Articles in this section

See more

Website on a Plesk server is not available with enabled ModSecurity: 403 Forbidden

Avatar
Alexandr Shadrin
Updated
Follow

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

  1. ModSecurity is installed and enabled.
  2. When browsing website the following error is shown:

    CONFIG_TEXT: 403 - Forbidden: Access is denied error is shown. You do not have permission to view this directory or page using the credentials that you supplied.

  3. On Linux:
    The similar error like the following can be observed in /var/www/vhosts/example.com/logs/error_log:

    CONFIG_TEXT: [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]

    On Windows:
    The similar error message can be found in ModSecurity log files:

    CONFIG_TEXT: Message: Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:blog. [file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ' found within ARGS:blog: 'http://example.com/domain/folder/52104469.html'"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Cause

  • Deprecated methods in website code, as a result, ModSecurity blocks the connection.
  • False positive detection by ModSecurity.

Resolution

  1. Investigate ModSecurity log file under Domains > example.com > Web Application Firewall > ModSecurity Log File.
  2. If the blocked queries are the valid one and detection is false positive, disable the rile by ID as described in the following article:
    How to disable a single ModSecurity rule for a website?

Note: Rule ID can be identified from the log files, in the example provided in this article the rules ID are 340465 and 981318.

Comments

3 comments

Sort by Date Votes
  • Avatar
    Tony

    It's worth noting the free Atomic list wont get this fix/update until next month, right?

    I'm having trouble using Plesk 12.5 UI to Switch off the Rule by ID.  Is the correct ID format  "[id "340465"]"?

    0
    Permalink
  • Avatar
    Tony

    After updating to the $200/yr paid Atomic list this issue is resolved.  I think otherwise i would've had to wait 30 days for the free delayed updates to be deployed to me.

    0
    Permalink
  • Avatar
    Lev Iurev

    @Tony issue should be fixed by running abovementioned command

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles