• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue WAF does not switch off designated security rules

frg62

Basic Pleskian
Hello,

Server config :
- ‪Debian 7.11‬
- Plesk 12.5.30 Update #68
- MySQL 5.6.37-1debian7
- WAF using Atomic Basic ModSecurity, with daily updates, and Tradeoff configuration
Completely up-to-date at this time (Plesk and apt-get upgrade)

(If you need more info, just ask.)

One one of the websites, it is impossible to update a WP page,as it gives the following error:
ModSecurity: Warning. Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_582ad5afda4b6][12][field_582ad63fda4b9]" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "386"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] [hostname "www.equipespopulaires.be"] [uri "/wp-admin/admin.php"] [unique_id "WXWoXF73tHEAABlwFpEAAAAJ"]

Seeing that message, I switched off rule 340465, by inserting it in the "Security rule IDs" panel of the "Switch off security rules" section.

But that changes nothing.

The only way to modify the page, is to temporary disable the WAF, or to put it in detection mode, where it then continues to report the problem...

Anyone as any idea on what is going wrong?

Regards,
Francois
 
Hello Igor,

Thanks a lot, this is exactly my problem.
But I could only solve it, by disabling the WAF on the concerned website.

The code seems to be the source of the problem, I have warned the website owner (I have no direct contact with his developers).
 
Seeing that message, I switched off rule 340465, by inserting it in the "Security rule IDs" panel of the "Switch off security rules" section.
Did you tried to switch off rule id 340465 on the server level and not per domain in Tools & Settings>> Security >> Web Application Firewall (ModSecurity) >> Switch off security rules ?
 
It does not seem to work any better... or I did not configure it correctly.

What I did:
I created in the conf directory, a file named modsecurity_crs_10_custom.conf, and I put the following line in it:
SecRule REQUEST_FILENAME "@beginswith /svn" "id:123,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340465"

Yet no-go.

I also tried:
SecRule REQUEST_FILENAME "@beginswith /svn" "id:340465,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340465"

No luck either.

Is my syntax correct?
 
This issue still happens on Plesk Obsidian Version 18.0.61 Update #5.
I did not check other talk-threads and so on, but I don´t think this critical issues has been taken serious by Plesk.
 
Back
Top