[Fix custom rules / Avoid cheap webhosting] Custom server's mod_security rules are triggered when doing repeated forms saves with many fields

More
5 years 8 months ago - 5 years 8 months ago #76036 by bendeb
Hello,

I have this issue on my server when I configure and save many fields one after one.
The server (protected by imunify360 et hosted by EX2 hosting) denied my IP because it consider there is an injection attack.
Each time I configure and save many fields (about 10 or 15 fields in few time), the server protection denied me.

I talk it to my hosting, and it send me this error message :
Code:
[Sat Mar 16 01:15:28 2019] [error] [client XXX.XX.XXX.XXX] ModSecurity: Access denied with code 200, [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:optionsQuery|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/' '<\?(?!xml\s)'] [id "77211220"] [rev "3"] [msg "IM360 WAF: PHP Injection Attack||MVN:<?php $f = & $item->fields; if ( !isset($f['fieldname01']) ) return array('fieldname01 field not found'); $vals = array(); foreach($f['fieldname01']->postdata as $i => $v) { $vals[$i] = 'auto : ' . $v; } return $vals;||MV:<?php $f = & $item->fields; if ( !isset($f['fieldname01']) ) return array('fieldname01 field not found'); $vals = array(); foreach($f['fieldname01']->postdata as $i => $v) { $vals[$i] = 'auto : ' . $v; } return $vals;||T:LITESPEED||PC:1341"] [severity "CRITICAL"] [tag "CWAF"] 2019-03-16 01:15:28.688518 [NOTICE] [XXX.XX.XXX.XXX:54452] Content len: 8658, Request line: 'POST /administrator/index.php HTTP/1.1' 2019-03-16 01:15:28.688522 [INFO] [XXX.XX.XXX.XXX:54452] Cookie len: 1545, fc_uid=e71b13d9f8e03235db7ecc2de0dd08a9; fcfavs=%7B%7D; tabset_attrs_1fctabber=0; tabset_attrs_0fctabber=0; tabset_attrs_2fctabber=3; field_specific_props_tabsetfctabber=1; fc_columnchooser=%7B%22vhash%22%3A%22d2ce5c1882cea09a61e9127fb541cd8b%22%2C%22adminListTableFCcats%22%3A%222%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%22%2C%22adminListTableFCfields%22%3A%222%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%22%2C%22adminListTableFCitems%22%3A%220%2C2%2C3%2C4%2C6%2C7%2C8%22%2C%22adminListTableFCtypes%22%3A%222%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%22%7D; fc_screen_resolution=1920x956; fc-filters-box-disp=1; fc_columnchooser=%7B%22vhash%22%3A%22d2ce5c1882cea09a61e9127fb541cd8b%22%2C%22adminListTableFCcategory%22%3A%220%22%2C%22adminListTableFCfilesimage365%22%3A%222%2C4%22%7D; phpbb3_51gss_k=91e3ee1eb631a342; phpbb3_51gss_u=2; phpbb3_51gss_sid=26e44b1cce967c7d2b0455eec60d8cea; phpbb3_foj9v_k=e9e989edc7440ba4; phpbb3_foj9v_u=2; phpbb3_foj9v_sid=9c0d69b2c05bf5e85e0e562a7d8195ba; joomla_remember_me_bfebc4627348261a16c706a9452befda=qVnRht07U1YrVtjo.0zDrZIPPpmYC8CMkCKYT; joomla_remember_me_49d9a81e9344bfb8357e4d19d542fd4b=0Q24aZZ12prgmu9v.bgarDAVDXSRk0Q2rspxI; phpbb3__u=54; phpbb3__k=; phpbb3__sid=a9d41ae8cb74e3d27f5d116c31f2ab46; joomla_remember_me_832a2989a8d16ee04aa18e088e1b350c=gXVYgIQzFGTyOSCQ.qfceopaHMRcunLmNiuXa; 4571ddb59bc1532cd0e0b20978e4cd40=h5028p8og5v3bbfc9bj7jk9573; joomla_user_state=logged_in; e28a24952043f75bda3dae92a68c1e24=74jr4hh4tp4ckju2r1v5ekmq51; fc_uid=832a2989a8d16ee04aa18e088e1b350c; jpanesliders_theme-sliders-501979=0 2019-03-16 01:15:43.356890 [NOTICE] [XXX.XX.XXX.XXX:54473] mod_security rule [Id '77211220'] triggered!

Then, he disable the protection rule for I can work comfortably, and I report this error logs to you.
Is it a bug ?
This problem occur on FC 3.2.1.15 (no tested on later version).

Thank you in advance.

Flexicontent 4.1.0b1
Joomla 3.9.18
Last edit: 5 years 8 months ago by ggppdk.

Please Log in or Create an account to join the conversation.

More
5 years 8 months ago #76038 by ggppdk
Hello

it is not a bug

these are custom mod_security rules in your web-server

that are just too aggressive
anyone can have any rules

ask your web host to resolve this , explaining that it is legitimate behavior
or simply change web-host or "upgrade"

cutting down on server usage this way is a cheap way to go, it sounds like 1 euro per month web-host


-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...

Please Log in or Create an account to join the conversation.

More
5 years 8 months ago #76044 by bendeb
OK thank you, it reassures me :)
My host disable the protection rule so it's not a problem now, but I just would know if this was normal or not.

Thank you again ggppdk ;)

Flexicontent 4.1.0b1
Joomla 3.9.18

Please Log in or Create an account to join the conversation.

Moderators: vistamediajoomlacornerggppdk
Time to create page: 0.366 seconds
Save
Cookies user preferences
We use cookies to ensure you to get the best experience on our website. If you decline the use of cookies, this website may not function as expected.
Accept all
Decline all
Essential
These cookies are needed to make the website work correctly. You can not disable them.
Display
Accept
Analytics
Tools used to analyze the data to measure the effectiveness of a website and to understand how it works.
Google Analytics
Accept
Decline