
Normally I would just pester my provider to disable the rule. And while he certainly deserves pestering, I've done that way too often already for the low service price.

(Like always this is about a mod_security rule that's just a blacklisting entry for some obscure bug in Wordpress or Drupal from 5 years ago. While I'm not using that, I still pay the price for errors in someone else's code...)

Anyway. Usually mod_security is easy to foil in such cases. I've been trying to rename my form fields to work around it. But this time it doesn't seem to help. This is the offending rule (which I can make no sense of):

    # Rule 340147: Generic XSS filter
    SecRule REQUEST_URI "!(/mt\.cgi|^/node/[0-9]+/webform/components/|/node/[0-9]+/edit|/wizard/edit/html|^/\?q=node/[0-9]+/edit/|/node/add/main|sitebuilder/createproject|/admin/\?page=spageedit)" \
             "t:none,t:urlDecodeUni,t:replaceComments,t:replaceNulls,t:htmlEntityDecode,t:lowercase,t:compressWhitespace,capture,id:340147,rev:81,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter',chain,logdata:'%{TX.0}'"
    SecRule REQUEST_URI|ARGS|ARGS_NAMES|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:Right_photo_1|!ARGS:/^K2ExtraField/|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:_qf_Group_next|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:resolution|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:embeddump|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:/^field_id/|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:/desc/|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/ "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|\" ?> ?<|\" ?[a-z]+ ?<.*>|> ?\"? ?(>|<)|< ?/?i?frame|\%env)"

That's the error.log entry:
    [Tue Mar 29 14:28:52 2011] [error] [client 000.000.000.000] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^(submit\\\\+>>|>>)$)" against "ARGS:pub_lish2" required. [file "/etc/apache2/modsec2/10_asl_rules.conf"] [line "962"] [id "340147"] [rev "108"] [msg "Atomicorp.com WAF Rules: Generic XSS filter"] [data "848"] [severity "CRITICAL"] [hostname "hahaha.not-telling-you.org"] [uri "/index.php"] [unique_id "TZHQhE6KWTMAAFkDGf0AAAAG"]

These are the form fields used:

    <form action="index.php" method="POST" enctype="multipart/form-data" accept-encoding="UTF-8">
    <input type="hidden" name="pub_lish2" value="1">
    <input type="hidden" name="e" value="2">
    <textarea name="question">
       &lt;tt&gt;...&lt;/tt&gt;
       &lt;h2&gt;...&lt;/h2&gt;
       &lt;p&gt;...&lt;/p&gt;
       &lt;span class=&quot;tag&quot;&gt;details&lt;/span&gt;
    </textarea>
    <!--div id="captcha" class="captcha">
        <input type="hidden" id="__ec_i" name="__ec_i" value="ec.1301402534.e6dcf57012b4410395621d0b6851f0a2" />
        <input type="text" name="__ec_s" value="">
    </div-->
    <input type="submit" value="Post Your Thingy">
    </form>

It's not the captcha fields, so I commented them out. The textarea contains html, but nothing suspicious. I've renamed the submit field quite a few times, and e= is just an id field.

Can anyone make sense of the mod_security message? I don't understand its silly demands.

mario

2 Answers


For me, this rule was triggering when someone submitted a form with a less-than, greater-than sign with no characters in between, so: '><'

It looks like your form is built in with those pre-entered into the form:

Note that whitespace doesn't fix this.

Maria
  • Oh indeed. It's the consecutive HTML brackets. This rule doesn't actually test for suspiciousness or real XSS issues. Any kind of HTML will trigger it... Conclusion: no workaround possible this time. – mario Mar 29 '11 at 23:38
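To see exactly which fragment of the submitted data the quoted rule matches, here is an added Python script (it is not from the question, the answers, or the Atomicorp rule set). It approximates the transformation chain declared in the first SecRule (urlDecodeUni, replaceComments, replaceNulls, htmlEntityDecode, lowercase, compressWhitespace) with standard-library calls, then runs the chained rule's regex over every argument name and value, the way ModSecurity evaluates ARGS|ARGS_NAMES; the fragment it returns is what the rule would log as %{TX.0}. It uses the regex from the rule as pasted in the question (rev 81), not the different expression quoted in the error.log line for rev 108. The form values are reconstructed from the question's HTML; the `FORM_ARGS` dict, the helper names and the sample strings are my own assumptions, and the rule's `!ARGS:` exclusions are not modelled.

```python
import html
import re
import urllib.parse
from typing import Dict, List, Tuple

# Regex of the chained (second) SecRule of id 340147 as quoted in the question.
# The constructs it uses (alternation, optional spaces, non-capturing groups)
# behave the same in PCRE and in Python's re module.
XSS_RX = re.compile(
    r'(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>'
    r'|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/'
    r'|" ?> ?<'
    r'|" ?[a-z]+ ?<.*>'
    r'|> ?"? ?(>|<)'
    r'|< ?/?i?frame'
    r'|%env)'
)


def modsec_transform(value: str) -> str:
    """Approximate the rule's transformation chain with stdlib calls:
    t:urlDecodeUni, t:replaceComments, t:replaceNulls, t:htmlEntityDecode,
    t:lowercase, t:compressWhitespace. The real ModSecurity functions differ
    in corner cases (e.g. %uXXXX decoding) that do not matter for this form."""
    v = urllib.parse.unquote(value)                  # t:urlDecodeUni (the %XX part)
    v = re.sub(r'/\*.*?\*/', ' ', v, flags=re.S)     # t:replaceComments: /* ... */ -> space
    v = v.replace('\x00', ' ')                       # t:replaceNulls
    v = html.unescape(v)                             # t:htmlEntityDecode
    v = v.lower()                                    # t:lowercase
    v = re.sub(r'\s+', ' ', v)                       # t:compressWhitespace
    return v


def check_args(args: Dict[str, str]) -> List[Tuple[str, str]]:
    """Evaluate the rule against every argument the way ARGS|ARGS_NAMES does:
    both the parameter name and its value are transformed and searched.
    Returns (target, matched_fragment) pairs; the fragment is what the rule
    would log as %{TX.0}. The !ARGS: exclusions of the rule are not modelled."""
    hits = []
    for name, value in args.items():
        for target, raw in (("ARGS_NAMES:" + name, name), ("ARGS:" + name, value)):
            m = XSS_RX.search(modsec_transform(raw))
            if m:
                hits.append((target, m.group(0)))
    return hits


# Constructed from the form in the question: what the browser submits for the
# three fields (the textarea's entities are already decoded by the browser).
FORM_ARGS = {
    "pub_lish2": "1",
    "e": "2",
    "question": (
        "<tt>...</tt>\n"
        "   <h2>...</h2>\n"
        "   <p>...</p>\n"
        '   <span class="tag">details</span>'
    ),
}

if __name__ == "__main__":
    for target, fragment in check_args(FORM_ARGS):
        print(f"{target}: blocked on {fragment!r}")
    # Adjacent tags match, a single element does not, and encoding changes nothing.
    for sample in ("<b>bold</b>", "<p>a</p><p>b</p>",
                   "&lt;p&gt;a&lt;/p&gt;&lt;p&gt;b&lt;/p&gt;",
                   "%3Cp%3Ea%3C/p%3E%3Cp%3Eb%3C/p%3E"):
        print(f"{sample!r}: {check_args({'q': sample})}")
```

Run on the question's form, the only hit is in the textarea, on the `> <` between `</tt>` and `<h2>` once the newline and indentation have been compressed to one space: the fifth alternative, `> ?\"? ?(>|<)`, accepts any `>` followed, after optional whitespace and an optional quote, by another bracket. A single element such as `<b>bold</b>` passes; two adjacent elements do not, and writing them as entities or percent-encoding them makes no difference because the rule decodes both before matching. Since the match is on the value, renaming the field only helps if the new name falls under one of the rule's `!ARGS:` exclusions.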

The rule is complaining about argument 'pub_lish2' NOT matching a specific regex ((^(submit\\+>>|>>)$)) on reception (RX) by index.php.

As near as I can tell, they've introduced a whole bunch of individual exceptions to the rule that you could avail yourself of for testing, so reading the rules supplied, they match every URL that isn't specifically a form endpoint, then provide a huge list of exceptions. I'd suggest that they're attempting to remove extraneous form-based XSS, just extremely badly.

You can probably produce a fairly easy test by changing that particular field to one of the exclusions, so, picking one at random:

busymess

Then seeing what happens on a submit. If they allow you, you can ask for the pub_lish2 'target' to be added to the exclusion list.

Rex Fury