Login

**Dungeon-Dave** · 2011-10-07, 02:21 PM

Quote:Just to note something that will be useful for those reading this. When your apache won't restart because not knowing the servername. You'll get this error:

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.domain for ServerName

[FAILED]

You also get this if you haven't set your ServerName in the main httpd.conf - by default, it's commented out. Apache attempts to make a guess by using name resolution and in many cases fails - your editing there is improving Apache's chances of guessing right, but that's only because it was never formally told via the ServerName directive.

Note that this ServerName can be set to anything you like - it generally only gets reported in error pages, as well as becoming a name for unmatched VHOSTS.

Usually all other server config settings will override/hide this value and it rarely gets exposed in any webpages.

**inittux** · 2011-10-08, 07:11 AM

I see it now :) How I resolved it without using this, is that fine too? or is it better to change that back and then use the ServerName in httpd.conf ?

**Dungeon-Dave** · 2011-10-08, 01:00 PM

Essentially you fixed it by leaving enough clues for Apache to guess, but that relies on Apache having to expend additional effort hunting for the correct information. Using ServerName specifies it explicitly and allows Apache to start quicker.

Note that many hosting providers rely on ServerName to hide the real hostname or to separate out the identity of the Apache server from the host name - so that Apache can be moved between different platforms and still retain its identity without being tied to the underlying operating system. That's really the reason why many services (pure-ftpd, postfix, squid, etc) have a feature to establish their own identity separate from the OS.

**inittux** · 2011-10-08, 01:06 PM

Thanks for that info, that makes perfect sense :)

**inittux** · 2011-10-11, 07:42 AM

I finally got my mod_security figured out it's even too much protection if I use these rules so I have them deactivated.

I have enough protection from just the standard mod_security rules because with them activated I can't install

plugins, modules, and templates. Only need to figure out a way to whitelist my own ip from mod_security which is

possible. Now ready to start on IDS and then figure out a way to backup/restore incase I run into problems.

**Dungeon-Dave** · 2011-10-11, 01:33 PM

It *is* possible to add a rule to whitelist an IP - I did it once - but it then defeated my testing, since my rule meant everything worked for me but *only* me.

If you find that mod_security is breaking some sites, the logfiles should give you an indication of what it's blocking - it does tend to be somewhat paranoid about code, and in some ways has raised awareness of "defensive programming/secure coding" amongst plenty of developers unaware of just how exploitable their code was.

For all of my sites, I first flicked mod_security off to ensure it all worked fine without any filtering, then flicked it on and kept checking the logfiles to see what it stamped down upon. Sometimes, the changes I had to make were fairly simple (wrong permissions, owner, etc), but in other cases required upgrading web-based applications to the newer one which was mod_sec compliant.[1]

[1] a few websites give workarounds showing how to disable and/or whitelist specific modsec functionality for their apps whilst they worked upon the next version that included more robust code which wouldn't trigger modsec false positives.

It's still a learning curve, ultimately. I wouldn't get too bogged down upon what the rulesets actually are (nor about trying to write them), it is safer to check that website code (drupal, etc) works with mod_sec and investigate the reasons why not. Usually the reasons are something of concern and DO needs to be addressed.

**inittux** · 2011-10-12, 10:34 AM

Yeah that's true, but I was more thinking as in that I won't have to look into any of the rules to make it work for my own ip. I could always unwhitelist my ip to test. But I might as well do it right while I'm learning :P I have the modsecurity standaard rules activated and I have the asl (from goroot) deactivated. When I have the ones from asl activated my whole website is not accessible anymore. So I have it deactivated for now going to figure out the standaard mod_security rules problem first. When I have the standard modsecurity rules activated my website works fine, but when I got to my backend and change for example a template setting I get an error permission denied. I check my logfile en gives me this error message:

[12/Oct/2011:14:46:25 +0200] TpWMIV5L6qcAAAYaFTEAAAAB 145.117.9.54 37936 94.75.234.167 443

--2c67c23e-B--

POST /administrator/index.php?option=com_templates&layout=edit&id=9 HTTP/1.1

Host: feedmebits.nl

Connection: keep-alive

Content-Length: 1363

Cache-Control: max-age=0

Origin: https://feedmebits.nl

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1

Content-Type: application/x-www-form-urlencoded

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Referer: https://feedmebits.nl/administrator/index.php?option=com_templates&view=style&layout=edit&id=9

Accept-Encoding: gzip,deflate,sdch

Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Cookie: f842f640e32e90667fe9655ea38a3626=cd709e8cc010452c9aa1497fedbca249; jpanesliders_panel-sliders=0; jpanesliders_template-sliders-9=0

