Removal of repetitive non-word characters, like line breaks in an HTML textarea, that cause errors in modsecurity

I need a little help with the removal of repetitive non-word characters like line breaks in an HTML textarea that cause errors in modsecurity. I'm making a simple HTML form with a textarea that visitors can fill in:

  Your question:<br>
  <textarea name="question" cols=100 rows=8></textarea>

Next, I'm using gen_validatorv4.js to validate the input:

frmvalidator.addValidation("question","maxlen=800", "Max length is 800 characters");

The form action on submit is a script contact-form-handler.php which does the following:

$question = $_POST['question']; 

My problem is that when the customer enters multiple line breaks (Enter, Return) Modsecurity returns an error that access to contact-form-handler.php is denied:

Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:bericht. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "\x0d\x0a\x0d\x0a"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1414686989441629 117554 (- - -)
Stopwatch2: 1414686989441629 117554; combined=91683, p1=11515, p2=79432, p3=0, p4=0, p5=731, sr=815, sw=5, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache/2.2.22 (Debian)

I tried with a second (dummy) textarea that isn't even processed in the php script, nevertheless modsecurity blocks access to the script. When the multiple line breaks are removed, the form is successfully processed and sent with msmtp.

Rather than alleviating the modsecurity rules (don't know how to do that either) I feel more like removing multiple line breaks (and spaces) in the HTML contact form before it is processed by the php script. I found some guidelines to do so with the following javascript format:

txt = txt.replace(/(\r\n|\n|\r)/gm," ");

but I lack the knowledge to feed "question" into this command and then make it available for the php command $question = $_POST['question'];

Can anyone help?

Do not try to remove the line breaks. That is a hack and does not address the problem. To address the problem you need to make custom changes to the modsecurity OWASP core rules. If you do not know how to do this, talk to your administrator. If you want to learn about modsecurity, buy https://www.feistyduck.com/books/modsecurity-handbook/

Here is what we do for example - we change the regex from "\W{4,}" to "\W{6,}" by disabling the rule and then adding it again:

SecRuleRemoveByID 960024
SecRule ARGS "\W{6,}" "phase:2,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"

But maybe you want to disable the rule just for this specific URL:

SecRule REQUEST_URI "@beginsWith /your/url/to/the/php/script" "phase:1,t:none,pass,id:'5000',nolog,ctl:ruleRemoveById=960024"

Hope this helps, Ronald

Thanks for your reply. I followed your advice by creating a new file modsecurity_crs_60_customrules.conf, added SecRuleRemoveByID 960024, copied the original SecRule ARGS "\W{4,}"............ from modsecurity_crs_41_sql_injection_attacks.conf into it and then changed the 4 into a 6. Your SecRule did not work, probably it is from another rules set version.

This works for two sequential line breaks. For three breaks in a row I'll get the same old error 403. So I do hope visitors take care of their layout when entering a question.
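
Why raising the threshold from 4 to 6 lets one blank line through but still rejects two, as an added example (not code from this thread or from the CRS): it models only the `\W{n,}` pattern on the decoded field value and assumes line breaks arrive as CRLF, as the `\x0d\x0a\x0d\x0a` in the audit log above shows. The function names and sample inputs are constructed for illustration.

```javascript
// Added example: models only the regex part of CRS rule 960024 on an
// already-decoded argument value. Sample inputs are constructed.

// Assumption: the browser submits every textarea line break as CRLF,
// so one blank line in the textarea becomes "\r\n\r\n" (4 characters).
function asSubmitted(text) {
  return text.replace(/\r\n|\r|\n/g, "\r\n");
}

// Return every run of non-word characters (anything outside [A-Za-z0-9_])
// that is at least `threshold` long, i.e. what "\W{threshold,}" would match.
function offendingRuns(value, threshold) {
  const re = new RegExp("\\W{" + threshold + ",}", "g");
  return (value.match(re) || []).map((run) => ({
    length: run.length,
    escaped: JSON.stringify(run), // printable form for a log or report
  }));
}

// True when the submitted form of `text` would trip the pattern.
function isBlocked(text, threshold) {
  return offendingRuns(asSubmitted(text), threshold).length > 0;
}

// Constructed sample questions as a visitor might type them.
const samples = {
  oneBreak: "First line\nSecond line",
  blankLine: "First paragraph\n\nSecond paragraph",
  twoBlankLines: "First paragraph\n\n\nSecond paragraph",
  // Punctuation counts too: "?)" plus one blank line is a 6-character run.
  punctuationThenBlankLine: "Is this right?)\n\nThanks",
};

for (const [name, text] of Object.entries(samples)) {
  console.log(
    name,
    "| \\W{4,} blocks:", isBlocked(text, 4),
    "| \\W{6,} blocks:", isBlocked(text, 6),
    "| runs >= 4:", offendingRuns(asSubmitted(text), 4)
  );
}
```

Punctuation directly before a blank line extends the run, so with the threshold at 6 a question ending in `?)` followed by one blank line is still rejected.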