Saturday, August 27, 2016

Mod_security issues with Roundcube, opencloud and other software

If Roundcube, opencloud or any other software running on an Apache server with mod_security has issues or behaves strangely, check /var/log/httpd/modsec_audit.log for errors.

In my case I was not able to send/forward emails with national ("non-English") characters in the message content.

Some of the mod_security rules are outdated and can produce false positives.

Sample issue:
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ):\x0d\x0a>  found within ARGS:_message:...

If you believe that rule is not needed for your application, edit httpd.conf and add the following directive to your (VirtualHost) config:
SecRuleRemoveById 960024

Restart Apache and check whether your app works now; if not, check modsec_audit.log for more issues.
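
The triage step described above, as an added example that is not part of the original post: a Python script that tallies which rule ids fire on which request variables in the "Message:" lines of modsec_audit.log and proposes a per-variable exclusion with ModSecurity's SecRuleUpdateTargetById, a narrower alternative to removing the rule for every parameter. The function names, the section marker and the second and third log lines are constructed for illustration.

```python
import re
from collections import Counter

# The first Message line is the sample from the post; the section marker
# and the other two Message lines are constructed for this example.
SAMPLE_LOG = r'''--0000000a-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ):\x0d\x0a>  found within ARGS:_message:...
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [id "960024"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"]
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_subject. [id "960024"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"]
'''

# "... at ARGS:_message. [" -> the variable the rule matched on
TARGET_RE = re.compile(r' at (\S+?)\.\s')
# [id "960024"] -> the rule id
ID_RE = re.compile(r'\[id "(\d+)"\]')


def summarize(log_text):
    """Count (rule id, matched variable) pairs across 'Message:' lines."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.startswith("Message:"):
            continue  # skip section markers, headers, bodies
        rule, target = ID_RE.search(line), TARGET_RE.search(line)
        if rule and target:
            hits[(rule.group(1), target.group(1))] += 1
    return hits


def suggest_exclusions(hits):
    """One variable-scoped exclusion per (id, variable) pair.

    The rule stays active for every other parameter, unlike
    SecRuleRemoveById, which disables it entirely.
    """
    return [f'SecRuleUpdateTargetById {rid} "!{target}"'
            for rid, target in sorted(hits)]


if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for (rid, target), count in hits.most_common():
        print(f"{count:3d}x rule {rid} on {target}")
    print("\n".join(suggest_exclusions(hits)))
```

To use it on a real server, pass the contents of /var/log/httpd/modsec_audit.log to summarize() and review each suggested line before adding it to the VirtualHost config.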

1 comment:

  1. I have never faced this issue. But thank you for posting a step by step solution to the problem. I’m sure a lot of people found this post helpful.
