Replying to thread containing trigger words causes error

[Biker]

It appears mod_security is triggering on the word nmap within a forum post, preventing replies to the thread.

The mod_security log shows the following:

Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?
\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:eek:ute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:X-Ajax-Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]

Only thing that has changed on the server is the installation of XenForo. I haven't had to fiddle with the mod_security rules for ages.

 

[Jake Bunce]

Other people have had this problem:

http://xenforo.com/community/threads/error-posting-message.31027/

As you discovered, it's a problem with a mod_security rule. You need to disable mod_security or change the rule which may be a job for your host or server person.

 

[Biker]

I'm not sure it's a mod_security issue, though. This behavior has not been noted with other forum software packages. Only XenForo. Why would mod_security, which has been working fine for ages, all of a sudden decide that a thread is a security risk? Especially when the only change on the server has been the installation of XenForo.

The original post is accepted. It's only replies that are prevented. This would tend to indicate that it's not really a mod_security issue.

 

[Digital Doctor]

other bad words:
ping
nmap
wget
tftp

you can use the censor system to change the words to something else.
p-i-n-g
etc.

 

[Jake Bunce]

I'm not sure it's a mod_security issue, though. This behavior has not been noted with other forum software packages. Only XenForo. Why would mod_security, which has been working fine for ages, all of a sudden decide that a thread is a security risk? Especially when the only change on the server has been the installation of XenForo.

The original post is accepted. It's only replies that are prevented. This would tend to indicate that it's not really a mod_security issue.

As Digital Doctor said, there are keywords that your mod_security rules don't like. So the error might only happen when a post contains one of those keywords.

 

[Biker]

Yes. I know it's key words. But what is different in how Xen Foro treats replies? IPB and vB have no issues with this. So why am I now getting this issue with Xen Foro? Especially when the mod_security rules have not changed?

I can create the thread with the key words. No problem. Post is accepted. However, any reply is now blocked via mod_security. This would appear that it's a Xen Foro issue, not a mod_security issue. Especially since it only happens in Xen Foro.

 

[Jake Bunce]

Maybe AJAX? Quick replies use AJAX. Try using the full reply form instead.

Just guessing.

 

[Biker]

No go. There's something in the reply process that's triggering mod_security.

 

[Jake Bunce]

No go. There's something in the reply process that's triggering mod_security.

If so then mod_security needs to be reconfigured to fix the false positive.

The log you posted says "REQUEST_HEADERS:X-Ajax-Referer". That would seem to indicate that it's looking at the referer header in AJAX requests. The referer in this case would be the URL of the thread. So if the thread URL contains one of those keywords then it will trigger the error. So the thread title (which is in the URL) may be the trigger, not the content of the post.

 

[Chris D]

This would tend to indicate that it's not really a mod_security issue.

It is a mod_security issue if it's blocking something perfectly legitimate that shouldn't be blocked. Regardless of what other software it does or doesn't work with, if it's configured to block something it shouldn't then that is purely a fault with mod_security.