Disabling mod_security for an account was easier in mod_security 1.x: you only had to add the following lines to the .htaccess file in that account's public_html directory:
SecFilterEngine Off
SecFilterScanPost Off
This no longer works, because newer WHM/cPanel versions ship mod_security 2.x, which does not accept those 1.x directives. In this article we review such a case and its solution.
Case
A user was trying to copy an article (which contained certain URLs) and paste it into their online discussion forum. The following error was shown when they tried to submit the post:
When the content was plain formatted (no formatting at all, no embedded links and such, just plain text) they could submit it. Obviously this is something on the Apache side, so the error_log has to be checked:
root@server:~ [/home]#tail -f /usr/local/apache/logs/error_log | grep 1xx.174.208.127
[Mon Jan 07 17:14:11 2013] [error] [client 1xx.174.208.127] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?(>|<)|< ?/?i?frame|\\%env)" at ARGS:quot;" style. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "903"] [id "340147"] [rev "81"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter"] [data "3990"] [severity "CRITICAL"] [hostname "my_domain.com"] [uri "/ko/portal/apps/discussions/creatediscussionview.php"] [unique_id "WQyvlUPkwtoAADKsDMwAAAAv"]
[Mon Jan 07 17:14:11 2013] [error] [client 1xx.174.208.127] File does not exist: /home/sysbc/public_html/my_domain.com/403.shtml, referer: http://my_domain.com/ko/portal/home.php?main=discussview
A pattern in the request is triggering the mod_security rule. In this case the client insisted on disabling it for his account; otherwise we would not have done it, for security reasons.
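Before whitelisting anything it helps to know exactly which rule fired, how often, and for which host and URI. The following is an added example, not part of the original article: a small POSIX shell helper that pulls the bracketed fields (id, msg, hostname, uri) out of ModSecurity 2.x error_log entries and summarises the denials. The sample log lines are constructed from the entry above; the client IP is from the documentation range and the unique_id values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): triage ModSecurity 2.x
# "Access denied" entries in the Apache error_log before deciding what to
# whitelist.  Usage: modsec_summary < /usr/local/apache/logs/error_log

# modsec_field FIELD
# Print the value of [FIELD "..."] from every log line on stdin
# (FIELD is one of id, msg, hostname, uri, file, line, severity, ...).
modsec_field() {
    sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_summary
# Read error_log lines on stdin and print one line per distinct
# (rule id, hostname, uri) triple, prefixed with its count, busiest first.
# This tells you whether a single rule on a single URI is the problem
# (a candidate for SecRuleRemoveById) or something broader.
modsec_summary() {
    grep 'ModSecurity: Access denied' |
    while IFS= read -r line; do
        id=$(printf '%s\n' "$line" | modsec_field id)
        host=$(printf '%s\n' "$line" | modsec_field hostname)
        uri=$(printf '%s\n' "$line" | modsec_field uri)
        printf '%s %s %s\n' "$id" "$host" "$uri"
    done | sort | uniq -c | sort -rn
}

# sample_log
# Constructed test input modelled on the article's log entry: two denials by
# the same rule plus the unrelated "File does not exist" line for the 403 page.
# Client IP is from the documentation range; unique_ids are placeholders.
sample_log() {
    cat <<'EOF'
[Mon Jan 07 17:14:11 2013] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/)" at ARGS:body. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "903"] [id "340147"] [rev "81"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter"] [severity "CRITICAL"] [hostname "my_domain.com"] [uri "/ko/portal/apps/discussions/creatediscussionview.php"] [unique_id "UNIQUE_ID_PLACEHOLDER_1"]
[Mon Jan 07 17:14:11 2013] [error] [client 198.51.100.7] File does not exist: /home/sysbc/public_html/mdom/403.shtml, referer: http://my_domain.com/ko/portal/home.php?main=discussview
[Mon Jan 07 17:20:02 2013] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/)" at ARGS:body. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "903"] [id "340147"] [rev "81"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter"] [severity "CRITICAL"] [hostname "my_domain.com"] [uri "/ko/portal/apps/discussions/creatediscussionview.php"] [unique_id "UNIQUE_ID_PLACEHOLDER_2"]
EOF
}

# Run with --demo to see the summary of the constructed sample:
# one line, count 2, rule 340147, host my_domain.com, the creatediscussionview.php URI.
if [ "${1:-}" = "--demo" ]; then
    sample_log | modsec_summary
fi
```

On a live server pipe the real log through it (tail -n 5000 error_log | sh -c '. ./modsec_triage.sh; modsec_summary'); a single id concentrated on one URI is the case where removing that one rule, rather than switching the engine off, is the right fix.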
Solution
The solution is to disable mod_security, but remember: for this account only. Let us take a look at the VirtualHost section of this domain:
<VirtualHost xx.xx.xx.xx:80>
    ServerName my_domain.com
    ServerAlias www.my_domain.com my_domain.com www
    DocumentRoot /home/sysbc/public_html/mdom
    ServerAdmin webmaster@my_domain.com
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/my_domain.com combined
    CustomLog /usr/local/apache/domlogs/my_domain.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User sysprobc # Needed for Cpanel::ApacheConf
    <IfModule mod_suphp.c>
        suPHP_UserGroup ysb ysb
    </IfModule>
    <IfModule concurrent_php.c>
        php4_admin_value open_basedir "/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        php5_admin_value open_basedir "/home/sysbc:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    <IfModule !concurrent_php.c>
        <IfModule mod_php4.c>
            php_admin_value open_basedir "/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        </IfModule>
        <IfModule mod_php5.c>
            php_admin_value open_basedir "/home/sysbc:/usr/lib/php:/usr/local/lib/php:/tmp"
        </IfModule>
        <IfModule sapi_apache2.c>
            php_admin_value open_basedir "/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        </IfModule>
    </IfModule>
    <IfModule !mod_disable_suexec.c>
        <IfModule !mod_ruid2.c>
            SuexecUserGroup sysbc ysbc
        </IfModule>
    </IfModule>
    <IfModule mod_ruid2.c>
        RUidGid sysprobc sysprobc
    </IfModule>
    ScriptAlias /cgi-bin/ /home/ysbc/public_html/mdom/cgi-bin/
    # To customize this VirtualHost use an include file at the following location
    # Include "/usr/local/apache/conf/userdata/std/2/sysbc/my_domain.com/*.conf"
Take a look at the last two lines:
# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/std/2/sysbc/my_domain.com/*.conf"
By default the location /usr/local/apache/conf/userdata/std/2 exists. You will have to create the remaining path ysbc/my_domain.com:
# mkdir -p /usr/local/apache/conf/userdata/std/2/ysbc/my_domain.com
In that directory create a file named vhost.conf with the following lines (each directive on its own line, as Apache requires):
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>
Then run the following script so that cPanel picks up the new include for the account's VirtualHost:
/scripts/ensure_vhost_includes --user=<cPanel username>
In our case:
# /scripts/ensure_vhost_includes --user=sysbc
Alternatives
The method explained above disables mod_security entirely for a particular account, which is neither recommended nor safe. However, there are other ways to do the trick.
root@server:~ [/home]#tail -f /usr/local/apache/logs/error_log | grep xx.xx.xx.xx
[Mon Jan 07 17:14:11 2013] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?(>|<)|< ?/?i?frame|\\%env)" at ARGS:quot;" style. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "903"] [id "340147"] [rev "81"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter"] [data "3990"] [severity "CRITICAL"] [hostname "my_domain.com"] [uri "/ko/portal/apps/discussions/creatediscussionview.php"] [unique_id "WQyvlUPkwtoAADKsDMwAAAAv"]
[Mon Jan 07 17:14:11 2013] [error] [client xx.xx.xx.xx] File does not exist: /home/sysbc/public_html/mdom/403.shtml, referer: http://my_domain.com/ko/portal/home.php?main=discussview
A finer-grained alternative is to disable only the rule that fired (id 340147 in the error_log above) and leave the rest of the engine active. Put the following in the account's vhost.conf include instead of SecRuleEngine Off; note that the LocationMatch container is only valid in server or virtual-host context, so this block cannot go in a .htaccess file:
<LocationMatch ".*">
    SecRuleRemoveById 340147
</LocationMatch>
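Putting the Solution steps and the Alternatives section together, here is an added example script (not from the original article and not a cPanel tool) that creates the per-account userdata include and activates it. It assumes the cPanel layout shown above: includes under /usr/local/apache/conf/userdata/std/2/<user>/<domain>/ and the /scripts/ensure_vhost_includes helper. Given one or more rule ids it writes SecRuleRemoveById lines, which keeps the engine on; given none it falls back to SecRuleEngine Off, the whole-account bypass the article uses but recommends against. The APACHE_CONF variable is my own addition so that the file layout can be exercised outside a cPanel box.

```shell
#!/bin/sh
# Added example (not from the original article): create and activate a
# per-account mod_security include on a cPanel/WHM host.
# Usage: sh modsec_include.sh <cpanel-user> <domain> [rule-id ...]
#   with rule ids -> one SecRuleRemoveById per id (engine stays on)
#   without      -> SecRuleEngine Off for the whole VirtualHost
# Assumptions: cPanel's "std/2" userdata layout and /scripts/ensure_vhost_includes,
# both as shown in the article.  APACHE_CONF (assumed, not a cPanel variable)
# overrides the conf root so the layout can be tested elsewhere.

# userdata_dir USER DOMAIN : the include directory cPanel reads for that vhost
userdata_dir() {
    printf '%s/userdata/std/2/%s/%s\n' "${APACHE_CONF:-/usr/local/apache/conf}" "$1" "$2"
}

# write_modsec_include USER DOMAIN [RULE_ID ...]
# Validate the ids, write vhost.conf, and print its path.
write_modsec_include() {
    user=$1; domain=$2; shift 2
    for id in "$@"; do
        case $id in
            ''|*[!0-9]*) echo "invalid rule id: $id" >&2; return 1 ;;
        esac
    done
    dir=$(userdata_dir "$user" "$domain")
    mkdir -p "$dir" || return 1
    {
        echo "<IfModule mod_security2.c>"
        if [ "$#" -eq 0 ]; then
            # Whole-engine bypass: every rule is skipped for this vhost.
            echo "    SecRuleEngine Off"
        else
            # Targeted exclusion: only the listed rule ids are dropped.
            for id in "$@"; do
                echo "    SecRuleRemoveById $id"
            done
        fi
        echo "</IfModule>"
    } > "$dir/vhost.conf" || return 1
    printf '%s\n' "$dir/vhost.conf"
}

# activate_include USER : have cPanel merge the include into httpd.conf
activate_include() {
    if [ -x /scripts/ensure_vhost_includes ]; then
        /scripts/ensure_vhost_includes --user="$1"
    else
        echo "note: /scripts/ensure_vhost_includes not found; include written but not activated" >&2
    fi
}

if [ "$#" -ge 2 ]; then
    write_modsec_include "$@" && activate_include "$1"
fi
```

For the case in this article the call would be sh modsec_include.sh sysbc my_domain.com 340147, which leaves every other rule active for the account; running it with just the user and domain reproduces the article's SecRuleEngine Off include.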