Symptoms
- ModSecurity is installed and enabled.
- When browsing the website, the following error is shown:
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
On Linux:
An error like the following can be observed in /var/www/vhosts/example.com/logs/error_log:
[Fri Apr 29 16:44:00.175711 2016] [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]
On Windows:
An error message like the following can be found in the ModSecurity log file:
Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:blog. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:blog: 'http://example.com/domain/folder/52104469.html'"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Cause
- The website code uses deprecated methods, and as a result ModSecurity blocks the connection.
- False positive detection by ModSecurity.
Resolution
- Investigate ModSecurity log file under Domains > example.com > Web Application Firewall > ModSecurity Log File.
- In case of a false positive detection, try to update the ModSecurity rules and signatures:
On Linux:
# plesk sbin modsecurity_ctl --install --with-backup --enable-ruleset --ruleset tortix
- If the steps above did not help, change the website code so that ModSecurity does not recognise it as harmful, or deactivate the corresponding ModSecurity rule under Domains > example.com > Web Application Firewall > Switch off security rules.
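Both resolution steps start from the same question: which rule id fired, on which request variable, and how often. The script below is an added example (not part of this article or of Plesk) that pulls the bracketed fields out of ModSecurity log lines in the two shapes shown under Symptoms, the Apache error_log line on Linux and the "Message:" line on Windows, and groups the hits by rule id so that a rule firing repeatedly on legitimate traffic stands out as a false-positive candidate. The sample log text is constructed from the excerpts above (with the Windows regex pattern shortened and one ordinary Apache notice line added to show non-ModSecurity lines being skipped); the function names are the example's own.

```python
import re

# Constructed sample: two lines adapted from the excerpts in the Symptoms section
# (an Apache error_log line from Linux, a "Message:" line from the Windows
# ModSecurity log) plus one ordinary Apache notice line that must be ignored.
SAMPLE_LOG = r'''[Fri Apr 29 16:44:00.175711 2016] [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]
[Fri Apr 29 16:44:01.000000 2016] [mpm_prefork:notice] [pid 31250] AH00163: Apache/2.4.6 configured -- resuming normal operations
Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`;]+|[\"'`;]+$)" at ARGS:blog. [file "C:/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:blog: 'http://example.com/domain/folder/52104469.html'"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"]
'''

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')           # [key "value"] pairs
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')   # Apache error_log client tag
# Which request variable the rule matched: the Apache 'against "VAR" required'
# wording, or the 'at VAR.' wording seen in the Windows log line.
TARGET_RE = re.compile(r'against "([^"]+)" required|\bat (\S+?)\.(?:\s|$)')


def parse_modsec_line(line):
    """Return a dict of the bracketed fields of one ModSecurity event,
    or None when the line carries no [id "..."] field (not a rule hit)."""
    fields = {}
    tags = []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":            # tag may repeat; keep all of them
            tags.append(value)
        else:
            fields[key] = value
    if "id" not in fields:
        return None
    fields["tags"] = tags
    m = TARGET_RE.search(line)
    fields["target"] = (m.group(1) or m.group(2)) if m else None
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else None
    return fields


def summarize(log_text):
    """Group events by rule id: hit count, message, rule file, and the request
    variables, URIs and clients involved. A rule with many hits on ordinary
    pages from ordinary visitors is the one to review before switching it off."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_modsec_line(line)
        if ev is None:
            continue
        entry = summary.setdefault(ev["id"], {
            "count": 0, "msg": ev.get("msg", ""), "file": ev.get("file", ""),
            "targets": set(), "uris": set(), "clients": set()})
        entry["count"] += 1
        if ev["target"]:
            entry["targets"].add(ev["target"])
        if ev.get("uri"):
            entry["uris"].add(ev["uri"])
        if ev["client"]:
            entry["clients"].add(ev["client"])
    return summary


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for rule_id, e in ranked:
        print(f'rule {rule_id}: {e["count"]} hit(s) - {e["msg"]}')
        print(f'  file:    {e["file"]}')
        print(f'  targets: {", ".join(sorted(e["targets"]))}')
        if e["uris"]:
            print(f'  uris:    {", ".join(sorted(e["uris"]))}')
```

Run it against a real file with `summarize(open(path).read())`. The numeric value inside `[id "..."]` (340465 and 981318 in the excerpts above) is the identifier to look up before deciding between fixing the request the application sends and switching the rule off; the `target` field tells you which form parameter or argument triggered it, which is usually enough to judge whether the match is a false positive.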
Comments
It's worth noting the free Atomic list won't get this fix/update until next month, right?
I'm having trouble using Plesk 12.5 UI to Switch off the Rule by ID. Is the correct ID format "[id "340465"]"?
After updating to the $200/yr paid Atomic list this issue is resolved. I think otherwise I would've had to wait 30 days for the free delayed updates to be deployed to me.
@Tony, the issue should be fixed by running the above-mentioned command.