I have a PHP application where a form has HTML textarea tag to collect multiline text. One of our client was having trouble posting, and we couldn't recreate the issue until we tried the exact text.
After much checking I found the following in modsec_audit.log:
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\\\\\\\n|\\\\\\\\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\\\\\s+" at MATCHED_VAR. [file "/var/cpanel/cwaf/rules/12_HTTP_Protocol.conf"] [line "137"]
Basically the client tried to input a multiline text where first word was "Delete" in a line. So basically I guess having \r\nDelete in the POST data triggered the pattern match.
Now I assume the rule is important for security, as those command keywords in the matching criteria could do harm if unchecked, but at the same time it's not feasible to ask client that hey do not start the line with these and these words, so how to handle the situation?
