Website is not available with enabled ModSecurity: 403 Forbidden

Created: 2016-11-16 12:53:56 UTC

Modified: 2017-05-10 02:56:48 UTC


Symptoms

  1. ModSecurity is installed and enabled.
  2. When browsing the website, the following error is shown:
    403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
  3. On Linux:
    An error like the following can be observed in /var/www/vhosts/example.com/logs/error_log:

    [Fri Apr 29 16:44:00.175711 2016] [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]

    On Windows:
    A similar error message can be found in the ModSecurity log file:

    Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:blog. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:blog: 'http://example.com/domain/folder/52104469.html'"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Cause

  • The website code uses deprecated methods, and as a result ModSecurity blocks the connection.
  • A false positive detection by ModSecurity.

Resolution

  1. Investigate the ModSecurity log file under Domains > example.com > Web Application Firewall > ModSecurity Log File.
  2. In the case of a false positive detection, try updating the ModSecurity rules and signatures:
    On Linux:
    # plesk sbin modsecurity_ctl --install --with-backup --enable-ruleset --ruleset tortix
  3. If the steps above did not help, change the website code so that ModSecurity no longer recognises it as harmful, or deactivate the corresponding ModSecurity rule under Domains > example.com > Web Application Firewall > Switch off security rules.
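Step 1 means finding the rule id, message and URI in lines like the two quoted under Symptoms. The following Python parser is an added example, not code from the article or from Plesk; the two sample lines are constructed from the excerpts above (shortened, example hosts), and `rule_hits` is a hypothetical helper for spotting a rule that repeatedly blocks the same traffic.

```python
import re
from collections import Counter

# ModSecurity writes its details as bracketed pairs such as [id "340465"] or [msg "..."].
TAG_RE = re.compile(r'\[([A-Za-z_]+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines, shortened from the two excerpts in the article (example hosts).
LINUX_LINE = (
    '[Fri Apr 29 16:44:00.175711 2016] [:error] [pid 31252] [client 203.0.113.2] ModSecurity: '
    '[file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] '
    '[line "387"] [id "340465"] [rev "56"] [msg "Remote File Injection attempt in ARGS (admin.php)"] '
    '[severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" '
    'against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. '
    '[hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]'
)
WINDOWS_LINE = (
    'Message: Access denied with code 403 (phase 2). Pattern match "(^[\\"\'`;]+|[\\"\'`;]+$)" at ARGS:blog. '
    '[file "C:\\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/base_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] '
    '[msg "SQL Injection Attack: Common Injection Testing Detected"] '
    '[data "Matched Data: \' found within ARGS:blog: \'http://example.com/domain/folder/52104469.html\'"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] '
    '[tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"]'
)


def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity log line as a dict.
    ModSecurity emits several [tag "..."] entries per hit, so "tag" becomes a list;
    "denied" records whether the line is an actual phase-2 block with code 403."""
    fields = {}
    for key, value in TAG_RE.findall(line):
        if key == "tag":
            fields.setdefault("tag", []).append(value)
        else:
            fields[key] = value
    fields["denied"] = "Access denied with code 403" in line
    return fields


def rule_hits(lines):
    """Hypothetical helper: count blocking rule ids over many log lines.
    A rule that keeps firing on ordinary requests to one URI is the false-positive
    candidate to review first; its bare numeric id (e.g. 340465) identifies the rule."""
    parsed = (parse_modsec_line(line) for line in lines)
    return Counter(f["id"] for f in parsed if f["denied"] and "id" in f)
```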

3 Comments

  • Tony

    It's worth noting the free Atomic list won't get this fix/update until next month, right?

    I'm having trouble using Plesk 12.5 UI to Switch off the Rule by ID. Is the correct ID format "[id "340465"]"?

  • Tony

    After updating to the $200/yr paid Atomic list this issue is resolved. I think otherwise I would've had to wait 30 days for the free delayed updates to be deployed to me.

  • Lev Iurev

    @Tony the issue should be fixed by running the above-mentioned command.
