modsec rule triggered but not showing 403

hd-sam

I have an issue where a modsec rule is triggered but it is not sending the user to the 403 page.

It keeps the user on the same page and shows the page as requested.
For example, if I trigger modsec by typing in:


www.yourdomain.com/?<script>alert(1)</script>

The server error log shows:
Code:
2013-09-07 02:43:06.890 [NOTICE] [IPREDACTED:55860-0#APVH_redacteddomain.com] mod_security rule triggered! 
[Sat Sep  7 02:43:06 2013] [error] [client IPREDACTED] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Referer' '!(clientscript/yui/connection/javascript\:false$)']
 [ID: 340003] [Msg: Atomicorp.com WAF Rules: XSS attack in request headers]
2013-09-07 02:43:06.890 [NOTICE] [IPREDACTED:55860-0#APVH_redacteddomain.com] Content len: 0, Request line: 'GET /a/img/?image=520256e32e5f881be1c06.jpg&id=23 HTTP/1.1'
2013-09-07 02:43:06.890 [INFO] [IPREDACTED:55860-0#APVH_redacteddomain.com] Cookie len: 728, __utma=144074919.161903994.1378026335.1378532921.1378539082.5; __utmz=144074919.1378026335.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-10049247-1378026334968; utag_main=_st:1378541590120$ses_id:1378539788616%3Bexp-session; bb_lastvisit=1378245702; bb_lastactivity=0; bb_; bb_thread_lastview=91f3ccb24e1ded483a614104c1e4550e0307485da-1-%7Bi-121862_i-1378523582_%7D; bb_np_notices_displayed=2; __utmc=144074919; PHPSESSID=2236074a8ff1b46f2578fb0b0c91395d; s_sess=%20s_ppv%3D100%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B; bb_cpsession=8a78e2f10a99f87a0b60ca4db4858821; bb_userid=553; bb_password=734fa0d5a0ba61fa3a4e59184f575f44; __utmb=144074919.17.10.1378539082
2013-09-07 02:43:06.892 [NOTICE] [IPREDACTED:55861-0#APVH_redacteddomain.com] mod_security rule triggered! 
[Sat Sep  7 02:43:06 2013] [error] [client IPREDACTED] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Referer' '!(clientscript/yui/connection/javascript\:false$)']
 [ID: 340003] [Msg: Atomicorp.com WAF Rules: XSS attack in request headers]
2013-09-07 02:43:06.892 [NOTICE] [IPREDACTED:55861-0#APVH_redacteddomain.com] Content len: 0, Request line: 'GET /a/img/?image=5228ed033ed49841ab88f.jpg&id=72 HTTP/1.1'
However, the page still renders for the user and it does not say forbidden or send them to the 403 page.

This is a cPanel server with LSWS.
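
Added example, not part of the original post: a small Python parser that pairs each "Access denied" entry in an error log like the one above with the "Request line" logged after it, so you can see which request a rule hit actually applied to. The function names are made up for this example, and the sample input is the post's own excerpt with the cookie line left out.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Log excerpt as posted above (cookie line omitted). The second entry is left
# fused onto the [Msg: ...] field, the way the forum rendered it.
SAMPLE_LOG = r"""2013-09-07 02:43:06.890 [NOTICE] [IPREDACTED:55860-0#APVH_redacteddomain.com] mod_security rule triggered!
[Sat Sep  7 02:43:06 2013] [error] [client IPREDACTED] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Referer' '!(clientscript/yui/connection/javascript\:false$)']
 [ID: 340003] [Msg: Atomicorp.com WAF Rules: XSS attack in request headers]
2013-09-07 02:43:06.890 [NOTICE] [IPREDACTED:55860-0#APVH_redacteddomain.com] Content len: 0, Request line: 'GET /a/img/?image=520256e32e5f881be1c06.jpg&id=23 HTTP/1.1'
2013-09-07 02:43:06.892 [NOTICE] [IPREDACTED:55861-0#APVH_redacteddomain.com] mod_security rule triggered!
[Sat Sep  7 02:43:06 2013] [error] [client IPREDACTED] ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Referer' '!(clientscript/yui/connection/javascript\:false$)']
 [ID: 340003] [Msg: Atomicorp.com WAF Rules: XSS attack in request headers]2013-09-07 02:43:06.892 [NOTICE] [IPREDACTED:55861-0#APVH_redacteddomain.com] Content len: 0, Request line: 'GET /a/img/?image=5228ed033ed49841ab88f.jpg&id=72 HTTP/1.1'
"""

# One denial = the "Access denied" record plus the next "Request line".
# The tempered dot stops the match from running into a later denial when a
# record has no request line of its own.
DENIAL = re.compile(
    r"ModSecurity: Access denied with code (?P<status>\d+), "
    r"\[Rule: '(?P<variable>[^']*)' '(?P<pattern>[^']*)'\]\s*"
    r"\[ID: (?P<rule_id>\d+)\]\s*\[Msg: (?P<msg>[^\]]*)\]"
    r"(?:(?!Access denied).)*?"
    r"Request line: '(?P<method>\S+) (?P<target>\S+) [^']*'",
    re.S,
)

def parse_denials(log_text):
    """Return one dict per denial, paired with the request line logged after it."""
    hits = []
    for m in DENIAL.finditer(log_text):
        hit = m.groupdict()
        hit["status"] = int(hit["status"])
        hit["path"] = urlsplit(hit["target"]).path  # drop the query string
        hits.append(hit)
    return hits

def denied_paths(log_text):
    """Count denials per (rule id, inspected variable, request path)."""
    return Counter((h["rule_id"], h["variable"], h["path"])
                   for h in parse_denials(log_text))

if __name__ == "__main__":
    for (rule_id, variable, path), n in denied_paths(SAMPLE_LOG).items():
        print(f"rule {rule_id} on {variable}: {n} denied request(s) for {path}")
```

On the excerpt above, both denials pair with GET requests under /a/img/, and the inspected variable is the Referer header of those requests.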