Background -

I have my website code hosted on a Linux server. My website allows new registrations for employers (http://www.gymandspajobs.com/Employer/Employer.php). The filled-in forms are verified by JavaScript files in the folder "/javascript" and, if the information is found OK, the data is submitted via a JavaScript HTTP request object and the PHP file "somefile.php" kept in the folder "/somefolder" under the root directory does the database inserts.

Problem -

When a new user tried to register using Firefox (I tested on WinXP SP2, Firefox v3.5.2), the HTTP response I used to get (which I captured in my JavaScript file) was "You don't have permission to access /somefolder/somefile.php on this server."

Surprisingly, the same functionality worked perfectly well in IE7 and Chrome.

Latest Update on the Problem -

I contacted my web hosting guys and my problem seems to have been solved after I received this reply from them.

We have disabled mod_security for your domain to fix it. We have entered the below line in the .htaccess file under the httpdocs directory for your domain. We have also verified and were successfully able to submit the Employer registration without any issues.

    SecFilterEngine off

Though the problem has been solved, I think setting "SecFilterEngine off" may not be the best solution to this problem as it compromises security. Hence I asked the hosting guys if there is a way to keep mod_security ON and yet get my functionality to work. Here is their reply:

Q. is there any way my code can work yet keeping mod_security ON?

Ans. It is possible, but it is not easy. You have to modify the code in the file in such a way that the request does not match the pattern "!(^application/x-www-form-urlencoded$|^multipart/form-data;)", because we found this entry in the Apache error logs:

mod_security-action: 403

mod_security-message: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type")

I am using the HTTP object and the POST method via JavaScript as follows:

http.setRequestHeader('Content-Type','application/x-www-form-urlencoded')

Please guide me as to what changes I need to make in the above line of code so that mod_security can be kept ON and yet my registration form will work.

Thanks and Regards,

-Rupak Kharvandikar-

A: 

I managed to create an account in Firefox without any issues.

MiffTheFox

Hello, thanks for your kind interest. Yes, the functionality is working right now because mod_security is turned OFF. As mentioned, my quest is to keep mod_security ON and yet make this functionality work. Kindly guide. Thanks and regards, -Rupak Kharvandikar-
A: 

In this situation the best thing to do is to treat that specific warning as a false positive, because it is. Remember that mod_security doesn't support content encoding, and false positives are a very normal thing when you are dealing with WAFs.

Disabling all mod_security rules just for one false positive is dumb though. Look for the id of the rule that is getting triggered and disable it with "SecRuleRemoveById". On my box I created an additional config file to hold all the rules I want to disable.

modsecurity_crs_60_myignores.conf

    SecRuleRemoveById 960903
    SecRuleRemoveById 970903
    SecRuleRemoveById 970902

pcp
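A scoped version of that approach, added here as an example that is not from the question or either answer: instead of removing the rule for the whole domain, drop it only for the one endpoint the XMLHttpRequest posts to and re-impose an equivalent check there. It assumes mod_security 2.x (the SecRuleRemoveById directive above is 2.x syntax, while the SecFilterEngine line the host used is 1.x), that the rule id is read from the server's own log entry (placeholder below, since the page does not give it), and that the endpoint is the /somefolder/somefile.php from the question; the local rule id 100001 is an arbitrary choice.

```apache
# Keep the engine on for the whole domain; never switch it off globally.
SecRuleEngine On

# Narrow the exception to the single endpoint that the registration form posts to.
<LocationMatch "^/somefolder/somefile\.php$">
    # Remove only the rule that fired. The id comes from the mod_security
    # error/audit log entry for this request (placeholder: not given on the page).
    # Every other rule still applies to this path.
    SecRuleRemoveById RULE_ID_FROM_LOG

    # Re-impose the same Content-Type policy with a pattern that tolerates a
    # parameter such as "; charset=UTF-8" after the media type. The original
    # regex is anchored with "$", so a Content-Type carrying any parameter fails
    # it even though the media type is the allowed one. Requests without a
    # Content-Type header (e.g. plain GETs) have no variable to test and pass.
    # id 100001 is an arbitrary local id (assumption), required by 2.7+.
    SecRule REQUEST_HEADERS:Content-Type \
        "!^(application/x-www-form-urlencoded|multipart/form-data)(;|$)" \
        "phase:2,t:none,t:lowercase,deny,status:403,log,id:100001,msg:'Unexpected Content-Type on employer registration endpoint'"
</LocationMatch>
```

After reloading Apache, submit the form from Firefox and confirm the error log no longer shows the 403 entry for this path, while a POST with a non-form Content-Type to the same path is still denied by rule 100001.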