• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Issue ModSecurity: returns default Apache test page - not 403

J

John S.

New Pleskian
Hello All!

I have installed ModSecurity with basic atomic rules. The module is running, the log file contains error messages etc.

The problem is that testing url mydomain.com/?abc=../../ is captured by ModSecurity, but returns the default Apache test page instead of 403 error:

Apache 2 Test Page
powered by CentOS

The ModSecurity log file:

Code: 
--eaa43667-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Content-Length: 4961
Connection: close
Content-Type: text/html

--eaa43667-H--
Message: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "39"] [id "33340006"] [rev "68"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Generic Path Recursion denied in URI/ARGS"] [data "../../,ARGS:abc"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "\\.\\./\\.\\./" at ARGS:abc.
Action: Intercepted (phase 2)
Stopwatch: 1541741622417990 27638 (- - -)
Stopwatch2: 1541741622417990 27638; combined=161, p1=11, p2=147, p3=0, p4=0, p5=2, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); 0.
Server: Apache
Engine-Mode: "ENABLED"

As you can see, it should return Access denied 403, but instead goes to the default Apache test page of the domain. I can manually redirect the default page to 403, but cannot understand why ModSecurity doesn't return 403 code itself.

Other tests like mydomain.com/index.php?foo=Domain Name Registration and Web Hosting | Domain.com return Access denied 403 as it should be. The problem is only with mydomain.com/?abc=../../

Any ideas what is happening here?

Thanks!!!
 
I have fixed the issue by commenting everything in /etc/httpd/conf.d/welcome.conf:

Code: 
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Now it returns 403 Access forbidden.
 
You must log in or register to reply here.

Similar threads

S
Issue Need Help Whitelisting GTM Noscript in Comodo WAF Rule 214540 on Plesk
Replies
1
Views
380
alvarezcruz
alvarezcruz
K
Question modsecurity
Replies
2
Views
1K
Knutsford
K
L
Resolved ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/"
Replies
7
Views
9K
loman
L
F
Issue SQLmap attack detected (ID: 218500) on blank page
Replies
5
Views
2K
abdulsemiu
A
R
Issue Problem with web application firewall - file extension is restricted by policy
Replies
3
Views
2K
Linulex
Linulex
Back
Top