Issue ModSecurity: returns default Apache test page - not 403

John S.

New Pleskian
Hello All!

I have installed ModSecurity with basic atomic rules. The module is running, the log file contains error messages etc.

The problem is that the test URL mydomain.com/?abc=../../ is captured by ModSecurity, but returns the default Apache test page instead of a 403 error:

Apache 2 Test Page
powered by CentOS


The ModSecurity log file:

Code:
--eaa43667-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 4961
Connection: close
Content-Type: text/html

--eaa43667-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "39"] [id "33340006"] [rev "68"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Generic Path Recursion denied in URI/ARGS"] [data "../../,ARGS:abc"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "\\.\\./\\.\\./" at ARGS:abc.
Action: Intercepted (phase 2)
Stopwatch: 1541741622417990 27638 (- - -)
Stopwatch2: 1541741622417990 27638; combined=161, p1=11, p2=147, p3=0, p4=0, p5=2, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); 0.
Server: Apache
Engine-Mode: "ENABLED"

As you can see, it should return Access denied 403, but instead goes to the default Apache test page of the domain. I can manually redirect the default page to 403, but cannot understand why ModSecurity doesn't return 403 code itself.

Other tests like mydomain.com/index.php?foo=Domain Name Registration and Web Hosting | Domain.com return Access denied 403 as it should be. The problem is only with mydomain.com/?abc=../../

Any ideas what is happening here?

Thanks!!!
 
I have fixed the issue by commenting out everything in /etc/httpd/conf.d/welcome.conf:

Code:
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Now it returns 403 Access forbidden.
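
Why the fix above works, as an added example (not code from the thread, Plesk or Atomicorp): Apache matches `<LocationMatch>` against the URL path without the query string, so `/?abc=../../` falls under `^/+$` and a 403 raised there is rendered with `/error/noindex.html`, while `/index.php?...` is not. The function names are illustrative, the sample config is constructed from the welcome.conf quoted above, and only server-wide and `<LocationMatch>` scopes are evaluated.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the stock welcome.conf from the thread, with the directives active.
WELCOME_CONF = '''\
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>
'''

OPEN = re.compile(r'<(\w+)\s+"?([^">]+)"?\s*>')
CLOSE = re.compile(r'</(\w+)\s*>')
ERRDOC = re.compile(r'ErrorDocument\s+403\s+(\S+)', re.I)


def find_403_overrides(conf_text):
    """Return (scope_kind, scope_pattern, document) for each active ErrorDocument 403."""
    found, stack = [], []              # stack of enclosing <Section arg> blocks
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):    # commented-out lines are inactive
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append((m.group(1).lower(), m.group(2)))
        elif (m := ERRDOC.match(line)):
            kind, pattern = stack[-1] if stack else ('global', '')
            found.append((kind, pattern, m.group(1)))
    return found


def body_for_403(conf_text, url):
    """Document Apache would send as the body of a 403 for this URL, or None."""
    path = urlsplit(url).path or '/'   # the query string never takes part in the match
    doc = None
    # Location-type sections are merged after the server-wide config, so check them last.
    ordered = sorted(find_403_overrides(conf_text), key=lambda o: o[0] == 'locationmatch')
    for kind, pattern, target in ordered:
        if kind == 'global' or (kind == 'locationmatch' and re.search(pattern, path)):
            doc = target
    return doc


if __name__ == '__main__':
    for url in ('http://mydomain.com/?abc=../../', 'http://mydomain.com/index.php?foo=x'):
        print(url, '->', body_for_403(WELCOME_CONF, url))
```

Running it over the files in /etc/httpd/conf.d/ shows which paths would still have a ModSecurity 403 rendered with a custom page.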