EMar

Forbidden You don't have permission to access /staff/settings/company/plugins/manage/5/ on this server.


Hmm I was trying to edit the portal module text and after saving got this

Forbidden You don't have permission to access /staff/settings/company/plugins/manage/5/ on this server.

Would it have anything to do with mod_security, which I enabled the other day on CentOS Panel?


It could be mod_security, sure, or it could possibly be improper ACL permissions for your staff user. Check your staff group and ensure you have full access. Settings > System > Staff > Staff Groups: Edit


For some reason I created two staff members with the same info, each assigned to a different department, billing and support.

I've ticked every box at System > Staff > Staff Groups, for both users, but still can't edit that portal module.

EDIT

Actually I disabled mod_security on the server and was able to edit the portal module.
So any idea how to fix this when mod_security is enabled?


You need to look at the relevant log. There may be a specific mod_sec log or in your Apache etc log.

In there it will list what caused mod_sec to kick in. There will be an ID of the mod_sec rule that caused the false positive.

Disable that ID.


I logged into CentOS Control Panel 7 and clicked Mod Security under the Security tab.

Last 20 Lines matching ModSecurity from Error log file: /usr/local/apache/logs/error_log

[Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567:tid 1402356545764868i24] [client 11.110.113.232:63250] [client 11.110.113.232] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\\\s*?\\\\(\\\\s*?select)|(?:\\\\d+\\\\s*?(x?or|div|like|between|and)\\\\s*?\\\\d+\\\\s*?[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*?(?:drop|alter))|(?:(?:;|#|--)\\\\s*?(?:update|i ..." at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] [data "Matched Data: div class=\\x22 found within ARGS:content:     <div class=\\x22col-md-12\\x22>\\x0d\\x0a        <div class=\\x22thanks\\x22>\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a</div>\\x0d\\x0a    </div>\\x0d\\x0a\\x0d\\x0a    <div class=\\x22col-md-4 col-sm-6 portal-box\\x22>\\x0d\\x0a        <a href=\\x22{client_url}login/\\x22>\\x0d\\x0a            <div class=\\x22well\\x22>\\x0d\\x0a                <i class=\\x22fa fa-cogs fa-4x\\x22></i>\\x0d\\x0a                <h4>My Account</h4>\\x0d\\x0a                <p>Log in here to manage your ac [hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] [unique_id "%^$%6DeSztztryrrtrggJxJwAAAM8"], referer: https://clients.domain.com/staff/settings/company/plugins/manage/5/

16 hours ago, EMar said:

I logged into CentOS Control Panel 7 and clicked Mod Security under the Security tab.

Last 20 Lines matching ModSecurity from Error log file: /usr/local/apache/logs/error_log


[Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567:tid 1402356545764868i24] [client 11.110.113.232:63250] [client 11.110.113.232] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\\\s*?\\\\(\\\\s*?select)|(?:\\\\d+\\\\s*?(x?or|div|like|between|and)\\\\s*?\\\\d+\\\\s*?[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*?(?:drop|alter))|(?:(?:;|#|--)\\\\s*?(?:update|i ..." at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] [data "Matched Data: div class=\\x22 found within ARGS:content:     <div class=\\x22col-md-12\\x22>\\x0d\\x0a        <div class=\\x22thanks\\x22>\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a</div>\\x0d\\x0a    </div>\\x0d\\x0a\\x0d\\x0a    <div class=\\x22col-md-4 col-sm-6 portal-box\\x22>\\x0d\\x0a        <a href=\\x22{client_url}login/\\x22>\\x0d\\x0a            <div class=\\x22well\\x22>\\x0d\\x0a                <i class=\\x22fa fa-cogs fa-4x\\x22></i>\\x0d\\x0a                <h4>My Account</h4>\\x0d\\x0a                <p>Log in here to manage your ac [hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] [unique_id "%^$%6DeSztztryrrtrggJxJwAAAM8"], referer: https://clients.domain.com/staff/settings/company/plugins/manage/5/

Looks like it is in fact a mod_security rule. You'll need to edit the file, comment out the line, and restart Apache.

Quote

[file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"]

nano -w +211 /usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

... to go right to the line.

On 4/28/2018 at 8:25 PM, EMar said:

Thanks, I can't find /usr/local/apache/modsecurity-owasp-old/ in my Centos installation, using sftp as root.

That's weird since your error mentions the path /usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

locate injection_attacks.conf

Maybe you'll get a result? If you get a "database" error and it is unable to search:

yum install mlocate -y
updatedb &

And try again after a few min.

[root@me /]# yum install mlocate -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.tds.net
 * epel: mirror.steadfast.net
 * extras: mirrors.gigenet.com
 * updates: centos.mirrors.tds.net
Package mlocate-0.26-6.el7.x86_64 already installed and latest version
Nothing to do

6 hours ago, EMar said:

I don't know where exclude rules files are.

You said you have CentOS panel. If you look in the admin interface under Security ---> Mod Security you will find options to enable/disable mod security, and also the conf file locations. If nothing has been changed it should be:

Main Configuration --> /usr/local/apache/conf.d/mod_security.conf
Rules Configuration --> /usr/local/apache/modsecurity-cwaf/cwaf.conf
Disabled Rules --> /usr/local/apache/modsecurity-cwaf/custom_user.conf


To edit the file use the command vi /usr/local/apache/modsecurity-cwaf/custom_user.conf (to edit another file just change the file location after vi). After that, when the file is opened, press i (short for insert) and then you can edit the content. When you are done, first press ESC, then press left shift + q, then enter wq and hit enter. If you are not good with ssh just install WinSCP and then you can download the file, edit it and upload it again in one minute using the GUI.



Ok.. I have those config files now, I can edit them in CentOS Web Panel 7.

There's no disable option for Mod Security; I uninstalled it while editing Blesta pages, then installed it again.

Adding SecRuleRemoveById 9667848 to all 3 files.

Configuration Files:
Main Configuration --> /usr/local/apache/conf.d/mod_security.conf
Rules Configuration --> /usr/local/apache/modsecurity-owasp-old/owasp.conf
Disabled Rules --> /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

I don't have a custom_user.conf

Contents of File: /usr/local/apache/conf.d/mod_security.conf [screenshot]

Contents of File: /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf [screenshot]

Do I need to add it to /usr/local/apache/modsecurity-owasp-old/owasp.conf?

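As an added example (not code from this thread, Blesta or CWP), here is a small Python helper that pulls the rule id, matched variable and URI out of error_log entries like the one posted above and writes an exclusion scoped to the staff path instead of a site-wide SecRuleRemoveById. The log entry embedded in it is a constructed copy of the posted one with the pattern shortened, and the directive placement assumes Apache with ModSecurity 2.x.

```python
import re

# Constructed sample modelled on the error_log entry posted in the thread (pattern abbreviated;
# IP, host, rule id and unique_id are the thread's placeholders). Line 2 is a plain Apache
# error that the parser must ignore.
SAMPLE_LOG = (
    '[Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567:tid 1402356545764868i24] '
    '[client 11.110.113.232:63250] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "(?i:(?:@.+=\\\\s*?\\\\(\\\\s*?select) ..." at ARGS:content. '
    '[file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] '
    '[data "Matched Data: div class=\\x22 found within ARGS:content: <div class=\\x22col-md-12\\x22>"] '
    '[hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] '
    '[unique_id "PLACEHOLDER"]\n'
    '[Tue Apr 24 01:09:00.000000 2018] [:error] [pid 255567] [client 11.110.113.232:63251] '
    'AH01630: client denied by server configuration: /usr/local/apache/htdocs/.git\n'
)

TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [name "value"], value may hold \x.. escapes
VAR_RE = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')  # '... at ARGS:content. [file ...'

def parse_denials(log_text):
    """One dict per 'Access denied' line: id, msg, file, line, uri, hostname, variable."""
    events = []
    for line in log_text.splitlines():
        if 'ModSecurity: Access denied' not in line:
            continue  # ordinary Apache errors are not rule hits
        fields = dict(TAG_RE.findall(line))
        m = VAR_RE.search(line)
        fields['variable'] = m.group(1) if m else None
        events.append(fields)
    return events

def exclusion_for(event):
    """Drop the rule only under the first path segment that triggered it (/staff/ here), so it
    stays active for the public client area (a Location scope applies to this phase 2 rule).
    SecRuleRemoveById applies in config order: load it AFTER the file that defines the rule."""
    first = event.get('uri', '/').strip('/').split('/')[0]
    prefix = '/' + first + '/' if first else '/'
    return (f'# {event.get("msg")} ({event.get("file")}:{event.get("line")}) '
            f'on {event.get("variable")} at {event.get("uri")}\n'
            f'<LocationMatch "^{prefix}">\n'
            f'    SecRuleRemoveById {event["id"]}\n'
            f'</LocationMatch>')

def target_exclusion_for(event):
    """Narrower alternative: keep the rule everywhere but stop it inspecting the one
    parameter (the HTML template body) that produces the false positive."""
    return f'SecRuleUpdateTargetById {event["id"]} !{event["variable"]}'
```

Put the generated snippet in whichever file is included after the CRS rules (the disabled-rules file is the natural place); a removal directive read before the rule definition has nothing to remove, which is why adding it to the main configuration alone is not enough.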
