• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • (Plesk for Windows):
    MySQL Connector/ODBC 3.51, 5.1, and 5.3 are no longer shipped with Plesk because they have reached end of life. MariaDB Connector/ODBC 64-bit 3.2.4 is now used instead.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Issue ModSecurity: returns default Apache test page - not 403

J

John S.

New Pleskian
Hello All!

I have installed ModSecurity with basic atomic rules. The module is running, the log file contains error messages etc.

The problem is that testing url mydomain.com/?abc=../../ is captured by ModSecurity, but returns the default Apache test page instead of 403 error:

Apache 2 Test Page
powered by CentOS

The ModSecurity log file:

Code: 
--eaa43667-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 4961
Connection: close
Content-Type: text/html

--eaa43667-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "39"] [id "33340006"] [rev "68"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Generic Path Recursion denied in URI/ARGS"] [data "../../,ARGS:abc"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "\\.\\./\\.\\./" at ARGS:abc.
Action: Intercepted (phase 2)
Stopwatch: 1541741622417990 27638 (- - -)
Stopwatch2: 1541741622417990 27638; combined=161, p1=11, p2=147, p3=0, p4=0, p5=2, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); 0.
Server: Apache
Engine-Mode: "ENABLED"

As you can see, it should return Access denied 403, but instead goes to the default Apache test page of the domain. I can manually redirect the default page to 403, but cannot understand why ModSecurity doesn't return 403 code itself.

Other tests like mydomain.com/index.php?foo=Domain Name Registration and Web Hosting | Domain.com return Access denied 403 as it should be. The problem is only with mydomain.com/?abc=../../

Any ideas what is happening here?

Thanks!!!
 
I have fixed the issue by commenting everything in /etc/httpd/conf.d/welcome.conf:

Code: 
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Now it returns 403 Access forbidden.
 
You must log in or register to reply here.

Similar threads

S
Issue Need Help Whitelisting GTM Noscript in Comodo WAF Rule 214540 on Plesk
Replies
0
Views
136
SquanchIt
S
K
Question modsecurity
Replies
2
Views
945
Knutsford
K
L
Resolved ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/"
Replies
7
Views
8K
loman
L
F
Issue SQLmap attack detected (ID: 218500) on blank page
Replies
5
Views
2K
abdulsemiu
A
R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
2K
Linulex
Linulex
Back
Top