
Replying to thread containing trigger words causes error

Discussion in 'Troubleshooting and Problems' started by Biker, May 22, 2012.

  1. Biker

    Biker Well-Known Member

    It appears mod_security is triggering on the word nmap within a forum post, preventing replies to the thread.

    The mod_security log shows the following:

    Code:
    Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:X-Ajax-Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]
    Only thing that has changed on the server is the installation of XenForo. I haven't had to fiddle with the mod_security rules for ages.
     
  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

  3. Biker

    Biker Well-Known Member

    I'm not sure it's a mod_security issue, though. This behavior has not been noted with other forum software packages. Only XenForo. Why would mod_security, which has been working fine for ages, all of a sudden decide that a thread is a security risk? Especially when the only change on the server has been the installation of XenForo.

    The original post is accepted. It's only replies that are prevented. This would tend to indicate that it's not really a mod_security issue.
     
  4. Digital Doctor

    Digital Doctor Well-Known Member

    Other bad words:
    ping
    nmap
    wget
    tftp

    You can use the censor system to change the words to something else.
    p-i-n-g
    etc.
     
  5. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    As Digital Doctor said, there are keywords that your mod_security rules don't like. So the error might only happen when a post contains one of those keywords.
     
  6. Biker

    Biker Well-Known Member

    Yes. I know it's key words. But what is different in how XenForo treats replies? IPB and vB have no issues with this. So why am I now getting this issue with XenForo? Especially when the mod_security rules have not changed?

    I can create the thread with the key words. No problem. Post is accepted. However, any reply is now blocked via mod_security. This would appear that it's a XenForo issue, not a mod_security issue. Especially since it only happens in XenForo.
     
  7. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    Maybe AJAX? Quick replies use AJAX. Try using the full reply form instead.

    Just guessing.
     
  8. Biker

    Biker Well-Known Member

    No go. There's something in the reply process that's triggering mod_security.
     
  9. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    If so then mod_security needs to be reconfigured to fix the false positive.

    The log you posted says "REQUEST_HEADERS:X-Ajax-Referer". That would seem to indicate that it's looking at the referer header in AJAX requests. The referer in this case would be the URL of the thread. So if the thread URL contains one of those keywords then it will trigger the error. So the thread title (which is in the URL) may be the trigger, not the content of the post.
     
  10. Chris D

    Chris D XenForo Developer Staff Member

    It is a mod_security issue if it's blocking something perfectly legitimate that shouldn't be blocked. Regardless of what other software it does or doesn't work with, if it's configured to block something it shouldn't then that is purely a fault with mod_security.
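
One way to reconfigure mod_security for the false positive diagnosed in this thread, as an added example that is not part of any post and not XenForo's or the poster's own configuration. It assumes ModSecurity 2.6 or later (which provides `SecRuleUpdateTargetById`) and uses only the rule id and header name shown in the posted log entry.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.6+ and that these
# lines are loaded AFTER rule 959006 is defined (for instance at the end of
# the modsec2.user.conf file named in the log entry).

# Broad option (left commented out): removes the command-injection rule for
# every request and every inspected variable, so genuine matches in request
# parameters would go unchecked as well.
# SecRuleRemoveById 959006

# Narrow option: keep rule 959006 active everywhere else, but stop it from
# inspecting the single header named in the log entry. That header carries
# the thread URL, and the thread URL contains the thread title ("/nmap-").
SecRuleUpdateTargetById 959006 "!REQUEST_HEADERS:X-Ajax-Referer"
```

After reloading Apache, a reply to the affected thread should no longer produce a log entry with id 959006 at REQUEST_HEADERS:X-Ajax-Referer, while the rule continues to inspect its other targets.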
     
