vakis - 2013-10-31

Hello,

I am new to mod_security, so... I am facing an issue with it and Joomla, currently tested on Joomla 2.5.14.
For this I use a testing dev server on the LAN:
3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686 GNU/Linux
PHP Version: 5.4.4-14+deb7u5

root@debian:/# apt-cache show libapache-mod-security | grep Version
Version: 2.6.6-6+deb7u1

I have copied and am using only the rules from this location: /usr/share/modsecurity-crs/base_rules/

I am also using the modsecurity.conf-recommended as modsecurity.conf

The conf files are read with this order:

<IfModule security2_module>
Include /etc/apache2/mod-security/modsecurity.conf
Include /etc/apache2/mod-security/modsecurity_crs_10_setup.conf
Include /etc/apache2/mod-security/activated_rules/*.conf
Include /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf
</IfModule>

So when I access the Joomla backend (/administrator/) area I get blocked.
I was patient enough to do this step by step and keep all kinds of blocks from mod_security, then whitelist them one by one as they happened and retry.
Please see below:

----------------------------------------------

VISITING JOOMLA 2.5 ADMINISTRATOR:

Message: Rule b56a2270 [id "950901"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null).
Stopwatch: 1383185496895930 103396 (- - -)
Stopwatch2: 1383185496895930 103396; combined=98659, p1=391, p2=98151, p3=3, p4=77, p5=36, sr=118, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--59edbc1e-Z--

----------------------------------------------

SAVING ARTICLE IN JOOMLA 2.5

Message: Rule b58f5f98 [id "950119"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_40_generic_attacks.conf"][line "148"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "\W{4,}" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data ">\x0d\x0a<"]
Action: Intercepted (phase 2)
Stopwatch: 1383186034572263 92718 (- - -)
Stopwatch2: 1383186034572263 92718; combined=85854, p1=347, p2=85394, p3=0, p4=0, p5=112, sr=84, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--897bab3c-Z--

Message: Rule b58c5e68 [id "950018"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_40_generic_attacks.conf"][line "81"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "\W{4,}" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data ">\x0d\x0a<"]
Action: Intercepted (phase 2)
Stopwatch: 1383186322266527 89935 (- - -)
Stopwatch2: 1383186322266527 89935; combined=82597, p1=344, p2=82144, p3=0, p4=0, p5=108, sr=88, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--59989278-Z--

--1833ab0c-H--
Message: Access denied with code 403 (phase 2). Pattern match "\W{4,}" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data ">\x0d\x0a<"]
Action: Intercepted (phase 2)
Stopwatch: 1383186487551827 90194 (- - -)
Stopwatch2: 1383186487551827 90194; combined=83474, p1=345, p2=83039, p3=0, p4=0, p5=89, sr=82, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--1833ab0c-Z--

--bd37956b-H--
Message: Access denied with code 403 (phase 2). Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*){4,}" at ARGS_NAMES:jform[attribs][show_title]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "]"]
Action: Intercepted (phase 2)
Stopwatch: 1383187209077801 94820 (- - -)
Stopwatch2: 1383187209077801 94820; combined=86748, p1=462, p2=86181, p3=0, p4=0, p5=104, sr=127, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--bd37956b-Z--

Message: Rule b565d380 [id "981257"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "221"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\s?(?:all|distinct|[(!@]?)?\s?[([]?\s*?select)|(?:\w+\s+like\s+[\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\%)|(?:[\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'\xc2\xb4\xe2 ..." at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\xc2\xa0components a"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Action: Intercepted (phase 2)
Stopwatch: 1383187398986109 117118 (- - -)
Stopwatch2: 1383187398986109 117118; combined=110469, p1=348, p2=109980, p3=0, p4=0, p5=140, sr=84, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--2bf98729-Z--

--a2c78c6f-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:union\s?(?:all|distinct|[(!@]?)?\s?[([]?\s*?select)|(?:\w+\s+like\s+[\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\%)|(?:[\"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'\xc2\xb4\xe2 ..." at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "235"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\xc2\xa0components a"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Action: Intercepted (phase 2)
Stopwatch: 1383187502638540 112088 (- - -)
Stopwatch2: 1383187502638540 112088; combined=105295, p1=345, p2=104808, p3=0, p4=0, p5=141, sr=80, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--a2c78c6f-Z--

Message: Rule b5057ce0 [id "958102"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "257"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "

"]
Action: Intercepted (phase 2)
Stopwatch: 1383187593954505 223493 (- - -)
Stopwatch2: 1383187593954505 223493; combined=216707, p1=347, p2=216193, p3=0, p4=0, p5=166, sr=82, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--2a31706f-Z--

Message: Rule b5510e80 [id "958034"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "46"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "

"]
Action: Intercepted (phase 2)
Stopwatch: 1383187717476706 224347 (- - -)
Stopwatch2: 1383187717476706 224347; combined=217651, p1=342, p2=217165, p3=0, p4=0, p5=143, sr=83, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--b9cf6b56-Z--

Message: Rule b562faa8 [id "981243"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "257"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "

"]
Action: Intercepted (phase 2)
Stopwatch: 1383187793338454 222736 (- - -)
Stopwatch2: 1383187793338454 222736; combined=216014, p1=343, p2=215502, p3=0, p4=0, p5=168, sr=84, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--35261b09-Z--

--b899cb22-H--
Message: Access denied with code 403 (phase 2). Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "556"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "

"]
Action: Intercepted (phase 2)
Stopwatch: 1383187876919406 221326 (- - -)
Stopwatch2: 1383187876919406 221326; combined=214587, p1=350, p2=214092, p3=0, p4=0, p5=144, sr=83, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--b899cb22-Z--

--67811b66-H--
Message: Access denied with code 403 (phase 2). Pattern match "\b(background|dynsrc|href|lowsrc|src)\b\W*?=" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "588"] [id "973304"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "href="]
Action: Intercepted (phase 2)
Stopwatch: 1383187985970082 222879 (- - -)
Stopwatch2: 1383187985970082 222879; combined=215868, p1=346, p2=215380, p3=0, p4=0, p5=141, sr=83, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--67811b66-Z--

--2d695e53-H--
Message: Access denied with code 403 (phase 2). Pattern match "\bstyle\b\W*?=" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "614"] [id "973306"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "style="]
Action: Intercepted (phase 2)
Stopwatch: 1383188074454169 222903 (- - -)
Stopwatch2: 1383188074454169 222903; combined=216162, p1=345, p2=215651, p3=0, p4=0, p5=165, sr=82, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--2d695e53-Z--

Message: Rule b5601de0 [id "973332"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "759"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "(?i:[\"\'][ ](([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].?[\]].*?))=)" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "761"] [id "973333"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "\x22 />

\xc2

Media Manager

The media manager component lets you upload and insert images into content throughout your site. Optionally, you can enable the flash uploader which will allow you to to upload multiple images. <a href="]
Action: Intercepted (phase 2)
Stopwatch: 1383188867929868 239904 (- - -)
Stopwatch2: 1383188867929868 239904; combined=233267, p1=336, p2=232764, p3=0, p4=0, p5=166, sr=81, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--9703d850-Z--

--42f5dd68-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:[ /+\t\"\'`]style[ /+\t]?=.?([:=]|(&[#()=]x?0((58)|(3A)|(61)|(3D));?)).?([(\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "727"] [id "973316"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data " style=\x22color: gray; border: 1px dashed gray;\x22 />

\xc2

Media Manager

The media manager component lets you upload and insert images into content throughout your site. Optionally, you can enable the flash uploader which will allow you to to upload multiple images. Help

<hr title=\x22Extensions Manager\x22 alt=\x22Extensions Manager\x22 class=\x22system-pagebreak\x22 s..."]
Action: Intercepted (phase 2)
Stopwatch: 1383189976083710 222560 (- - -)
Stopwatch2: 1383189976083710 222560; combined=215717, p1=345, p2=215229, p3=0, p4=0, p5=142, sr=81, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--42f5dd68-Z--

Message: Rule b56f5f20 [id "973326"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "747"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "(?i:[\"\'][ ](([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].?[\]].*?))=)" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "761"] [id "973333"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "\x22 />

\xc2

Media Manager

The media manager component lets you upload and insert images into content throughout your site. Optionally, you can enable the flash uploader which will allow you to to upload multiple images. <a href="]
Action: Intercepted (phase 2)
Stopwatch: 1383190214360379 246441 (- - -)
Stopwatch2: 1383190214360379 246441; combined=239727, p1=346, p2=239212, p3=0, p4=0, p5=168, sr=83, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--20ccab10-Z--

--52b51c7e-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:[\"\'][ ](([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].?[\]].*?))=)" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "761"] [id "973333"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "\x22 />

\xc2

Media Manager

The media manager component lets you upload and insert images into content throughout your site. Optionally, you can enable the flash uploader which will allow you to to upload multiple images. <a href="]
Action: Intercepted (phase 2)
Stopwatch: 1383190325693597 241601 (- - -)
Stopwatch2: 1383190325693597 241601; combined=234856, p1=344, p2=234364, p3=0, p4=0, p5=147, sr=84, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--52b51c7e-Z--

HERE IT STOPPED THE 403

Apache-Error: [file "mod_suphp.c"] [line 59] [level 3] PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cgi/conf.d/ming.ini on line 1 in Unknown on line 0, referer: http://testing.this/administrator/index.php?option=com_content&view=article&layout=edit&id=1
Apache-Handler: x-httpd-suphp
Stopwatch: 1383190416040395 1087527 (- - -)
Stopwatch2: 1383190416040395 1087527; combined=237793, p1=347, p2=237264, p3=12, p4=125, p5=44, sr=84, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--1fe4747e-Z--

Message: Rule b55aab60 [id "973335"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "765"] - Execution error - PCRE limits exceeded (-8): (null).
Apache-Handler: x-httpd-suphp
Stopwatch: 1383190564501496 1125572 (- - -)
Stopwatch2: 1383190564501496 1125572; combined=242576, p1=334, p2=242046, p3=11, p4=144, p5=40, sr=83, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--3196e24f-Z--

Message: Rule b5626178 [id "973334"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "763"] - Execution error - PCRE limits exceeded (-8): (null).
Apache-Handler: x-httpd-suphp
Stopwatch: 1383190662910804 1118828 (- - -)
Stopwatch2: 1383190662910804 1118828; combined=235852, p1=343, p2=235316, p3=10, p4=142, p5=40, sr=83, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--e923c641-Z--

----------------------------------------------

SAVING GLOBAL CONFIGURATION IN JOOMLA 2.5

Message: Access denied with code 403 (phase 2). Operator GE matched 3 at TX:sqli_select_statement_count. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "108"] [id "981317"] [rev "2.2.5"] [msg "SQL SELECT Statement Anomaly Detection Alert"] [data "3"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Stopwatch: 1383191172161536 99804 (- - -)
Stopwatch2: 1383191172161536 99804; combined=92783, p1=349, p2=92380, p3=0, p4=0, p5=53, sr=83, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--e21ae76d-Z--

----------------------------------------------

VISITING GLOBAL-CHECKIN IN JOOMLA 2.5

Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): ASP/JSP source code leakage"]
Action: Intercepted (phase 4)
Stopwatch: 1383191375666716 954979 (- - -)
Stopwatch2: 1383191375666716 954979; combined=29472, p1=270, p2=28642, p3=11, p4=417, p5=131, sr=83, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--a2fc9e10-Z--

Message: Access denied with code 403 (phase 4). Match of "rx (?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" against "RESPONSE_BODY" required. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_50_outbound.conf"] [line "39"] [id "970903"] [rev "2.2.5"] [msg "ASP/JSP source code leakage"] [severity "ERROR"] [tag "LEAKAGE/SOURCE_CODE_ASP_JSP"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"]
Action: Intercepted (phase 4)
Stopwatch: 1383191539360091 912203 (- - -)
Stopwatch2: 1383191539360091 912203; combined=29321, p1=273, p2=28650, p3=9, p4=342, p5=46, sr=85, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
--b14dd66f-Z--

----------------------------------------------

So my modsecurity_crs_99_whitelist.conf ended up with these:

SecRuleRemoveById 950901
SecRuleRemoveById 950119
SecRuleRemoveById 950018
SecRuleRemoveById 960024
SecRuleRemoveById 981173
SecRuleRemoveById 981257
SecRuleRemoveById 981245
SecRuleRemoveById 958102
SecRuleRemoveById 958034
SecRuleRemoveById 981243
SecRuleRemoveById 973300
SecRuleRemoveById 973304
SecRuleRemoveById 973306
SecRuleRemoveById 973332
SecRuleRemoveById 973316
SecRuleRemoveById 973326
SecRuleRemoveById 973333
SecRuleRemoveById 973335
SecRuleRemoveById 973334
SecRuleRemoveById 981317
SecRuleRemoveById 981205
SecRuleRemoveById 970903

At this point there was no more blocking.
But I think removing rules like that is not so ideal, unless there is no other solution. Meaning that I would like the rules to exist, but somehow/someway not block the website.

For this reason I tried to do the following:

Added in php.ini
pcre.backtrack_limit=100000
pcre.recursion_limit=100000

Then set the following in modsecurity.conf
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

...and commented out the first rule from the whitelist:

SecRuleRemoveById 950901

Retried and it felt as if I changed nothing although I will be seeing the line 'service apache2 restart' in my dreams from now on.

So! I am sure there would be more if I were more patient than that, for example I haven't even tested WordPress or my own scripts (some backup scripts), but that was enough to make me quit this and ask for help.

I would like to know if there is a much more efficient way to stop it from blocking the website than using 'SecRuleRemoveById'. I mean I feel it would be useless to completely remove all those rules, right? Wrong?

Anyway, as you can imagine I have spent more than a few hours on it :) with joy, but I am not sure if everything is set right from my side in the first place.

Please let me know if I can provide more information.
I am looking forward to your help.
Thanks!

 
Last edit: vakis 2013-10-31
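The post above works through the audit log by hand, one 403 at a time, and ends with a blanket SecRuleRemoveById for every rule id that appeared. The script below is an added example, not code from the post or from the ModSecurity or CRS projects: it parses the "Message:" lines of a ModSecurity 2.x audit log (sample lines copied from the post), groups them by rule id, separates "PCRE limits exceeded" execution errors from real 403 intercepts, records which request variable each intercept matched, and prints the narrowest exclusion each rule supports. It assumes the SecRuleUpdateTargetById directive, which ModSecurity 2.6 provides, and that an exclusion such as !ARGS:jform[articletext] is acceptable for the site; the exclusions it prints are global, and the classification rules (argument target gets an exclusion, PCRE-only rule gets a limit note, anything else is flagged for review) are this example's own.

```python
"""Triage ModSecurity 2.x audit-log "Message:" lines by rule id.

Added example (not part of the forum post): turns the step-by-step reading
done by hand in the post into a per-rule summary, so that a rule which only
blocked on one Joomla form field can be excluded for that field instead of
being removed outright with SecRuleRemoveById.
"""
import re
from collections import defaultdict

# Sample lines copied from the post's audit-log excerpts (Joomla 2.5 backend,
# ModSecurity 2.6.6 with OWASP CRS 2.2.5); each line is one "Message:" entry.
SAMPLE_LOG = r'''
Message: Rule b56a2270 [id "950901"][file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Pattern match "\W{4,}" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data ">\x0d\x0a<"]
Message: Access denied with code 403 (phase 2). Pattern match "\bstyle\b\W*?=" at ARGS:jform[articletext]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "614"] [id "973306"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "style="]
Message: Access denied with code 403 (phase 2). Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*){4,}" at ARGS_NAMES:jform[attribs][show_title]. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "]"]
Message: Access denied with code 403 (phase 2). Operator GE matched 3 at TX:sqli_select_statement_count. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "108"] [id "981317"] [rev "2.2.5"] [msg "SQL SELECT Statement Anomaly Detection Alert"] [data "3"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 4). Match of "rx (?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" against "RESPONSE_BODY" required. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_50_outbound.conf"] [line "39"] [id "970903"] [rev "2.2.5"] [msg "ASP/JSP source code leakage"] [severity "ERROR"] [tag "LEAKAGE/SOURCE_CODE_ASP_JSP"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"]
'''

ID_RE = re.compile(r'\[id "(\d+)"\]')
FILE_RE = re.compile(r'\[file "([^"]+)"\]')
# "Pattern match ... at VAR." and "Operator GE matched N at VAR." share this form.
TARGET_RE = re.compile(r' at (\S+)\. \[file ')
# Negated rules log 'Match of "..." against "VAR" required.' instead.
AGAINST_RE = re.compile(r' against "([^"]+)" required\.')


def parse_message(line):
    """Return a dict describing one 'Message:' line, or None for any other line."""
    if not line.startswith('Message:'):
        return None
    m = ID_RE.search(line)
    if not m:
        return None
    f = FILE_RE.search(line)
    t = TARGET_RE.search(line) or AGAINST_RE.search(line)
    return {
        'id': m.group(1),
        'file': f.group(1).rsplit('/', 1)[-1] if f else '',
        'pcre_error': 'PCRE limits exceeded' in line,
        'intercepted': 'Access denied with code' in line,
        'target': t.group(1) if t else None,
    }


def triage(log_text):
    """Group messages by rule id: how often each blocked, on which variables,
    and how often it only failed with a PCRE limit error."""
    rules = defaultdict(lambda: {'file': '', 'pcre_errors': 0, 'blocks': 0, 'targets': set()})
    for line in log_text.splitlines():
        e = parse_message(line)
        if e is None:
            continue
        r = rules[e['id']]
        r['file'] = r['file'] or e['file']
        if e['pcre_error']:
            r['pcre_errors'] += 1
        if e['intercepted']:
            r['blocks'] += 1
            if e['target']:
                r['targets'].add(e['target'])
    return dict(rules)


def suggest_exclusions(rules):
    """Emit the narrowest exclusion each rule supports (this example's policy):
    a block on a named request argument gets a per-argument target exclusion,
    a rule that only hit PCRE limits gets a note to raise the match limits,
    and anything else (TX counters, response body) is flagged for review."""
    out = []
    for rule_id in sorted(rules):
        r = rules[rule_id]
        arg_targets = sorted(t for t in r['targets']
                             if t.split(':', 1)[0] in ('ARGS', 'ARGS_NAMES'))
        if arg_targets:
            out.append('SecRuleUpdateTargetById %s "%s"'
                       % (rule_id, '|'.join('!' + t for t in arg_targets)))
        elif r['blocks'] == 0 and r['pcre_errors']:
            out.append('# %s: %d PCRE limit error(s), no block; raise SecPcreMatchLimit '
                       'and SecPcreMatchLimitRecursion instead of excluding' % (rule_id, r['pcre_errors']))
        else:
            out.append('# %s: blocked on %s in %s; needs manual review'
                       % (rule_id, ', '.join(sorted(r['targets'])) or 'unknown target', r['file']))
    return out


if __name__ == '__main__':
    for line in suggest_exclusions(triage(SAMPLE_LOG)):
        print(line)
```

Feed it the concatenated H sections of the audit log (the "Message:" lines are all it reads) and review the printed lines before pasting the SecRuleUpdateTargetById ones into the whitelist file; rules that blocked on TX: counters or RESPONSE_BODY are not tied to one argument and are deliberately left as comments. One caveat on the post's own attempt: the pcre.backtrack_limit and pcre.recursion_limit values in php.ini apply only to PHP's regex engine; ModSecurity's matcher reads SecPcreMatchLimit and SecPcreMatchLimitRecursion, which is why changing php.ini had no visible effect on the "PCRE limits exceeded" messages.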