next month, right?
I'm having trouble using Plesk 12.5 UI to Switch off the Rule by ID. Is the correct ID format "[id "340465"]"?
After updating to the $200/yr paid Atomic list this issue is resolved. I think otherwise i would've had to wait 30 days for the free delayed updates to be deployed to me.
@Tony issue should be fixed by running abovementioned command
Please sign in to leave a comment.