We've just had a similar problem - see https://sourceforge.net/p/mrbs/bugs/324/
In that case it seemed to be ModSecurity that is exposing the problem. I expect MRBS is doing something that ModSecurity doesn't like, but I don't know what it is. If it is ModSecurity in your case then I don't know whether it offers any logging to give us a clue as to what the problem is?
The symptom in the other case was that the response to the Ajax request on the Search page was returning the HTML for the site's home page instead of JSON data containing an array of search results. Could you check the Ajax response to see what's being sent, or else let me know the link to your site (in a PM if you like) so that I can check.
Yes, it is mod security causing it. Here is the rule that is triggering the issue:
Rule 981257
Description:
Access denied with redirection to http://www.test_site.com/ using status 302 (phase 2).
Justification:
Pattern match "(?i:(?:,.?)\da-f\"'][\"')|(?:\Wselect.+\W?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s?\(\s?space\s*?\())" at REQUEST_COOKIES:SpryMedia_DataTables_users_table_edit_users.php.
And this too:
GET /book/web/search.php?search_str=fleetwood&day=28&month=2&year=2015&area=1&room=9&datatable=1&ajax=1&_=1425170657155
Action Description:
Access denied with redirection to http://test_site.com/ using status 302 (phase 2).
Justification:
Pattern match "(?i:(?:union\s?(?:all|distinct|[(!@]?)?\s?[([]?\s?select\s+)|(?:\w+\s+like\s+[\"'])|(?:like\\s*?[\"']\%)|(?:[\"']\\s*?like\\W*?[\"'\d])|(?:[\"'`]\s?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s?\w+\s? ..." at REQUEST_COOKIES:SpryMedia_DataTables_search_results_search.php.
Whitelisting the following mod_sec rules for the individual domain does in fact solve the problem:
981245
981257
981246
981243
All of these rules were triggered. Whitelisting one means the next one down will get triggered. Only whitelisting all of these corrects the problem. Also it should be noted this is a cPanel server.
Last edit: Anonymous 2015-03-01
Thanks, that's very useful. In your first example (edit_users.php) it looks like it must be the 'create' in the cookie that is causing the problem. I'll get on to the DataTables people and see if they have a solution (which may be upgrading to the latest version of DataTables, which we need to do anyway).
One thing that's slightly puzzling me though is that when I put the pattern (e.g. the one in the edit_users example) into the RegEx tester https://regex101.com/ the pattern seems to be invalid.
I'm hopeful that upgrading to the latest release of DataTables should fix this problem as it doesn't seem to use the same cookie mechanism. I'm busy working on the upgrade at the moment.
Yes, the latest version of DataTables uses localStorage rather than cookies so the problem should go away. I'll let you know once I've completed the upgrade.
There is also this: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/35 which suggests that in more recent versions of the CRS the inspection of REQUEST_COOKIES variables has been removed to avoid false positives.
Latest version of DataTables now integrated into the code in changeset 67eb00ca3b79. It will appear in the next MRBS release.
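An added example, not part of the original thread and not MRBS or cPanel configuration: instead of whitelisting the four rules for the whole domain, ModSecurity 2.x can exclude only the DataTables state cookies from those rules' targets, which mirrors the CRS change mentioned above while leaving the rules active on request arguments and other cookies. The cookie-name prefix is taken from the log entries in the thread; it is assumed that these directives sit in the site's own virtual host and are loaded after the CRS rule files.

```apache
<IfModule security2_module>
    # Broad form described in the thread: the four rules are switched off
    # entirely, so they no longer inspect any part of any request to the site.
    # SecRuleRemoveById 981243 981245 981246 981257

    # Narrower form: keep the rules, but stop them inspecting cookies whose
    # names start with SpryMedia_DataTables_ (the DataTables saved-state
    # cookies named in the log entries). Query string, POST body and all
    # other cookies are still checked by each rule.
    SecRuleUpdateTargetById 981243 "!REQUEST_COOKIES:/^SpryMedia_DataTables_/"
    SecRuleUpdateTargetById 981245 "!REQUEST_COOKIES:/^SpryMedia_DataTables_/"
    SecRuleUpdateTargetById 981246 "!REQUEST_COOKIES:/^SpryMedia_DataTables_/"
    SecRuleUpdateTargetById 981257 "!REQUEST_COOKIES:/^SpryMedia_DataTables_/"
</IfModule>
```

Once the application no longer sets these cookies (the DataTables upgrade discussed above), the exclusions can be removed again.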