Textpattern CMS support forum
ModSecurity issue on Hostgator servers.
Hi, I have a few sites on Hostgator servers, and since not that long ago I have started to get errors while publishing/saving articles that contain URLs (in custom fields, for example).
I have contacted the tech support on Hostgator and they are investigating the cause, but I would like to know if it isn’t something that needs to be fixed from the Textpattern development side, please.
I can’t post content that contains a protocol (http:// or https://).
Here’s the error log:
ModSecurity: Access denied with code 406 (phase 2).
Match of "beginsWith %{request_headers.host}" against "TX:1" required.
[file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "504"] [id "340162"] [rev "302"]
[msg "Atomicorp.com WAF Rules: Remote File Injection Attack detected (Unauthorized URL detected as argument)"]
[data ",TX:1"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/textpattern/index.php"] [unique_id "123456789"],
referer: https://www.example.com/textpattern/index.php?event=article&step=edit&ID=192&_txp_token=123456789
Re: ModSecurity issue on Hostgator servers.
Would it be because of this?
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: ModSecurity issue on Hostgator servers.
Following emphasis is mine…
THE BLUE DRAGON wrote #320725:
Hi, I have a few sites on Hostgator servers, and since not that long ago I have started to get errors while publishing/saving articles that contain URLs (in custom fields, for example).
My gut feeling here is that it’s a ModSecurity rule update that’s triggering a false positive. Web application firewalls generally have a learning curve for behaviour, and I suspect it’s a bit too sensitive. I’ve had client sites running fine on Hostgator in the past, and not encountered this issue – and I know for sure one client was using custom fields with external links, including protocols.
Re: ModSecurity issue on Hostgator servers.
I’m wondering if you can switch mod_security off for your IP – if you are using a static one.
Yiannis
Re: ModSecurity issue on Hostgator servers.
Thanks. From my testing, the issue is only with custom fields, as I am able to publish/save articles with links in the body/excerpt/description/keywords fields.
Can changing the type of the custom fields in the database help? If so, to which type should I change the custom fields to test it, please?
Re: ModSecurity issue on Hostgator servers.
Your best route to a solution is to file a false positive with ModSecurity, since it appears it’s their software that’s triggered this error. It may be that Hostgator have just installed ModSecurity to the server you are on, but that’s unlikely (and arguably short-sighted during the December holiday period for a lot of people).
Hacking Textpattern to get around a ModSecurity alert is not really sustainable – and it may be that it’s a genuine oversight that can be reverted or fixed. This is probably a good place to start: wiki.atomicorp.com/wiki/index.php/Reporting_False_Positives
Last edited by gaekwad (2019-12-28 16:39:54)
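Added example, not part of any post in this thread: a small Python parser for the ModSecurity 2.x error-log entry quoted in the first post, pulling out the rule id, status and URI that a false-positive report needs. The sample lines and the names `parse_entry` and `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed input: the entry from the first post joined onto one line, as
# Apache writes it, plus one unrelated error_log line that must be ignored.
SAMPLE_LOG = [
    'ModSecurity: Access denied with code 406 (phase 2). '
    'Match of "beginsWith %{request_headers.host}" against "TX:1" required. '
    '[file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "504"] '
    '[id "340162"] [rev "302"] [msg "Atomicorp.com WAF Rules: Remote File '
    'Injection Attack detected (Unauthorized URL detected as argument)"] '
    '[data ",TX:1"] [severity "CRITICAL"] [hostname "www.example.com"] '
    '[uri "/textpattern/index.php"] [unique_id "123456789"]',
    'File does not exist: /home/user/public_html/favicon.ico',
]

ACTION = re.compile(r'ModSecurity: (?P<action>.+?) with code (?P<status>\d{3}) '
                    r'\(phase (?P<phase>\d)\)')
# ModSecurity 2.x words a failed negated operator as 'Match of ... required'.
NEGATED = re.compile(r'Match of "(?P<operator>.*?)" against "(?P<target>.*?)" required')
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_entry(line):
    """Return the fields of one ModSecurity entry, or None for other lines."""
    action = ACTION.search(line)
    if action is None:
        return None
    entry = action.groupdict()
    negated = NEGATED.search(line)
    if negated:
        entry.update(negated.groupdict())
    entry.update(FIELD.findall(line))  # [key "value"] metadata pairs
    return entry


def triage(lines):
    """Count blocks per (rule id, URI) so a report can name the exact rule."""
    hits = Counter()
    for entry in filter(None, map(parse_entry, lines)):
        hits[(entry.get("id"), entry.get("uri"))] += 1
    return hits


if __name__ == "__main__":
    for (rule_id, uri), count in triage(SAMPLE_LOG).items():
        print(f"rule {rule_id} blocked {uri} {count} time(s)")
```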
Re: ModSecurity issue on Hostgator servers.
Thanks, I will forward this info to Hostgator tech support and hope for the best.
In the meantime I’m adding the protocol in the code, posting the links without a protocol, and using the rah_replace plugin.
<a href="http://<txp:rah_replace from="http://,https://" to=""><txp:custom_field name="link" /></txp:rah_replace>">My link text</a>