I'm having some trouble dealing with two false positives. This is cPanel's
implementation of OWASP ver.3.0.0, as nearly as I can tell (from /etc
/OWASP/modsecurity_crs_10_setup.conf). I've masked some possibly sensitive

523939:[Thu Dec 01 10:25:39.244073 2016] [:error] [pid 24880] [client
xx.xx.xxx.xxx] ModSecurity: Access denied with redirection to
http://www.example.com/ using status 302 (phase 2). Pattern match
"\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:returnUrl.
[line "219"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"]
[severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "6"] [accuracy "8"]
[tag "Host: www.example.com"] [tag "application-multi"] [tag
"language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag
"OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [hostname "www.example.com"] [uri
"/xxx.php"] [unique_id "WEBA83cQjKbwhNpTYWkudQAAAAQ"]

526747:[Thu Dec 01 10:41:28.958952 2016] [:error] [pid 26285] [client
xx.xx.xxx.xxx] ModSecurity: Access denied with redirection to
http://www.example.com/ using status 302 (phase 2). Match of "beginsWith
%{request_headers.host}" against "TX:1" required. [file
[line "30"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion
(RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data:
found within TX:1:
[severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"]
[tag "Host: www.example.com"] [tag "application-multi"] [tag
"language-multi"] [tag "platform-multi"] [tag "attack-remote file
inclusion"] [tag "OWASP_CRS/WEB_ATTACK/RFI"] [hostname "www.example.com"]
[uri "/xxx.php"] [unique_id "WEBEqF9us8Ws-b6n3kgKmAAAAAI"]

I've confirmed that those rules are the problem by temporarily disabling
them, but I would like to create an exception instead. I am trying to use
the "add rule" function in cPanel's WHM/Security
Center/ModSecurity/Tools/Rules List. Here is what I'm trying to add (singly
and both at once):

SecRuleUpdateTargetById 950109 !ARGS:'another.example.com'
SecRuleUpdateTargetByID 950120 !ARGS_NAMES:'another.example.com'

When I try to save and deploy, here is what I get in the cPanel error log:

[2016-12-01 16:09:21 -0500] warn [xml-api] The system failed to deploy the
changes for “modsec/modsec2.user.conf”: The system could not validate the
new Apache configuration because httpd exited with a nonzero value. Apache
produced the following error: AH00526: Syntax error on line 1 of
Updating target by ID with no ruleset in this context

I've tried various combinations of single quotes, double quotes, no quotes,
but to no avail. It's up to the server vendor to file a ticket with cPanel
and they say it's not appropriate to do that for a syntax error.


I did file reports via cPanel earlier today and got auto-replies from
secur...@modsecurity.org assigning ticket nos. 1332 and 1333, but nothing
Owasp-modsecurity-core-rule-set mailing list

Reply via email to