
Issue ModSecurity: returns default Apache test page - not 403

John S.

New Pleskian
Hello All!

I have installed ModSecurity with basic atomic rules. The module is running, the log file contains error messages etc.

The problem is that the test URL mydomain.com/?abc=../../ is captured by ModSecurity, but returns the default Apache test page instead of a 403 error:

Apache 2 Test Page
powered by CentOS


The ModSecurity log file:

Code:
--eaa43667-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 4961
Connection: close
Content-Type: text/html

--eaa43667-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "39"] [id "33340006"] [rev "68"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Generic Path Recursion denied in URI/ARGS"] [data "../../,ARGS:abc"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "\\.\\./\\.\\./" at ARGS:abc.
Action: Intercepted (phase 2)
Stopwatch: 1541741622417990 27638 (- - -)
Stopwatch2: 1541741622417990 27638; combined=161, p1=11, p2=147, p3=0, p4=0, p5=2, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); 0.
Server: Apache
Engine-Mode: "ENABLED"

As you can see, it should return Access denied 403, but instead goes to the default Apache test page of the domain. I can manually redirect the default page to 403, but cannot understand why ModSecurity doesn't return 403 code itself.

Other tests like mydomain.com/index.php?foo=Domain Name Registration and Web Hosting | Domain.com return Access denied 403 as it should be. The problem is only with mydomain.com/?abc=../../

Any ideas what is happening here?

Thanks!!!
 
I have fixed the issue by commenting everything in /etc/httpd/conf.d/welcome.conf:

Code:
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Now it returns 403 Access forbidden.
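Added example, not part of the original posts: a small Python parser for the audit log entry quoted above. It reads the response status from section F and the rule match from section H, which separates what ModSecurity enforced from the body Apache served. On the root URL, the ErrorDocument 403 line in welcome.conf selects that body. The function names and the trimmed sample are assumptions made for this illustration.

```python
import re

# Constructed sample: trimmed copy of the audit log entry quoted in the thread.
SAMPLE = r"""--eaa43667-F--
HTTP/1.1 403 Forbidden
Content-Length: 4961
Content-Type: text/html

--eaa43667-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "39"] [id "33340006"] [data "../../,ARGS:abc"] [severity "CRITICAL"] Access denied with code 403 (phase 2).
Action: Intercepted (phase 2)
"""

# Audit log parts are delimited by lines such as --eaa43667-F--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def split_sections(entry):
    """Map each section letter (F, H, ...) to the lines that follow it."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return sections

def summarize(entry):
    """Pull the response status (F) and the rule verdict (H) from one entry."""
    sec = split_sections(entry)
    resp = [l for l in sec.get("F", []) if l.strip()]
    status = int(resp[0].split()[1]) if resp else None
    headers = dict(l.split(": ", 1) for l in resp[1:] if ": " in l)
    trailer = "\n".join(sec.get("H", []))
    denied = re.search(r"Access denied with code (\d+)", trailer)
    return {
        "status": status,
        "content_length": int(headers.get("Content-Length", 0)),
        "rule_ids": re.findall(r'\[id "(\d+)"\]', trailer),
        "intercepted": "Action: Intercepted" in trailer,
        "deny_code": int(denied.group(1)) if denied else None,
    }

def blocked_as_configured(summary):
    """True when the status sent to the client equals the rule's deny code."""
    return (summary["intercepted"] and summary["status"] is not None
            and summary["status"] == summary["deny_code"])

if __name__ == "__main__":
    print(summarize(SAMPLE), blocked_as_configured(summarize(SAMPLE)))
```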
 