modsec rule triggered but not showing 403

Discussion in 'General' started by hd-sam, Sep 7, 2013.

  1. hd-sam

    hd-sam Member

    I have an issue where a modsec rule is triggered but it is not sending the user to the 403 page.

    It keeps the user on the same page and shows the page as requested.
    For example, if I trigger modsec by typing in:


    www.yourdomain.com/?<script>alert(1)</script>

    The server error log shows:
    Code:
    2013-09-07 02:43:06.890 [NOTICE] [IPREDACTED:55860-0#APVH_redacteddomain.com] mod_security rule triggered! 
    [Sat Sep  7 02:43:06 2013] [error] [client IPREDACTED] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Referer' '!(clientscript/yui/connection/javascript\:false$)']
     [ID: 340003] [Msg: Atomicorp.com WAF Rules: XSS attack in request headers]2013-09-07 02:43:06.890 [NOTICE] [IPREDACTED:55860-0#APVH_redacteddomain.com] Content len: 0, Request line: 'GET /a/img/?image=520256e32e5f881be1c06.jpg&id=23 HTTP/1.1'
    2013-09-07 02:43:06.890 [INFO] [IPREDACTED:55860-0#APVH_redacteddomain.com] Cookie len: 728, __utma=144074919.161903994.1378026335.1378532921.1378539082.5; __utmz=144074919.1378026335.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-10049247-1378026334968; utag_main=_st:1378541590120$ses_id:1378539788616%3Bexp-session; bb_lastvisit=1378245702; bb_lastactivity=0; bb_; bb_thread_lastview=91f3ccb24e1ded483a614104c1e4550e0307485da-1-%7Bi-121862_i-1378523582_%7D; bb_np_notices_displayed=2; __utmc=144074919; PHPSESSID=2236074a8ff1b46f2578fb0b0c91395d; s_sess=%20s_ppv%3D100%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B; bb_cpsession=8a78e2f10a99f87a0b60ca4db4858821; bb_userid=553; bb_password=734fa0d5a0ba61fa3a4e59184f575f44; __utmb=144074919.17.10.1378539082
    2013-09-07 02:43:06.892 [NOTICE] [IPREDACTED:55861-0#APVH_redacteddomain.com] mod_security rule triggered! 
    [Sat Sep  7 02:43:06 2013] [error] [client IPREDACTED] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Referer' '!(clientscript/yui/connection/javascript\:false$)']
     [ID: 340003] [Msg: Atomicorp.com WAF Rules: XSS attack in request headers]2013-09-07 02:43:06.892 [NOTICE] [IPREDACTED:55861-0#APVH_redacteddomain.com] Content len: 0, Request line: 'GET /a/img/?image=5228ed033ed49841ab88f.jpg&id=72 HTTP/1.1'
    However the page still renders for the user and it does not say forbidden or send them to the 403 page.

    This is a cPanel server with LSWS.
  2. mistwang

    mistwang LiteSpeed Staff

    Could a rewrite rule be rewriting the custom 403 page?
    You can enable rewrite logging along with debug logging.
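
An added example, not part of the original thread or LiteSpeed's own tooling: a small Python parser for the error-log format quoted in the first post, pairing each "Access denied" entry with the rule ID, the inspected variable and the request line logged after it, so it is visible which request each 403 was recorded against. The sample log is constructed in the same format, with placeholder addresses, vhost and image names; the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the format of the excerpt above; the addresses,
# vhost and image names are placeholders, not values from the thread.
SAMPLE_LOG = r"""
2013-09-07 02:43:06.890 [NOTICE] [192.0.2.10:55860-0#APVH_example.com] mod_security rule triggered!
[Sat Sep  7 02:43:06 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Referer' '!(clientscript/yui/connection/javascript\:false$)']
 [ID: 340003] [Msg: Atomicorp.com WAF Rules: XSS attack in request headers]2013-09-07 02:43:06.890 [NOTICE] [192.0.2.10:55860-0#APVH_example.com] Content len: 0, Request line: 'GET /a/img/?image=one.jpg&id=23 HTTP/1.1'
2013-09-07 02:43:06.891 [NOTICE] [192.0.2.10:55862-0#APVH_example.com] Content len: 0, Request line: 'GET /index.php HTTP/1.1'
2013-09-07 02:43:06.892 [NOTICE] [192.0.2.10:55861-0#APVH_example.com] mod_security rule triggered!
[Sat Sep  7 02:43:06 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Referer' '!(clientscript/yui/connection/javascript\:false$)']
 [ID: 340003] [Msg: Atomicorp.com WAF Rules: XSS attack in request headers]2013-09-07 02:43:06.892 [NOTICE] [192.0.2.10:55861-0#APVH_example.com] Content len: 0, Request line: 'GET /a/img/?image=two.jpg&id=72 HTTP/1.1'
"""

# Entries can be fused onto one physical line (as in the excerpt), so scan
# for tokens across the whole text instead of parsing line by line.
TOKEN = re.compile(
    r"Access denied with code (?P<code>\d+), \[Rule: '(?P<var>[^']+)'"
    r"|\[ID: (?P<id>\d+)\]"
    r"|Request line: '(?P<method>\S+) (?P<uri>[^ ']+)"
)

def denied_requests(log):
    """Return one dict per 'Access denied' entry, with the request it applied to."""
    events, cur = [], None
    for m in TOKEN.finditer(log):
        if m["code"]:
            cur = {"code": int(m["code"]), "variable": m["var"],
                   "rule_id": None, "method": None, "uri": None}
            events.append(cur)
        elif m["id"] and cur is not None:
            cur["rule_id"] = m["id"]
        elif m["uri"] and cur is not None:
            cur["method"], cur["uri"] = m["method"], m["uri"]
            cur = None  # request lines with no preceding denial are ignored
    return events

def summarize(log):
    """Count denials per (rule ID, inspected variable, URL path)."""
    return Counter((e["rule_id"], e["variable"], urlsplit(e["uri"] or "").path)
                   for e in denied_requests(log))

if __name__ == "__main__":
    for (rule_id, variable, path), n in summarize(SAMPLE_LOG).items():
        print(f"rule {rule_id} on {variable}: {n} denial(s) for {path}")
```

Run against the excerpt in the first post, the same pairing shows the denials recorded for `/a/img/` request lines with `REQUEST_HEADERS:Referer` as the inspected variable.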
