Modsecurity Issues

2 posts by 2 authors in: Forums > CMS Builder
Last Post: June 10, 2013 (RSS)

Archived
Reply
Reply

By Perchpole - June 10, 2013

Hello, All -

I'm starting to have major issues with one of my regular hosts - UK2.net. The company appear to have adopted a new and rather over-zealous approach to server security with the result that almost every use of CMSB triggers a Modsecurity warning. Today, whilst editing a fairly simply CMSB set-up, the alarms sounded again. The sheilds went up and I was locked out of the site for over 4 hours. The tech-support guys answered:

Hello,

Thank you for your reply. In order to fix the issue you are having we will need more information on what programs and scripts you were running at the time of the block being placed?

Below id a link to the information we have on the rule being tripped, please read it as it will better help you to help us identify the issue: http://atomicorp.com/wiki/index.php/WAF_390149

The link above leads to a page which gives some interesting info. Clearly they believe the use of CMSB is tripping some kind of security rule.

Obviously I do not know what to say in response. All I do know is that these repeated interuptions of service are becomming intolerable. What do I say to allay their concerns?

NB: For the record, no it would not be easy to "change hosts" as I have about 20 sites with this company.

Perchpole

Archived
Reply
Reply

By Dave - June 10, 2013

Hi Perch,

I'd reply with this:

The administrative menu of our CMS lets us enter both raw PHP and MySQL code. This is probably what's generating the false positives.

There's an .htaccess in the cms folder that already tries to disable mod_security but it looks like .htaccess files are being ignored on our server. Here's the content of the .htaccess:

# disable mod_security (some of the admin menus allow you to define SQL which mod_security detects and then denied access to)
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Can you give me instructions on disabling mod_security on a per-directory or per-host basis, or enable .htaccess files? Or I can provide you with a list of hostnames and directories, but I'd rather not have to email support each time we setup a new host.

Let me know what's easiest, thanks.

And include the url of one your /cmsAdmin/ folders so they can take a look.

Hope that helps! Let me know what they say, thanks!

Dave Edis - Senior Developer
interactivetools.com