Score:0

bypassing mod_security for coding blog on dreamhost

gr flag

I've written my own simple blog software to display syntax-highlighted code, and it all works perfectly on my localhost, but I'm having trouble with mod_security on my Dreamhost server.

[Wed Aug 02 06:45:17.149632 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism for inspecting and filter [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.150461 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at REQUEST_BODY. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "53"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: lock\\x0alang=\\x22php\\x22\\x0a found within REQUEST_BODY: {\\x22title\\x22:\\x22sharing code for authorised and guest users in laravel\\x22,\\x22slug\\x22:\\x22sharing-code-for-authorised-and-guest-users-in-laravel\\x22,\\x22content\\x22:\\x22<p>my reading order site appears largely the same whether you're a registered user or just a guest. i wanted to use the same code in both cases, with minor changes for authorised users. this is straight foward in traditional php, but it wasn't clear how to do it in..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1" [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.151912 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "[\\\\n\\\\r]" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism for inspecting and filtering HTTP requests entering your application. For example, Laravel includes a middleware that verifies the user of your application is authenticated.  [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.159647 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?:(?:_(?:\\\\$\\\\$ND_FUNC\\\\$\\\\$_|_js_function)|(?:new\\\\s+Function|\\\\beval)\\\\s*\\\\(|String\\\\s*\\\\.\\\\s*fromCharCode|function\\\\s*\\\\(\\\\s*\\\\)\\\\s*{|this\\\\.constructor)|module\\\\.exports\\\\s*=)" at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the documentation,</p>\\n<blockquote>... middleware provide a convenient mechanism fo [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.163379 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Warning. Pattern match "(?i:(?:[\\"'`](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:c(?:onnection_id|urrent_user)|database)\\\\s*?\\\\([^\\\\)]*?|u(?:nion(?:[\\\\w(\\\\s]*?select| select @)|ser\\\\s*?\\\\([^\\\\)]*?)|s(?:chema\\\\s*?\\\\([^\\\\)]*?|elect.*?\\\\w?user\\\\()|in ..." at ARGS_NAMES:{"title":"Sharing Code For Authorised and Guest Users in Laravel","slug":"sharing-code-for-authorised-and-guest-users-in-laravel","content":"<p>My Reading Order site appears largely the same whether you're a registered user or just a guest. I wanted to use the same code in both cases, with minor changes for authorised users. This is straight foward in traditional PHP, but it wasn't clear how to do it in Laravel. Given that no one could answer my question on Stack Overflow, and my question was closed as 'subjective,' I assume that the knowledge I'm about to share isn't exactly common.</p>\\n<h2>The Problem</h2>\\n<p>Laravel comes with a middleware called 'Authenticate', which has an alias of 'auth'. According to the docu [hostname "design.murraygunn.id.au"] [uri "/blog/sharing-code-for-authorised-and-guest-users-in-laravel/update"] [unique_id "ZMpd7eTnEFdRa8HCSnC66wAAAA8"], referer: https://design.murraygunn.id.au/blog/sharing-code-for-authorised-and-guest-users-in-laravel/edit
[Wed Aug 02 06:45:17.175032 2023] [:error] [pid 8910:tid 3605015598848] [client 181.58.38.158:12472] [client 181.58.38.158] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "design.murraygunn.id.au"]

I'm the only user allowed to post, so I can probably get away with turning mod_security off, but I'm wondering if there's a way to bypass the problem. Dreamhost doesn't allow modifying mod_security and encodeURLComponent(content) didn't help.

I guess I could write a function to break up problem words, but I'm hoping there's something already available. Any ideas?

jp flag
Anomaly score is never an independent detection, but there have been other detections right before it. Please add those log lines.
maganthro avatar
gr flag
Done. It's because of coding words like 'post' and 'function'. I'm planning to write a function to break these words up on the client and reform them on the server, but StackOverflow suggested I try here first.
Score:0
jp flag

If the warnings are about the normal operation of the software, the rules could be disabled for the URL. ModSecurity Core Rule Set (CRS), e.g., contains rules for HTML & JavaScript contents on POST data, which are typical on CMS and blog systems that are designed for editing HTML pages in a browser.

Find the [id ""] fields from the logs and disable the individual rules causing false positives. It is wise to limit disabling rules to the URLs that require those adjustments. That way you can avoid lowering the defences for the entire site.

Here, you can find [id "921110"] & [id "949110"]. To disable them in Apache for paths containing /blog/:

<LocationMatch "/blog/">
    SecRuleRemoveById 921110 949110
</LocationMatch>
maganthro avatar
gr flag
I don't have access to modify the rules. Unless I'm missing something. Dreamhost doesn't allow changing the rules via .htaccess. Is there another way?
jp flag
In that case I'm afraid the issue becomes off-topic on Server Fault.
maganthro avatar
gr flag
That's what I thought, but the guys on Stack Exchange kept saying that I should try here. Thanks.
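
The log-reading step from the answer above, as an added example that is not part of the original thread: it pulls the [id ""], [msg ""] and [uri ""] fields out of ModSecurity error-log lines, counts warnings whose metadata was cut off, and emits the per-path exclusion in the form the answer uses. The sample lines are constructed and shortened from the shape of the log in the question; the host name, client address and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, shortened from the shape of the log lines in the question.
SAMPLE_LOG = r'''
[Wed Aug 02 06:45:17 2023] [:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at REQUEST_BODY. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "53"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/blog/some-post/update"] [unique_id "AAAA"]
[Wed Aug 02 06:45:17 2023] [:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "[\\n\\r]" at ARGS_NAMES:{"title":"long body cut off by the logger [hostname "blog.example.test"] [uri "/blog/some-post/update"] [unique_id "AAAA"]
[Wed Aug 02 06:45:17 2023] [:error] [client 192.0.2.10] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/etc/modsecurity/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [hostname "blog.example.test"]
'''

# Matches [name "value"] pairs; values may contain backslash escapes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return the rule metadata of one ModSecurity log line, or None."""
    if "ModSecurity:" not in line:
        return None
    # dict() keeps the last occurrence of a field, i.e. the trailing metadata
    # rather than anything that looks like a field inside logged request data.
    fields = dict(FIELD.findall(line))
    return {k: fields.get(k) for k in ("id", "msg", "uri", "file")}

def summarize(log_text):
    """Group events by rule id; count warnings whose [id] was truncated away."""
    rules = defaultdict(lambda: {"msg": None, "uris": set(), "evaluation": False})
    truncated = 0
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event["id"] is None:
            truncated += 1  # a rule fired, but the logger cut the line short
            continue
        rule = rules[event["id"]]
        rule["msg"] = event["msg"]
        if event["uri"]:
            rule["uris"].add(event["uri"])
        # The anomaly-score check is not a detection of its own.
        rule["evaluation"] = "BLOCKING-EVALUATION" in (event["file"] or "")
    return dict(rules), truncated

def exclusion_snippet(rules, location):
    """Render the per-path exclusion in the form shown in the answer."""
    ids = " ".join(sorted(rules))
    return f'<LocationMatch "{location}">\n    SecRuleRemoveById {ids}\n</LocationMatch>'

if __name__ == "__main__":
    found, cut = summarize(SAMPLE_LOG)
    print(exclusion_snippet(found, "/blog/"))
    print(f"{cut} warning(s) had no [id] field")
```

A non-zero truncated count means more rules contributed to the anomaly score than the ids listed, so the exclusion may be incomplete until those lines are captured in full.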