mod security blocking Google connected account

Simon

I've just set up connected accounts for Google, but it appears that mod security on my vps is blocking the redirect back to connected_account.php. Does anyone know of a rule that I can add to overcome this issue?

[client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".profile" at ARGS:scope. [file "/etc/apache2/modsecurity.d/rules/comodo_free/08_Global_Other.conf"] [line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt||mydomain.com|F|2"] [data "Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/userinfo.profile https:/www.googleapis.com/auth/userinfo.email openid"] [severity "CRITICAL"] [tag "CWAF"] [tag "Other"] [hostname "mydomain.com"] [uri "/connected_account.php"] [unique_id "wwwvvvvvvvvvvsssssssssssss"], referer: https://mydomain.com/
 
I know it's a terrible answer, but I'd solve it by getting rid of Mod Security. It's been a long time since I've used it, but I remember it being a real PITA unless you were really on top of things.
 
...Does anyone know of a rule that I can add to overcome this issue?
For starters you need to disable rule #210580, but it doesn't typically end there. Once that rule is disabled it is not unusual for another rule or 5 to be triggered by the same thing. You will need to disable all those also.

There are numerous ModSecurity rules incompatible with XenForo. The issue is that depending on the rules vendor and rules version you have installed the rule ids will be different. So you can't just take someone else's rule id list that they turned off to clear all XenForo issues and expect the same results.
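
Added example, not part of any post in this thread and not XenForo or ModSecurity project code: a Python sketch that reads "Access denied" lines like the one quoted above and emits one narrowly scoped exclusion per distinct (URI, rule id, variable), so follow-on rules that trip on the same parameter are picked up as they appear in the log. The sample log line is constructed, and the starting id `10001` and the name `exclusions` are assumptions.

```python
import re

# Constructed sample, modelled on the Apache error-log entry quoted in the thread.
SAMPLE_LOG = (
    '[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). '
    'Matched phrase ".profile" at ARGS:scope. '
    '[file "/etc/apache2/modsecurity.d/rules/comodo_free/08_Global_Other.conf"] '
    '[line "57"] [id "210580"] [rev "2"] [severity "CRITICAL"] '
    '[hostname "example.test"] [uri "/connected_account.php"]\n'
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [name "value"] pairs
TARGET = re.compile(r' at ([A-Z_]+(?::[\w.-]+)?)\. \[')     # variable that matched
SAFE_URI = re.compile(r'/[\w./-]*')                         # plain paths only


def exclusions(log_text, first_id=10001):
    """Return one scoped exclusion per distinct (uri, rule id, target) denial.

    first_id is an assumed free id in the locally reserved range.
    """
    seen, rules = set(), []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        uri, rule_id = fields.get("uri", ""), fields.get("id", "")
        # Log fields are influenced by the client: skip anything that is not
        # a plain path and numeric id instead of pasting it into a rule.
        if not (target and rule_id.isdigit() and SAFE_URI.fullmatch(uri)):
            continue
        key = (uri, rule_id, target.group(1))
        if key in seen:
            continue
        seen.add(key)
        # Drop only this variable from this rule, only on this endpoint;
        # the rule keeps inspecting every other argument and URL.
        rules.append(
            'SecRule REQUEST_FILENAME "@streq %s" "id:%d,phase:1,pass,nolog,'
            'ctl:ruleRemoveTargetById=%s;%s"'
            % (uri, first_id + len(rules), rule_id, target.group(1))
        )
    return rules


if __name__ == "__main__":
    print("\n".join(exclusions(SAMPLE_LOG)))
```

The generated rule runs in phase 1 so it takes effect before the phase 2 rule that denied the request; review each line before loading it, and place it in a local config file rather than editing the vendor rule files.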
 
That’s the answer. ModSecurity isn't click and forget. It is a constant hassle. Within ModSecurity there is a group of rules to work with XenForo.
 