
Forbidden You don't have permission to access /staff/settings/company/plugins/manage/5/ on this server.


EMar


Hmm, I was trying to edit the portal module text and after saving got this:

Forbidden You don't have permission to access /staff/settings/company/plugins/manage/5/ on this server.

Would it have anything to do with mod_security, which I enabled the other day on CentOS Panel?


For some reason I created two staff members, but with the same info, each assigned to a different department, billing and support.

I've ticked every box at System > Staff > Staff Groups, for both users, but still can't edit that portal module.

EDIT

Actually I disabled mod_security on the server and was able to edit the portal module.
So any idea how to fix this when mod_security is enabled?


You need to look at the relevant log. There may be a specific mod_sec log or in your Apache etc log.

In there it will list what caused mod_sec to kick in. There will be an ID of the mod_sec rule that caused the false positive.

Disable that ID.


I logged into CentOS Control Panel 7 and clicked Mod Security under the Security tab.

Last 20 Lines matching ModSecurity from Error log file: /usr/local/apache/logs/error_log

[Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567:tid 1402356545764868i24] [client 11.110.113.232:63250] [client 11.110.113.232] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\\\s*?\\\\(\\\\s*?select)|(?:\\\\d+\\\\s*?(x?or|div|like|between|and)\\\\s*?\\\\d+\\\\s*?[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*?(?:drop|alter))|(?:(?:;|#|--)\\\\s*?(?:update|i ..." at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] [data "Matched Data: div class=\\x22 found within ARGS:content:     <div class=\\x22col-md-12\\x22>\\x0d\\x0a        <div class=\\x22thanks\\x22>\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a</div>\\x0d\\x0a    </div>\\x0d\\x0a\\x0d\\x0a    <div class=\\x22col-md-4 col-sm-6 portal-box\\x22>\\x0d\\x0a        <a href=\\x22{client_url}login/\\x22>\\x0d\\x0a            <div class=\\x22well\\x22>\\x0d\\x0a                <i class=\\x22fa fa-cogs fa-4x\\x22></i>\\x0d\\x0a                <h4>My Account</h4>\\x0d\\x0a                <p>Log in here to manage your ac [hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] [unique_id "%^$%6DeSztztryrrtrggJxJwAAAM8"], referer: https://clients.domain.com/staff/settings/company/plugins/manage/5/


Looks like it is in fact a mod_security rule. You'll need to edit the file, comment out the line, and restart Apache.

[file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"]

nano -w +211 /usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

.. to go right to the line


On 4/28/2018 at 8:25 PM, EMar said:

Thanks, I can't find /usr/local/apache/modsecurity-owasp-old/ in my Centos installation, using sftp as root.

That's weird since your error mentions the path /usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

locate injection_attacks.conf

Maybe you'll get a result? If you get a "database" error (unable to search):

yum install mlocate -y
updatedb &

And try again after a few min.


[root@me /]# yum install mlocate -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.tds.net
 * epel: mirror.steadfast.net
 * extras: mirrors.gigenet.com
 * updates: centos.mirrors.tds.net
Package mlocate-0.26-6.el7.x86_64 already installed and latest version
Nothing to do

6 hours ago, EMar said:

I don't know where exclude rules files are.

You said you have CentOS Panel. If you look in the admin interface under Security ---> Mod Security you will find options to enable/disable mod security, and also the conf file locations. If nothing has been changed it should be:

Main Configuration --> /usr/local/apache/conf.d/mod_security.conf
Rules Configuration --> /usr/local/apache/modsecurity-cwaf/cwaf.conf
Disabled Rules --> /usr/local/apache/modsecurity-cwaf/custom_user.conf


To edit the file use the command vi /usr/local/apache/modsecurity-cwaf/custom_user.conf (to edit another file just change the file location after vi). When the file is opened press i (short for insert) and then you can edit the content; when you are done first press ESC, then press left shift + q, then type wq and hit enter. If you are not good with ssh just install WinSCP and then you can download the file, edit it and upload it again in one minute using the GUI.



Ok.. I have those config files now, I can edit them in CentOS Web Panel 7.

There's no disable option for Mod Security; I uninstalled it while editing Blesta pages, then installed it again.

Adding SecRuleRemoveById 9667848 to all 3 files.

Configuration Files:
Main Configuration --> /usr/local/apache/conf.d/mod_security.conf
Rules Configuration --> /usr/local/apache/modsecurity-owasp-old/owasp.conf
Disabled Rules --> /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

I don't have a custom_user.conf

Contents of File: /usr/local/apache/conf.d/mod_security.conf (screenshot)

Contents of File: /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf (screenshot)

Do I need to add it to /usr/local/apache/modsecurity-owasp-old/owasp.conf?

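Added example, not from the thread and not Blesta or CentOS Web Panel code: the replies above boil down to "read the error_log line, take the rule id, disable that id", and the last post pastes `SecRuleRemoveById 9667848` into every config file it can find. The POSIX shell helper below does the same extraction from a log line like the one posted (the sample is constructed from it; the client address, hostname and unique_id are placeholders) and prints two forms of the exclusion: the site-wide one the thread uses, and a `<LocationMatch>` block that removes the rule only under the staff URI that tripped it, so the SQL-injection rule keeps inspecting every other form on the site. Function names are my own; the URI is assumed to contain no regex metacharacters beyond `/`.

```shell
#!/bin/sh
# Added example (not from the thread): turn one ModSecurity error_log line into
# a rule exclusion, scoped to the page that produced the false positive.

# Constructed sample modelled on the line posted in the thread. Rule id, file,
# line, msg and uri are the thread's; client IP, hostname and unique_id are
# placeholders.
SAMPLE_LOG='[Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567] [client 11.110.113.232:63250] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=...)" at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] [data "Matched Data: div class=\x22 found within ARGS:content: <div class=\x22col-md-12\x22>"] [hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] [unique_id "EXAMPLEID"]'

# modsec_field KEY LINE
# Print the value of the [KEY "value"] field on LINE; exit non-zero if the
# field is absent or empty, so callers cannot silently emit a blank directive.
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p" | grep .
}

# global_exclusion LINE
# The site-wide form used in the thread's global_disabled_rules.conf. It works,
# but the SQL-injection rule then stops protecting every other page too.
global_exclusion() {
    id=$(modsec_field id "$1") || return 1
    printf 'SecRuleRemoveById %s\n' "$id"
}

# scoped_exclusion LINE
# Apache snippet that removes the rule only under the URI that tripped it.
# A trailing numeric path segment (the plugin id in /manage/5/) is generalised
# to [0-9]+ so every plugin's manage page is covered; otherwise the URI is
# matched exactly. Assumes the URI has no regex metacharacters to escape.
scoped_exclusion() {
    id=$(modsec_field id "$1") || return 1
    uri=$(modsec_field uri "$1") || return 1
    prefix=$(printf '%s\n' "$uri" | sed 's#/[0-9][0-9]*/$#/#')
    if [ "$prefix" = "$uri" ]; then
        pattern="^$uri\$"
    else
        pattern="^${prefix}[0-9]+/\$"
    fi
    printf '<LocationMatch "%s">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$pattern" "$id"
}

# Stand-alone run: show what each form looks like for the sample line.
echo "# rule $(modsec_field id "$SAMPLE_LOG") from $(modsec_field file "$SAMPLE_LOG") line $(modsec_field line "$SAMPLE_LOG")"
global_exclusion "$SAMPLE_LOG"
scoped_exclusion "$SAMPLE_LOG"
```

Whichever form you use, it only takes effect if it is loaded after the rule it removes, which is why it belongs in the file the panel lists as "Disabled Rules" (included after the CRS) and not in mod_security.conf ahead of it; run `apachectl configtest` and then restart Apache. Since the log shows the match was on `ARGS:content` alone, ModSecurity 2.x also offers `SecRuleUpdateTargetById 9667848 "!ARGS:content"`, which keeps the rule but stops it inspecting that one parameter; that is narrower still than either form printed above.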
