Issue
- The web server responds with error 403 when trying to save changes in the CMS interface.
- The record in console.log shows that access is blocked by an OWASP rule:

    INFO [2021-12-20 09:24:49,073] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '192.168.246.90', 'rule': '941180', 'access_denied': True, 'severity': 2, 'tag': ['application-multi', 'language-multi', 'platform-multi', 'attack-xss', 'OWASP_CRS/WEB_ATTACK/XSS', 'WASCTC/WASC-8', 'WASCTC/WASC-22', 'OWASP_TOP_10/A3', 'OWASP_AppSensor/IE1', 'CAPEC-242'], 'status_code': '403', ...

- The issue does not occur when ModSecurity is disabled.
- The OWASP3 ruleset is disabled in WHM > ModSecurity vendors.
- The OWASP configuration files are nevertheless included in the web server configuration:

    # apachectl -t -D DUMP_INCLUDES | grep OWASP
    ...
    (43) /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-901-INITIALIZATION.conf
    (44) /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
    (45) /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-910-IP-REPUTATION.conf
    ...

Environment
- Imunify360
- cPanel
- Litespeed
- OWASP
Solution
- Log into WHM.
- Enable the OWASP ruleset in ModSecurity Vendors.
- Disable the OWASP ruleset again.
- Make sure the OWASP ruleset configs are no longer active (the command should return nothing):

    # apachectl -t -D DUMP_INCLUDES | grep OWASP
    #

If the rules are still active or the issue recurs, contact cPanel support so they can investigate the root cause.
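
A triage sketch for the check described above, as an added example that is not part of the original article or of Imunify360 or cPanel: it pulls denied ModSecurity rule IDs out of console.log lines and reports whether OWASP3 vendor files still appear in the include dump. The function names and sample data are constructed for illustration; 900000-999999 is the rule ID range used by the OWASP Core Rule Set.

```sh
#!/bin/sh
# Added example, not Imunify360 or cPanel code. Function names are hypothetical.

# Constructed console.log sample: line 1 is shortened from the article's record,
# line 2 is invented to show a non-blocking incident being skipped.
SAMPLE_LOG="INFO [2021-12-20 09:24:49,073] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '192.168.246.90', 'rule': '941180', 'access_denied': True, 'severity': 2, 'status_code': '403'})
INFO [2021-12-20 09:25:02,511] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '192.0.2.10', 'rule': '920350', 'access_denied': False, 'severity': 4, 'status_code': '200'})"

# Constructed sample of DUMP_INCLUDES output, using paths shown in the article.
SAMPLE_INCLUDES="(43) /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-901-INITIALIZATION.conf
(44) /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-905-COMMON-EXCEPTIONS.conf"

# stdin: console.log lines. stdout: "<rule_id> <count>" for denied modsec incidents.
blocked_rules() {
  grep -F "'plugin_id': 'modsec'" | grep -F "'access_denied': True" \
    | sed -n "s/.*'rule': '\([0-9]\{1,\}\)'.*/\1/p" \
    | sort | uniq -c | awk '{print $2, $1}'
}

# stdin: DUMP_INCLUDES output. stdout: number of OWASP3 vendor files loaded.
owasp_include_count() {
  grep -c 'modsec_vendor_configs/OWASP3/' || true   # grep -c exits 1 on zero matches
}

# True when the rule ID lies in the OWASP CRS range 900000-999999.
is_crs_rule() {
  [ "$1" -ge 900000 ] && [ "$1" -le 999999 ]
}

# $1: console.log text, $2: DUMP_INCLUDES text. Prints one verdict per blocked rule.
triage() {
  n=$(printf '%s\n' "$2" | owasp_include_count)
  printf '%s\n' "$1" | blocked_rules | while read -r rule count; do
    if is_crs_rule "$rule" && [ "$n" -gt 0 ]; then
      echo "rule $rule blocked $count request(s): OWASP3 still loaded ($n files)"
    elif is_crs_rule "$rule"; then
      echo "rule $rule blocked $count request(s): OWASP3 not in includes"
    else
      echo "rule $rule blocked $count request(s): not a CRS rule ID"
    fi
  done
}

triage "$SAMPLE_LOG" "$SAMPLE_INCLUDES"
```

On a live server, pass the contents of console.log and the output of `apachectl -t -D DUMP_INCLUDES` to `triage` in place of the two sample variables.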
Cause
Disabling the OWASP ruleset failed.