Security issue with IE8 and mod_security2


lextech

A customer wrote to me:

 

I tried a work computer. I installed Chrome on the work computer. Tried creating an account from the Android phone.

 

406 Not Acceptable

An appropriate representation of the requested resource /osCommerce/password_forgotten.php could not be found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

The above message I'm getting when I do a "forgot password"

 

Similarly after I fill the fields for create account I get:

 

406 Not Acceptable

An appropriate representation of the requested resource /osCommerce/create_account.php could not be found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I believe we have narrowed down the error to the server side. Please look into it.

 

So I wrote my server host and he wrote this back as a response:

 

Turning off mod_security2...

 

1. Increases the chances of your site being hacked

 

2. Increases the chances of your site violating the policy when it is hacked. They will upload paypal phishing pages, send spam, etc.

 

3. Increases the chances of your site overloading the server resulting in downtime for everyone

 

4. Increases the chances of your site being immediately deleted from the server when it causes a problem for the server.

 

 

 

If you want mod_security2 turned off for your domain, reopen this ticket and...

 

1. Provide the account ID. The account ID is the domain name listed in the activation notice and in invoices

 

2. Provide the domain name in which you want mod_security2 turned off

 

3. Provide that domain's correct username

 

4. Send statement: "I will keep all of my scripts up-to-date on a daily basis."

 

 

I have tried searching around and I am not seeing the proper fix for this so users can use my site. I just want to be accessible again by everyone. This is a real issue with most people using IE8. What is the proper fix without having to write the host back?

RC2.2a


mod_security2 is an Apache mod; it's not something you can install on your website or uninstall. But it is possible for your domain host to switch that mod off for your website. What they are asking you to do is send them your website information and agree to a disclaimer and they will let your site pass thru the mod_security2 firewall without filtering.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


You would have to determine the difference between those users. What browsers they are using in particular.

If you know of a user that is getting this error, then try adding this to your htaccess

SecFilterEngine off

 

And request that affected user try it out and see if that has cleared the problem. Modsecurity is a bit like a packet filter that among other things monitors POST data like that when you try to log in. If they have tweaked it a bit much then it may for example be banning the use of @ in post data.

 

If that code above results in the error clearing, then remove it (as that will turn modsecurity completely off for your site), and add the following:

SecFilterEngine On
SecFilterSelective "REQUEST_URI" "/osCommerce/password_forgotten.php" "allow,nolog"

That should allow modsecurity to ignore that particular file, rather than the entire website.


Probably means your ISP does not allow local manipulation of SecFilterEngine....which is a good thing.

 

You will have to contact them directly then as they suggested in that message, and offer them this option asking if it is possible to just allow the password_forgotten.php thru the modsec firewall.

 

SecFilterSelective "REQUEST_URI" "/osCommerce/password_forgotten.php" "allow,nolog"

 

If they say no, they will probably re-offer to you the option to either leave mod_security2 as it is, or switched off for your site.

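The directives quoted in the replies above (SecFilterEngine, SecFilterSelective) are ModSecurity 1.x syntax; mod_security2 uses SecRuleEngine and SecRule instead. As an added example, not part of the original posts and not the host's actual configuration, this is how the same per-page exception could look in ModSecurity 2.x. The rule IDs 10001 and 10002 are constructed, and RULE_ID_FROM_LOG is a placeholder for whichever rule ID the host finds in its ModSecurity log for the 406 responses.

```apache
# Added example (ModSecurity 2.x). Belongs in the server or virtual-host
# configuration, which on shared hosting only the host can edit.

# Broad option the host offered: filtering off for the whole domain.
# SecRuleEngine Off

# Option A: equivalent of the SecFilterSelective "allow,nolog" lines.
# Keep the engine on and skip rule processing only for the two affected pages.
# IDs 10001/10002 are constructed values for this example.
SecRuleEngine On
SecRule REQUEST_FILENAME "@streq /osCommerce/password_forgotten.php" \
    "id:10001,phase:1,t:none,pass,nolog,ctl:ruleEngine=Off"
SecRule REQUEST_FILENAME "@streq /osCommerce/create_account.php" \
    "id:10002,phase:1,t:none,pass,nolog,ctl:ruleEngine=Off"

# Option B (use instead of A): leave every other rule active on those pages
# and remove only the rule that produces the 406.
# RULE_ID_FROM_LOG is a placeholder, not a real rule ID.
# <LocationMatch "^/osCommerce/(password_forgotten|create_account)\.php$">
#     SecRuleRemoveById RULE_ID_FROM_LOG
# </LocationMatch>
```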

Well if they agree to just turn it off for the lost password, as in write an exception rule to bypass filtering for those two files alone, it should be fine...this is of course, if that is even possible for them to do.

 

If that is the case you would need to add in a whitelist filter for email addresses into the top of both the lost password page and create account page under the application_top.php include. Something along the lines of what has been discussed in other discussion threads (but with amendments just for an email address):

 

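// Whitelist filter: strip every character not expected in a name or email address.
// foreach replaces the each() loop, which no longer exists in current PHP.
foreach ($_POST as $key => $value) {
    if (!is_array($value)) {
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@_.-]/", "", urldecode($value));
    } else {
        unset($_POST[$key]); // no arrays expected
    }
}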

 

But that comes down to in the end, the server admin being able to write in firewall rule exceptions just for those two pages.

 

If they cannot then that is another bridge that will have to be crossed when you get to that point. But to be honest, if people are having problems with input fields on those two pages, I would suggest that they would be having probs with any field inputs period. So even if your host could write in exceptions for those two files, you might find you get further complaints from others concerning other pages that have user data inputted.

 

But that is just conjecture on my part, best try it out and see what they say, and see if that even clears the problem.

 

My suspicions are up though especially since some users have no issue which sounds to me like something more local like browser problems or even something as simple as cookie caches. mod_security2 would be indiscriminate, and if it had a conflict with a user input returning unacceptable data to the server then it could well be something particular browsers are doing rather than the mod itself.


Archived

This topic is now archived and is closed to further replies.
