• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue WAF does not switch off designated security rules

F

frg62

Basic Pleskian
Hello,

Server config :
- ‪Debian 7.11‬
- Plesk 12.5.30 Update #68
- MySQL 5.6.37-1debian7
- WAF using Atomic Basic ModSecurity, with daily updates, and Tradeoff configuration
Completely up-to-date at this time (Plesk and apt-get upgrade)

(If you need more info, just ask.)

One one of the websites, it is impossible to update a WP page,as it gives the following error:
ModSecurity: Warning. Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_582ad5afda4b6][12][field_582ad63fda4b9]" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "386"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] [hostname "www.equipespopulaires.be"] [uri "/wp-admin/admin.php"] [unique_id "WXWoXF73tHEAABlwFpEAAAAJ"]

Seeing that message, I switched off rule 340465, by inserting it in the "Security rule IDs" panel of the "Switch off security rules" section.

But that changes nothing.

The only way to modify the page, is to temporary disable the WAF, or to put it in detection mode, where it then continues to report the problem...

Anyone as any idea on what is going wrong?

Regards,
Francois
 
Hello Igor,

Thanks a lot, this is exactly my problem.
But I could only solve it, by disabling the WAF on the concerned website.

The code seems to be the source of the problem, I have warned the website owner (I have no direct contact with his developers).
 
frg62 said:
Seeing that message, I switched off rule 340465, by inserting it in the "Security rule IDs" panel of the "Switch off security rules" section.
Click to expand...
Did you tried to switch off rule id 340465 on the server level and not per domain in Tools & Settings>> Security >> Web Application Firewall (ModSecurity) >> Switch off security rules ?
 
It does not seem to work any better... or I did not configure it correctly.

What I did:
I created in the conf directory, a file named modsecurity_crs_10_custom.conf, and I put the following line in it:
SecRule REQUEST_FILENAME "@beginswith /svn" "id:123,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340465"

Yet no-go.

I also tried:
SecRule REQUEST_FILENAME "@beginswith /svn" "id:340465,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340465"

No luck either.

Is my syntax correct?
 
This issue still happens on Plesk Obsidian Version 18.0.61 Update #5.
I did not check other talk-threads and so on, but I don´t think this critical issues has been taken serious by Plesk.
 
You must log in or register to reply here.

Similar threads

F
Resolved Web Application Firewall Security Rules Not Deactivating
Replies
2
Views
2K
FizzyDev
F
Winnstorm
Resolved Issue installing modsecurity
Replies
6
Views
5K
ggorg
G
Azurel
Issue Is it possible to add query-string in error_log (ModSecurity)?
Replies
1
Views
1K
IgorG
IgorG
Azurel
Issue Extension ModSecurity issues with matomo?
Replies
3
Views
3K
Azurel
Azurel
J
Issue ModSecurity: returns default Apache test page - not 403
Replies
1
Views
4K
John S.
J
Back
Top