• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

Issue ModSecurity: returns default Apache test page - not 403

J

John S.

New Pleskian
Hello All!

I have installed ModSecurity with basic atomic rules. The module is running, the log file contains error messages etc.

The problem is that testing url mydomain.com/?abc=../../ is captured by ModSecurity, but returns the default Apache test page instead of 403 error:

Apache 2 Test Page
powered by CentOS

The ModSecurity log file:

Code: 
--eaa43667-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 4961
Connection: close
Content-Type: text/html

--eaa43667-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "39"] [id "33340006"] [rev "68"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Generic Path Recursion denied in URI/ARGS"] [data "../../,ARGS:abc"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "\\.\\./\\.\\./" at ARGS:abc.
Action: Intercepted (phase 2)
Stopwatch: 1541741622417990 27638 (- - -)
Stopwatch2: 1541741622417990 27638; combined=161, p1=11, p2=147, p3=0, p4=0, p5=2, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); 0.
Server: Apache
Engine-Mode: "ENABLED"

As you can see, it should return Access denied 403, but instead goes to the default Apache test page of the domain. I can manually redirect the default page to 403, but cannot understand why ModSecurity doesn't return 403 code itself.

Other tests like mydomain.com/index.php?foo=Domain Name Registration and Web Hosting | Domain.com return Access denied 403 as it should be. The problem is only with mydomain.com/?abc=../../

Any ideas what is happening here?

Thanks!!!
 
I have fixed the issue by commenting everything in /etc/httpd/conf.d/welcome.conf:

Code: 
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Now it returns 403 Access forbidden.
 
You must log in or register to reply here.

Similar threads

R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
559
Linulex
Linulex
S
Resolved FORBIDDEN ACCESS
Replies
2
Views
2K
soliu
S
U
Issue Error message ID 19494#0, 5467#0 and ModSecurity
Replies
3
Views
2K
Peter Debik
P
A
Issue ModSecurity Rule in custom directives ignored
Replies
0
Views
1K
Abed
A
A
Question ModSecurity: Input filter: Failed writing 8192 bytes to temporary file
Replies
0
Views
820
AdelM
A
Back
Top