
Textpattern CMS support forum


#1 2019-12-27 12:15:25

THE BLUE DRAGON
Member
From: Israel
Registered: 2007-11-16
Posts: 619

ModSecurity issue on Hostgator servers.

Hi, I have a few sites on Hostgator servers, and not that long ago I started to get errors while publishing/saving articles that contain URLs (in custom fields, for example).

I have contacted the tech support at Hostgator and they are investigating the cause, but I would like to know if it isn’t something that needs to be fixed on the Textpattern development side, please.

I can’t post content that contains a protocol (http:// or https://).

Here’s the error log:

ModSecurity: Access denied with code 406 (phase 2).
Match of "beginsWith %{request_headers.host}" against "TX:1" required.
[file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "504"] [id "340162"] [rev "302"] 
[msg "Atomicorp.com WAF Rules: Remote File Injection Attack detected (Unauthorized URL detected as argument)"] 
[data ",TX:1"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/textpattern/index.php"] [unique_id "123456789"], 
referer: https://www.example.com/textpattern/index.php?event=article&step=edit&ID=192&_txp_token=123456789


#2 2019-12-27 15:21:02

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007

Re: ModSecurity issue on Hostgator servers.

Would it be because of this?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#3 2019-12-27 21:23:14

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134

Re: ModSecurity issue on Hostgator servers.

Following emphasis is mine…

THE BLUE DRAGON wrote #320725:

Hi, I have a few sites on Hostgator servers, and not that long ago I started to get errors while publishing/saving articles that contain URLs (in custom fields, for example).

My gut feeling here is that it’s a ModSecurity rule update that’s triggering a false positive. Web application firewalls generally have a learning curve for behaviour, and I suspect it’s a bit too sensitive. I’ve had client sites running fine on Hostgator in the past, and not encountered this issue – and I know for sure one client was using custom fields with external links, including protocols.


#4 2019-12-28 05:41:08

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007

Re: ModSecurity issue on Hostgator servers.

I’m wondering if you can switch mod_security off for your IP – if you are using a static one.



#5 2019-12-28 12:47:27

THE BLUE DRAGON
Member
From: Israel
Registered: 2007-11-16
Posts: 619

Re: ModSecurity issue on Hostgator servers.

Thanks. From my testing, the issue is only with custom fields, as I am able to publish/save articles with links in the body/excerpt/description/keywords fields.
Can changing the type of the custom fields in the database help? If so, to which type should I change the custom fields to test it, please?


#6 2019-12-28 16:39:40

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134

Re: ModSecurity issue on Hostgator servers.

Your best route to a solution is to file a false positive with ModSecurity, since it appears it’s their software that’s triggered this error. It may be that Hostgator have just installed ModSecurity to the server you are on, but that’s unlikely (and arguably short-sighted during the December holiday period for a lot of people).

Hacking Textpattern to get around a ModSecurity alert is not really sustainable – and it may be that it’s a genuine oversight that can be reverted or fixed. This is probably a good place to start: wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives

Last edited by gaekwad (2019-12-28 16:39:54)
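
To support the false-positive report suggested above, this added example (not code from this thread, Textpattern or Atomicorp) parses the error-log entry from post #1 into the fields such a report needs and redacts `_txp_token` from the referer before the log is shared. The regular expressions assume the ModSecurity error-log layout seen in that entry; `parse_entry` and `report` are hypothetical names, and treating `_txp_token` as sensitive is this example's assumption.

```python
import re

# Constructed sample: the log entry from post #1, joined onto one line.
SAMPLE = (
    'ModSecurity: Access denied with code 406 (phase 2). '
    'Match of "beginsWith %{request_headers.host}" against "TX:1" required. '
    '[file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "504"] '
    '[id "340162"] [rev "302"] [msg "Atomicorp.com WAF Rules: Remote File '
    'Injection Attack detected (Unauthorized URL detected as argument)"] '
    '[data ",TX:1"] [severity "CRITICAL"] [hostname "www.example.com"] '
    '[uri "/textpattern/index.php"] [unique_id "123456789"], referer: '
    'https://www.example.com/textpattern/index.php?event=article&step=edit&ID=192&_txp_token=123456789'
)

ACTION = re.compile(r'ModSecurity: (.+?) with code (\d{3}) \(phase (\d)\)')
OPERATOR = re.compile(r'Match of "([^"]*)" against "([^"]*)" required')
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TOKEN = re.compile(r'(_txp_token=)[^&\s]+')  # assumption: treat as sensitive


def parse_entry(line):
    """Return the fields a false-positive report needs, or None."""
    action = ACTION.search(line)
    if not action:
        return None  # not a ModSecurity blocking message
    entry = {"action": action.group(1), "status": int(action.group(2)),
             "phase": int(action.group(3)), "tags": []}
    op = OPERATOR.search(line)
    if op:
        entry["operator"], entry["target"] = op.groups()
    for key, value in FIELD.findall(line):
        if key == "tag":
            entry["tags"].append(value)  # a rule may carry several tags
        else:
            entry.setdefault(key, value)
    ref = re.search(r'referer: (\S+)', line)
    if ref:  # redact the token before the entry leaves the site
        entry["referer"] = TOKEN.sub(r'\1REDACTED', ref.group(1))
    return entry


def report(entry):
    """One-line summary to paste into a false-positive ticket."""
    return (f'Rule {entry["id"]} rev {entry["rev"]} ({entry["file"]}:{entry["line"]}) '
            f'returned {entry["status"]} for {entry["uri"]}: {entry["msg"]}')


if __name__ == "__main__":
    print(report(parse_entry(SAMPLE)))
```

The rule id, revision, rules file and line, together with the request URI and the operator/target pair, identify which rule fired and on what, which is what the host or the rule vendor needs to reproduce the block.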


#7 2019-12-28 18:13:18

THE BLUE DRAGON
Member
From: Israel
Registered: 2007-11-16
Posts: 619

Re: ModSecurity issue on Hostgator servers.

Thanks, I will forward this info to Hostgator tech support and hope for the best.
In the meantime, I’m adding the protocol in the code, posting the links without a protocol, and using the rah_replace plugin.

<a href="http://<txp:rah_replace from="http://,https://" to=""><txp:custom_field name="link" /></txp:rah_replace>">My link text</a>
