Most of my ZM site works fine. However, some links result in a "Forbidden" error page when clicked. For example, if I click on one of the camera's "day" links to view the events of the day.
I think I've narrowed the issue down to being related to the length of the path used to display the page. I've found that each page that I get forbidden on has a really long path.
Does anyone else have this issue, and is there a setting in Apache or somewhere else that I need to check?
Example failure path:
http://www.[terms][0][attr]=Archived&filter[terms][0][op]=%3D&filter[terms][0][val]=0&filter[terms][1][cnj]=and&filter[terms][1][attr]=DateTime&filter[terms][1][op]=%3E%3D&filter[terms][1][val]=-1+day&filter[terms][2][cnj]=and&filter[terms][2][attr]=MonitorId&filter[terms][2][op]=%3D&filter[terms][2][val]=2
Example working path:
http://www.[terms][0][attr]=MonitorId&filter[terms][0][op]=%3D&filter[terms][0][val]=2
This really doesn't seem like that long of a path in the grand scheme of things, but the path length does seem to be consistent with the error.
The errors are consistent with different browsers (IE versus Firefox on the same machine).
Forbidden error with some links
Does anyone have any idea of something to check to try to better define the issue?
I did find that the modsec_audit.log does update when I get the error. Unfortunately I don't understand this log and it is a lot of information for each entry (apparently). If anyone can help me understand what may be happening, please let me know. Or if you can even suggest something else to look for.
Note: This originally only happened with some pages. But after performing some updates, it has extended to more pages including clicking the tab on the camera configuration page.
Sorry for the long post below:
-----EDIT----------
After using Google a bit more, people advise to comment out the modsec rule that is triggering the failure. So I did this for line 25 of 49_enforcement, at least for testing. This fixed my issue for all the pages on the site. So this is a mod_security issue.
However, I'm sure all of you have mod_security on your machines as well. Why am I getting these errors? Did you have to modify your modsec rules? I would think that just commenting out lines that give errors would be dangerous for security...
--119e0e4f-A--
[19/Dec/2010:12:49:30 --0500] TQ5Fqn8AAAEAAA4IeQgAAAAE <WAN> 51620 192.168.0.2 80
--119e0e4f-B--
POST /zm/index.php HTTP/1.1
Host: www.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.
Cookie: zmMontageLayout=montage_2wide.css; zmBandwidth=high; replayMode=all; zmSkin=classic; ZMSESSID=s73gsfkctvn34ntksmcr4ajji6
Content-Type: application/x-www-form-urlencoded
Content-Length: 1270
--119e0e4f-C--
view=monitor&tab=source&action=&mid=5&newMonitor%5BLinkedMonitors%5D=&origMethod=v4l2&newMonitor%5BDevice%5D=%2Fdev%2Fvideo2&newMonitor%5BChannel%5D=0&newMonitor%5BFormat%5D=45056&newMonitor%5BProtocol%5D=&newMonitor%5BHost%5D=&newMonitor%5BPort%5D=80&newMonitor%5BMethod%5D=v4l2&newMonitor%5BPath%5D=&newMonitor%5BPalette%5D=1329743698&newMonitor%5BWidth%5D=640&newMonitor%5BHeight%5D=480&newMonitor%5BOrientation%5D=0&newMonitor%5BLabelFormat%5D=%25N+-+%25y%2F%25m%2F%25d+%25H%3A%25M%3A%25S&newMonitor%5BLabelX%5D=0&newMonitor%5BLabelY%5D=0&newMonitor%5BImageBufferCount%5D=50&newMonitor%5BWarmupCount%5D=25&newMonitor%5BPreEventCount%5D=50&newMonitor%5BPostEventCount%5D=120&newMonitor%5BStreamReplayBuffer%5D=20&newMonitor%5BAlarmFrameCount%5D=12&newMonitor%5BEventPrefix%5D=Event-&newMonitor%5BSectionLength%5D=3600&newMonitor%5BFrameSkip%5D=0&newMonitor%5BFPSReportInterval%5D=1000&newMonitor%5BDefaultView%5D=Events&newMonitor%5BDefaultRate%5D=100&newMonitor%5BDefaultScale%5D=100&newMonitor%5BWebColour%5D=red&newMonitor%5BSignalCheckColour%5D=%230100BE&newMonitor%5BName%5D=Play_Area&newMonitor%5BType%5D=Local&newMonitor%5BFunction%5D=Mocord&newMonitor%5BEnabled%5D=1&newMonitor%5BMaxFPS%5D=0.50&newMonitor%5BAlarmMaxFPS%5D=15.00&newMonitor%5BRefBlendPerc%5D=5
--119e0e4f-F--
HTTP/1.1 403 Forbidden
Content-Length: 295
Connection: close
Content-Type: text/html; charset=iso-8859-1
--119e0e4f-H--
Message: Pattern match "^([^;\s]+)" at REQUEST_HEADERS:Content-Type. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Message: Pattern match "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<a>\|])(\s*return\s*)?(?:globalstorage|sessionstorage|postmessage|callee|constructor|content|domain|prototype|try|catch|top|call|apply|url|function|object|array|string|math|if|elseif|case|switch|regex|boolean|l ..." at ARGS_NAMES:newMonitor[Function]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "66"] [id "900020"] [msg "Detects JavaScript language constructs"] [data "[function]"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match "(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:newMonitor[Device]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "86"] [id "900011"] [msg "Detects specific directory and path traversal"] [data "/dev/"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Message: Pattern match "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<a>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|inner ..." at ARGS_NAMES:newMonitor[Protocol]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "191"] [id "900017"] [msg "Detects JavaScript object properties and methods"] [data "[protocol]"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<a>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|inner ..." at ARGS_NAMES:newMonitor[Port]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "191"] [id "900017"] [msg "Detects JavaScript object properties and methods"] [data "[port]"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<a>\|])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|inner ..." at ARGS_NAMES:newMonitor[Name]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "191"] [id "900017"] [msg "Detects JavaScript object properties and methods"] [data "[name]"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]
Message: Pattern match "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" at ARGS_NAMES:newMonitor[Name]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "311"] [id "90004"] [msg "Detects url-, name-, JSON, and referrer-contained payload attacks"] [data "[name]"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"]
Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 26): 90004-Detects url-, name-, JSON, and referrer-contained payload attacks"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1292780970265067 55360 (1812* 54944 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
Server: Apache/2.2.15 (Fedora)
--119e0e4f-Z--
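An added example to help read the audit entry quoted above (this is my code, not part of the post and not from the ZoneMinder or ModSecurity projects). ModSecurity's serial audit log is a sequence of `--<id>-<letter>--` sections; the H section holds one `Message:` line per rule that matched, and the final "Access denied" message carries the anomaly score. The script below splits the entry into sections, pulls the rule id, target, matched data and severity out of each message, and reports which request parameters caused the hits. The sample entry is the one from the post, trimmed to the sections the parser reads, with the long regex patterns shortened to `"..."` exactly as the log itself truncates them.

```python
import re
from collections import Counter

# Constructed sample: the serial-format audit entry quoted in the post above,
# trimmed to sections A, B, F and H. The regex patterns in the H section are
# shortened to "..." (the log already truncates the long ones that way).
SAMPLE_ENTRY = r"""--119e0e4f-A--
[19/Dec/2010:12:49:30 --0500] TQ5Fqn8AAAEAAA4IeQgAAAAE <WAN> 51620 192.168.0.2 80
--119e0e4f-B--
POST /zm/index.php HTTP/1.1
Host: www.
Content-Type: application/x-www-form-urlencoded
--119e0e4f-F--
HTTP/1.1 403 Forbidden
--119e0e4f-H--
Message: Pattern match "^([^;\s]+)" at REQUEST_HEADERS:Content-Type. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "WARNING"]
Message: Pattern match "..." at ARGS_NAMES:newMonitor[Function]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "66"] [id "900020"] [msg "Detects JavaScript language constructs"] [data "[function]"] [severity "CRITICAL"]
Message: Pattern match "..." at ARGS:newMonitor[Device]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "86"] [id "900011"] [msg "Detects specific directory and path traversal"] [data "/dev/"] [severity "CRITICAL"]
Message: Pattern match "..." at ARGS_NAMES:newMonitor[Protocol]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "191"] [id "900017"] [msg "Detects JavaScript object properties and methods"] [data "[protocol]"] [severity "CRITICAL"]
Message: Pattern match "..." at ARGS_NAMES:newMonitor[Port]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "191"] [id "900017"] [msg "Detects JavaScript object properties and methods"] [data "[port]"] [severity "CRITICAL"]
Message: Pattern match "..." at ARGS_NAMES:newMonitor[Name]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "191"] [id "900017"] [msg "Detects JavaScript object properties and methods"] [data "[name]"] [severity "CRITICAL"]
Message: Pattern match "..." at ARGS_NAMES:newMonitor[Name]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "311"] [id "90004"] [msg "Detects url-, name-, JSON, and referrer-contained payload attacks"] [data "[name]"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 26): 90004-Detects url-, name-, JSON, and referrer-contained payload attacks"]
Action: Intercepted (phase 2)
--119e0e4f-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")        # --<txid>-<letter>--
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [key "value"] pairs
TARGET_RE = re.compile(r'" at ([A-Z_]+(?::.+?)?)\. \[file')   # variable the rule matched
SCORE_RE = re.compile(r"Anomaly Score Exceeded \(score (\d+)\)")


def split_sections(entry):
    """Map each section letter (A, B, C, F, H, Z, ...) to the text under it."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {letter: "\n".join(lines).strip() for letter, lines in sections.items()}


def parse_messages(h_section):
    """Turn every 'Message:' line of the H section into a dict of its fields."""
    messages = []
    for line in h_section.splitlines():
        if not line.startswith("Message: "):
            continue
        fields = dict(FIELD_RE.findall(line))
        target = TARGET_RE.search(line)
        messages.append({
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "severity": fields.get("severity"),
            "data": fields.get("data"),
            "file": fields.get("file"),
            "line": fields.get("line"),
            "target": target.group(1) if target else None,
            "blocking": line.startswith("Message: Access denied"),
        })
    return messages


def summarize(entry):
    """Reduce one audit entry to what matters for tuning: score, blocker, hits per target."""
    sections = split_sections(entry)
    messages = parse_messages(sections.get("H", ""))
    hits = [m for m in messages if not m["blocking"]]
    block = next((m for m in messages if m["blocking"]), None)
    score = None
    if block and block["msg"]:
        found = SCORE_RE.search(block["msg"])
        score = int(found.group(1)) if found else None
    first = lambda letter: sections[letter].splitlines()[0] if sections.get(letter) else None
    return {
        "request": first("B"),
        "status": first("F"),
        "score": score,
        "blocking_rule": (block["file"], block["line"]) if block else None,
        "rule_ids": [m["id"] for m in hits],
        "hits_by_target": Counter(m["target"] for m in hits),
        # matches on ARGS_NAMES fired on the form field *names* (newMonitor[...]),
        # not on anything the user typed: the classic PHP-array false positive
        "name_only_hits": [m for m in hits if (m["target"] or "").startswith("ARGS_NAMES:")],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ENTRY)
    print(f'{s["request"]} -> {s["status"]} (anomaly score {s["score"]})')
    print(f'blocked by {s["blocking_rule"][0]} line {s["blocking_rule"][1]}')
    for target, n in s["hits_by_target"].items():
        print(f"  {n} hit(s) on {target}")
    print(f'{len(s["name_only_hits"])} of {len(s["rule_ids"])} hits were on parameter names, not values')
```

Run against the entry from the post, the summary shows that five of the seven contributing hits (ids 900020, 900017 and 90004) matched the bracketed form field names such as `newMonitor[Function]` and `newMonitor[Name]`, not their values, and the sixth (900011) matched the literal `/dev/video2` device path that a local V4L monitor has to carry; together they push the anomaly score to 26, which is what the rule at line 25 of `modsecurity_crs_49_enforcement.conf` acts on. That is why commenting out that one line "fixes" everything: it switches off blocking for the whole server. The narrower fix, based on general ModSecurity 2.x configuration rather than anything in the post, is to exclude only the listed rule ids for the ZoneMinder path, for example with `SecRuleRemoveById` inside an Apache `<Location /zm>` block, and to keep the enforcement rule active for everything else. The first message (960010 flagging `application/x-www-form-urlencoded`) is a separate oddity: that rule compares against the allowed-content-type list the core rule set defines in its own config file, so a hit on a plain form post is, in my reading, a sign that the CRS setup file was not loaded before the rules.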
My last post was long...
Are there any mod_security rules that need to be modified for zoneminder to work properly?
I haven't found anything in the documentation, the forum, or on Google. But I am clearly getting errors from my default Fedora installation settings for apache/mod_security.
Any guidance would be appreciated.