Portal Home > Knowledgebase > Articles Database > Mod_Security false positive, how can I whitelist?
Mod_Security false positive, how can I whitelist?
Posted by gpl24, 02-18-2011, 04:07 AM |
Any URL I have with the name "Union" gets an error, how can I bypass mod security for these pages, as they are legit pages?
I am using the default mod security rules.
|
Posted by SunShellHosting, 02-18-2011, 04:46 AM |
Check apache log and white list the rule.
|
Posted by gpl24, 02-22-2011, 11:15 PM |
modsec_audit.log doesn't have any mentions of this, or how to fix it.
There are plenty of other errors that got logged; but not this certain hit that I am trying to whitelist.
|
Posted by asciiDigital, 02-22-2011, 11:48 PM |
SecRule ARGS:variablename “Union” phase:1,nolog,allow,ctl:ruleEngine=off
|
Posted by gpl24, 02-24-2011, 04:12 PM |
Tried that fix, but it didn't work.
Here is my mod_security entry from WHM:
|
Posted by gpl24, 02-28-2011, 06:59 AM |
Am I looking in the wrong spot, perhaps?
|
Posted by Patrick, 02-28-2011, 10:11 AM |
It's possible. I know on our servers we have two mod_security config files but only one is used. Take a look under /usr/local/apache/conf and you should see either modsec2.conf or modsecurity2.conf or both. If you wanted to whitelist a domain from using mod_security then add the following line to the configuration files before the tag at the top:
SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleEngine=off
|
Posted by gpl24, 03-01-2011, 10:32 PM |
Found this under /usr/local/apache/conf/modsec2.user.conf:
I tried opening the included files, but the .so's were unreadable (@'s & squiggly lines), /usr/local/apache/conf/modsec2.user.conf is the same file I've been reading from WHM. I did a search for "union" in the body, but couldn't locate any rule triggering "union"
Couldn't locate these files:
logs/modsec_audit.log
logs/modsec_debug_log
I'm not sure I want to whitelist the domain (there's only 1 site on this server), but I'd like to whitelist particular URLs/pages, at least.
|
Posted by gpl24, 03-02-2011, 12:19 AM |
Figured it out.
A 3rd party security addon I use in my php scripts:
By removing union I regain access to these pages. However, will mod_security still protect me if an attacker does a union probe?
|
Add to Favourites Print this Article
Also Read