Need ModSecurity Ticket Resolved!!!!

[milehigh]

Ticket Number JH #AGR-80563-808

If I'm the only one having these issues than I guess I'll just shut up and switch hosts after 2+ years. None of these issues existed before the upgrade and I've been running CMS's on my sites for quite some time.

I can't do many admin functions within my CMS with ModSecurity rules filtering a lot of what I do

One of my site owners gets a 403 Forbidden just accessing the home page.

mod_security: Access denied with code 403. Error parsing cookies: Error normalising cookie value: Invalid character detected [0] [severity "EMERGENCY"]

You guys replied on 3/3 with:
mod_security exclusion rule created. Please check.

He just called me saying that he is still getting 403/forbidden on his home page. I checked the error log and the same messages are appearing.
Needless to say he is not happy with me at this point.

[Fri Mar 6 11:24:31 2009] [error] [client 64.27.236.96] mod_security: Access denied with code 403. Error parsing cookies: Error normalising cookie value: Invalid character detected [0] [severity "EMERGENCY"] [hostname "www.sigossip.com"] [uri "/"] [unique_id "SbFOP0BH6-sAABBnPHM"]
[Fri Mar 6 11:24:31 2009] [error] [client 64.27.236.96] mod_security: Access denied with code 403. Error parsing cookies: Error normalising cookie value: Invalid character detected [0] [severity "EMERGENCY"] [hostname "www.sigossip.com"] [uri "/"] [unique_id "SbFOP0BH6-sAAFTII9Y"]

The other exceptions you guys replied to are not working either as I still cannot do some admin functions.

 

[praveen]

We have updated the ticket. Please check it.

 

[cnisvcs]

I would like to back up Milehigh, who is not the only one slammed by ModSecurity restrictions preventing from using basic CMS features. I have a ticket opened for a little while already and we go back and forth with the support person: I send info what errors I am getting, he makes the rule exclusion, I test it and send next batch of errors, and so on, and so forth...

In my post within Cluster 1 Postupgrade Master Thread I asked for a systemwide solution for this issue. My question remains unanswered. I would like to repeat my query: Is it possible to turn off ModSecurity for all scripts in a specified folder? That would solve the issue for us.

Thank you for your ongoing support and efforts in alleviating the negative impact of the recent upgrade on some of us. It seems that the particular issue with ModSecurity blocking CMS fetaures simply calls for a better, general solution.

 

[Stephen]

I would like to back up Milehigh, who is not the only one slammed by ModSecurity restrictions preventing from using basic CMS features. I have a ticket opened for a little while already and we go back and forth with the support person: I send info what errors I am getting, he makes the rule exclusion, I test it and send next batch of errors, and so on, and so forth...

In my post within Cluster 1 Postupgrade Master Thread I asked for a systemwide solution for this issue. My question remains unanswered. I would like to repeat my query: Is it possible to turn off ModSecurity for all scripts in a specified folder? That would solve the issue for us.

Thank you for your ongoing support and efforts in alleviating the negative impact of the recent upgrade on some of us. It seems that the particular issue with ModSecurity blocking CMS fetaures simply calls for a better, general solution.

No it is not possible, there are spiders slamming the servers with exploit, defacing, and ddos script right now in a way I haven't seen since the major SQL injection defacements. We are fighting this much behind the scene but it is extreme.

 

[cnisvcs]

Fair enough. Thank you for your answer.

 

[WebFire]

Having issues with mod_security as well. Cannot install a new Wordpress and a client having issues running ExpressEngine.

 

[Mark65]

This recently started happening to us too with new CMS installs.

From the above posts I understand that support may be able to do exclusions on certain folders or how does this work? Does it have to be done manually for each affected domain?

Thanks.

 

[tanmaya]

Mark65, can you please point me to any of your resolved ticket that took care of the issue. I'll get the necessary rule replicated across all webservers. We already have a mod_security rule merge planned that is a periodic activity to avoid such problem.

 

[Mark65]

Mark65, can you please point me to any of your resolved ticket that took care of the issue. I'll get the necessary rule replicated across all webservers. We already have a mod_security rule merge planned that is a periodic activity to avoid such problem.

BJK-38002-746 was resolved.

Thank you.

 

[Bunchadogs]

Mark65, can you please point me to any of your resolved ticket that took care of the issue. I'll get the necessary rule replicated across all webservers. We already have a mod_security rule merge planned that is a periodic activity to avoid such problem.

When will this be happening? I need to get several domains fixed, and seems to be all related to a rule with ID 960010. Does it need to be done on a LocationMatch type situation, or will it be the entire rule?

Thanks!

 

[tanmaya]

It should be done in next 48 hours.