From: Miles Skorpen <mi...@copress.org>
Date: 09 June 2009 4:45:17 PM EDT
To: Daniel Bachhuber <dan...@copress.org>
Subject: Fwd: [Liquid Web, Inc. support ID# 1482018] Re: [Liquid Web, Inc. support ID# 1482018] Re: [Liquid Web, Inc. support ID# 1482018] Re: [Liquid Web, Inc. support ID# 1482018] Re: mod_security

Begin forwarded message:

To figure out what the rule ID being triggered was I ran the following
command:
tail /usr/local/apache/logs/modsec_audit.log

which returned:

--97a7c73b-H--
Message: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" at ARGS:content. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "355"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1233185129379248 482649 (109716* 122107 -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6

[id "300016"] is what I needed. I then had to create a .conf file at the
following location to be compliant with cpanel (note the directories past
"conf" did not previously exist):
/usr/local/apache/conf/userdata/std/thewhit/thewhitonline.com/<whatevernameyouwant>.conf
Inside this file, which I named "modsec2_300016_disable.conf" I placed the
following:
<LocationMatch "/">
SecRuleRemoveById 300016
</LocationMatch>
Now, I had to run a few cpanel scripts to make sure that it would accept the
custom vhost entry we made above and that the new entry would be persistent
through various apache reconfigurations/recompiles.
Check to make sure cpanel will accept the custom vhost:
/scripts/ensure_vhost_includes --user=thewhit
Save the httpd.conf configuration changes made by the above script so they are
persistent:
/usr/local/cpanel/bin/apache_conf_distiller --update
Then one last restart of apache just to make sure everything is working as
intended:
/etc/init.d/httpd restart
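
Added example (not part of the forwarded message or of Liquid Web's reply): a small Python parser for the audit-log trailer quoted above. It tallies hits by rule id, matched variable and rule file, so you can see exactly which rule and request argument an exclusion would have to cover. The sample log is constructed, uses a shortened pattern, and assumes each Message entry sits on a single line.

```python
import re
from collections import Counter

# Constructed sample: two section-H trailers in the layout quoted above.
# The second boundary id is made up and the rule pattern is shortened.
_MSG = ('Message: Access denied with code 500 (phase 2). Pattern match '
        '"(insert[[:space:]]+into.+values|select.+from|union.+select)" '
        'at ARGS:content. [file "/usr/local/apache/conf/modsec2.user.conf"] '
        '[line "355"] [id "300016"] [rev "2"] '
        '[msg "Generic SQL injection protection"] [severity "CRITICAL"]')
SAMPLE_LOG = "\n".join([
    "--97a7c73b-H--", _MSG, "Action: Intercepted (phase 2)", "--97a7c73b-Z--",
    "--1b2c3d4e-H--", _MSG, "Action: Intercepted (phase 2)", "--1b2c3d4e-Z--",
])

BOUNDARY = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--$')    # --<txn>-<section>--
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # [id "300016"] etc.
TARGET = re.compile(r'\bat ([A-Z_]+(?::\S+?)?)\. \[')     # at ARGS:content. [


def parse_messages(text):
    """Yield one dict per 'Message:' line inside an H (trailer) section."""
    txn, section = None, None
    for line in text.splitlines():
        boundary = BOUNDARY.match(line.strip())
        if boundary:
            txn, section = boundary.group(1), boundary.group(2)
            continue
        if section == "H" and line.startswith("Message:"):
            hit = dict(TAG.findall(line))      # file, line, id, rev, msg, severity
            target = TARGET.search(line)
            hit["target"] = target.group(1) if target else None
            hit["txn"] = txn
            yield hit


def summarize(text):
    """Count hits per (rule id, matched variable, rule file)."""
    return Counter((h.get("id"), h["target"], h.get("file"))
                   for h in parse_messages(text))


if __name__ == "__main__":
    for (rule_id, target, rule_file), count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:4d}  id={rule_id}  target={target}  file={rule_file}")
```

Run against the real log by passing the contents of /usr/local/apache/logs/modsec_audit.log to summarize() in place of SAMPLE_LOG.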