--2c67c23e-C--

jform%5Btitle%5D=Joomlage0038-Transition+-+Default&jform%5Btemplate%5D=joomlage0038-transition&jform%5Bclient_id%5D=0&jform%5Bhome%5D=1&task=style.apply&10070264a26c5b6cc2f35b5afab22885=1&jform%5Bparams%5D%5Bgraphics_colorStyle%5D=style3&jform%5Bparams%5D%5Bfont_size%5D=12px&jform%5Bparams%5D%5Bsite_font_color%5D=%23000000&jform%5Bparams%5D%5Bleft_font_color%5D=%23FFFFFF&jform%5Bparams%5D%5Bsmall_headings_font_color%5D=%23000000&jform%5Bparams%5D%5Bcolor_link_content%5D=%23EDEDED&jform%5Bparams%5D%5Bcolor_link_content_hover%5D=%23333333&jform%5Bparams%5D%5Bleftside_link_color%5D=%23F7F7F7&jform%5Bparams%5D%5Bleftside_link_hover_color%5D=%23F0F0F0&jform%5Bparams%5D%5BlogoType%5D=text&jform%5Bparams%5D%5BlogoText%5D=My+Learning+Project&jform%5Bparams%5D%5BsloganText%5D=Doing+is+learning&jform%5Bparams%5D%5Bcopyright%5D=Copyright+%C2%A9+feedmebits.nl+2011&jform%5Bparams%5D%5Bnav_home_sw%5D=0&jform%5Bparams%5D%5Bnav_home%5D=&jform%5Bparams%5D%5Bnav_rssfeed_sw%5D=0&jform%5Bparams%5D%5Bnav_rssfeed%5D=&jform%5Bparams%5D%5Bnav_twitter_sw%5D=0&jform%5Bparams%5D%5Bnav_twitter%5D=https%3A%2F%2Ftwitter.com%2F%23%21%2Ffeedmebits&jform%5Bparams%5D%5Bnav_facebook_sw%5D=0&jform%5Bparams%5D%5Bnav_facebook%5D=&jform%5Bparams%5D%5Bnav_myspace_sw%5D=0&jform%5Bparams%5D%5Bnav_myspace%5D=&jform%5Bparams%5D%5Bnav_blogger_sw%5D=0&jform%5Bparams%5D%5Bnav_blogger%5D=

--2c67c23e-F--

HTTP/1.1 403 Forbidden

Content-Length: 289

Connection: close

Content-Type: text/html; charset=iso-8859-1

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][leftside_link_hover_color]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][l"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][logoType]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][l"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][logoText]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][l"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][sloganText]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][s"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][copyright]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_home_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_home]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_rssfeed_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_rssfeed]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_twitter_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_twitter]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_facebook_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_facebook]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_myspace_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_myspace]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_blogger_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_blogger]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 100): 900030-Detects common XSS concatenation patterns 1/2"]

Action: Intercepted (phase 2)

Apache-Handler: php5-script

Stopwatch: 1318423585315934 61972 (800* 61480 -)

Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5; 200911012341; core ruleset/2.0.5; 200911012341.

Server: Apache/2.2.15 (CentOS)

--2c67c23e-Z--

**Dungeon-Dave** · 2011-10-13, 11:41 AM

Firstly.. don't suppose you have referrer-blocking on, have you?

Secondly, consider setting up a test site using Vhosting and having mod_security running on that one but off on your second. Then you can compare what differences they are between each when mod_sec trips and blocks content.

**inittux** · 2011-10-13, 11:46 AM

Quote:Firstly.. don't suppose you have referrer-blocking on, have you?

Secondly, consider setting up a test site using Vhosting and having mod_security running on that one but off on your second. Then you can compare what differences they are between each when mod_sec trips and blocks content.

Don't even know what is, but looked it up and no I don't have rewrite engine on

Good idea about making a test site, hadn't thought of that yet :P

**Dungeon-Dave** · (This post was last modified: 2011-10-13, 05:03 PM by hybrid.)

Quote:<blockquote data-ipsquote="" class="ipsQuote" data-ipsquote-contentcommentid="15218" data-ipsquote-username="Dungeon-Dave" data-cite="Dungeon-Dave" data-ipsquote-timestamp="1318506110" data-ipsquote-contentapp="forums" data-ipsquote-contenttype="forums" data-ipsquote-contentid="4150" data-ipsquote-contentclass="forums_Topic"><div>
Firstly.. don't suppose you have referrer-blocking on, have you?

Secondly, consider setting up a test site using Vhosting and having mod_security running on that one but off on your second. Then you can compare what differences they are between each when mod_sec trips and blocks content.

Don't even know what is, but looked it up and no I don't have rewrite engine on

Good idea about making a test site, hadn't thought of that yet [img]<___base_url___>//public/style_emoticons/default/tongue.png[/img].

</div></blockquote>

I was thinking more refcontrol or so - I have it installed and it's triggered mod_sec at times.

Login
Username/Email:
Password:	Lost Password?
	Remember me