• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Replying to thread containing trigger words causes error

Biker

Well-known member
#1
It appears mod_security is triggering on the word nmap within a forum post, preventing replies to the thread.

The mod_security log shows the following:

Code:
Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?
\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:eek:ute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:X-Ajax-Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]
Only thing that has changed on the server is the installation of XenForo. I haven't had to fiddle with the mod_security rules for ages.
 

Biker

Well-known member
#3
I'm not sure it's a mod_security issue, though. This behavior has not been noted with other forum software packages. Only XenForo. Why would mod_security, which has been working fine for ages, all of a sudden decide that a thread is a security risk? Especially when the only change on the server has been the installation of XenForo.

The original post is accepted. It's only replies that are prevented. This would tend to indicate that it's not really a mod_security issue.
 

Jake Bunce

XenForo moderator
Staff member
#5
I'm not sure it's a mod_security issue, though. This behavior has not been noted with other forum software packages. Only XenForo. Why would mod_security, which has been working fine for ages, all of a sudden decide that a thread is a security risk? Especially when the only change on the server has been the installation of XenForo.

The original post is accepted. It's only replies that are prevented. This would tend to indicate that it's not really a mod_security issue.
As Digital Doctor said, there are keywords that your mod_security rules don't like. So the error might only happen when a post contains one of those keywords.
 

Biker

Well-known member
#6
Yes. I know it's key words. But what is different in how Xen Foro treats replies? IPB and vB have no issues with this. So why am I now getting this issue with Xen Foro? Especially when the mod_security rules have not changed?

I can create the thread with the key words. No problem. Post is accepted. However, any reply is now blocked via mod_security. This would appear that it's a Xen Foro issue, not a mod_security issue. Especially since it only happens in Xen Foro.
 

Jake Bunce

XenForo moderator
Staff member
#9
No go. There's something in the reply process that's triggering mod_security.
If so then mod_security needs to be reconfigured to fix the false positive.

The log you posted says "REQUEST_HEADERS:X-Ajax-Referer". That would seem to indicate that it's looking at the referer header in AJAX requests. The referer in this case would be the URL of the thread. So if the thread URL contains one of those keywords then it will trigger the error. So the thread title (which is in the URL) may be the trigger, not the content of the post.
 

Chris D

XenForo developer
Staff member
#10
This would tend to indicate that it's not really a mod_security issue.
It is a mod_security issue if it's blocking something perfectly legitimate that shouldn't be blocked. Regardless of what other software it does or doesn't work with, if it's configured to block something it shouldn't then that is purely a fault with mod_security.