Mod Security issue J4/J5 upon saving

[channingb]

Steps to reproduce the issue

I posted in #43510 also, but the posts were in May. Apologies for my ignorance.

Since our hosting company heightened security last week due to "a huge rash of bot attacks against WHMCS systems", we are experiencing mod_security rules being triggered.

php errors, "page not found" (see below). It occurs doing many different tasks. Convert Forms component does not show the full form builder, adding an image using JCE Editor in article manager will fail to save but does not seem to break in YTP Page builder, cannot save in styles or other YTP builder areas, adding image in JSitemap failed, etc.

Error
2024-08-16T18:10:15+00:00 CRITICAL 149.106.104.144 error Uncaught Throwable of type Joomla\CMS\Router\Exception\RouteNotFoundException thrown with message "Page not found". Stack trace: #0 [ROOT]/libraries/src/Application/SiteApplication.php(746): Joomla\CMS\Router\Router->parse(Object(Joomla\CMS\Uri\Uri), true)
#1 [ROOT]/libraries/src/Application/SiteApplication.php(232): Joomla\CMS\Application\SiteApplication->route()
#2 [ROOT]/libraries/src/Application/CMSApplication.php(293): Joomla\CMS\Application\SiteApplication->doExecute()
#3 [ROOT]/includes/app.php(61): Joomla\CMS\Application\CMSApplication->execute()
#4 [ROOT]/index.php(32): require_once('/home/fullcirc/...')
#5 {main}

Expected result

Saving without mod_security rule being triggered and not having to white-list mod rules.

Actual result

"page not found" and will not save.

System information (as much as possible)

We have 30 sites either in J4 or J5. This is one sample
J4 4.4.6
PHP 8.1
Apache server

Additional comments

We have done quite a bit of white listing which is not ideal. Today, the host whitelisted 941100 and 941160. Both, they said, are there to protect against XSS attacks. And we will have another 27 sites to go through.

One developer said it was the hosting company's issue, and the host thinks differently.

Thank you.

[channingb]

A follow up. The hosting company had to replace the whole ruleset on one of our websites to make things work. They are not having this issue with other CMSystems on their servers.

[brianteeman]

What are the contents of the log with the mod_security message

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43931.}

[channingb]

Hi Sir: Are you referring to what the hosting company is seeing? Or the logs in the error.php in Joomla!? Please note, I am not a developer, but do my best to figure these things out for our clients, I am a designer with access to cPanel and the php logs in Joomla! and can figure my way around. Thank you for taking a look. Let me know specifically what you need from the hosting company and me, I will get on it. Channing Meyer Full Circle Creative 970-213-3779 ***@***.***

…

On Aug 16, 2024, at 2:45 PM, Brian Teeman ***@***.***> wrote: What are the contents of the log with the mod_security message This comment was created with the J!Tracker Application <https://github.com/joomla/jissues> at issues.joomla.org/tracker/joomla-cms/43931 <https://issues.joomla.org/tracker/joomla-cms/43931>. — Reply to this email directly, view it on GitHub <#43931 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHASFUOU3BN4V3FR5ZI2FDLZRZQFDAVCNFSM6AAAAABMURYMDWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEOJUGIYTSMJZG4>. You are receiving this because you authored the thread.

[brianteeman]

You need to ask them for the entry in the log file which shows which mod_Security rule was triggered etc.

For example it might look something like this

[Wed Jan 05 20:23:22.752498 2022] [:error] [pid 165040:tid 140426547775232] [client 37.115.218.47:62721] [client 37.115.218.47] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (MS Web Services Client Protocol|WormlyBot|webauth@cmcm\\\\.com)" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/httpd/modsecurity.d/modsec/20_asl_useragents.conf"] [line "402"] [id "397989"] [rev "1"] [msg "Atomicorp.com WAF Rules: MSIE 6.0 detected (Disable if you want to allow MSIE 6)"] [severity "WARNING"] [hostname "xxxxxxxxx"] [uri "/"] [unique_id "YdZEivaOI3qA9-ycvDePjwAAANI"], referer: https://spinazdrav.ru/

PS my gut feeling is that it is a hosting issue or we would be seeing a lot of reports

[channingb]

Hi Brian: Thanks for getting back to me and appreciate your assistance. It may be a hosting issue or a combination, of things occurring across al parts of this, I don’t know but having done a bit of forensics, sometimes many possibilities. I want to provide the hosting company and you/Joomla! with whatever I can to help resolve and improve. My goal is to find out how to avoid this in the future and obviously take care of our clients. . Here is a list of some of the mods triggered. I do not have any more than the two mentioned in my initial post. Do you need the actual log or will this list help? 33314 33345 77350455 77350477 77350746 941100 941140 941160 942350 942360 949110 980130 Channing Meyer Full Circle Creative 970-213-3779 ***@***.***

…

On Aug 16, 2024, at 3:54 PM, Brian Teeman ***@***.***> wrote: You need to ask them for the entry in the log file which shows which mod_Security rule was triggered etc. For example it might look something like this [Wed Jan 05 20:23:22.752498 2022] [:error] [pid 165040:tid 140426547775232] [client 37.115.218.47:62721] [client 37.115.218.47] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (MS Web Services Client ***@***.***\\\\.com)" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/httpd/modsecurity.d/modsec/20_asl_useragents.conf"] [line "402"] [id "397989"] [rev "1"] [msg "Atomicorp.com WAF Rules: MSIE 6.0 detected (Disable if you want to allow MSIE 6)"] [severity "WARNING"] [hostname "xxxxxxxxx"] [uri "/"] [unique_id "YdZEivaOI3qA9-ycvDePjwAAANI"], referer: https://spinazdrav.ru/ PS my gut feeling is that it is a hosting issue or we would be seeing a lot of reports — Reply to this email directly, view it on GitHub <#43931 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHASFUM45XTW6UHINHT3I7TZRZYKDAVCNFSM6AAAAABMURYMDWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEOJUGM3DEMJRGQ>. You are receiving this because you authored the thread.

[brianteeman]

only the actual log is of any use as that will show what triggered mod_security as well as the rule that was triggered.

obviously this is not a normal thing to happen as virtually all hosts use mod_security and as you've seen no one else is reporting an issue. mu gut feeling is that the host has not correctly hardened their servers but without the logs thats all it is.

[channingb]

Thanks Brian for your help. Our communication and your help did nudge the host to change their rules to Immunify from OWASP. Appreciate your work and timeliness. Channing Meyer Full Circle Creative 970-213-3779 ***@***.***

…

On Aug 19, 2024, at 10:56 AM, Brian Teeman ***@***.***> wrote: only the actual log is of any use as that will show what triggered mod_security as well as the rule that was triggered. obviously this is not a normal thing to happen as virtually all hosts use mod_security and as you've seen no one else is reporting an issue. mu gut feeling is that the host has not correctly hardened their servers but without the logs thats all it is. — Reply to this email directly, view it on GitHub <#43931 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHASFUKF2JDDADQUDH5BL33ZSIPULAVCNFSM6AAAAABMURYMDWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEOJXGAZDAMRQHE>. You are receiving this because you authored the thread.

[brianteeman]

great that your host worked out how to configure their server correctly.

This can now be closed