Problems with ModSecurity
I've recently started getting problems when using DataTables on sites protected by ModSecurity. In particular I have found that ModSecurity rules 981245, 981257, 981246 and 981243 can get triggered. Whitelisting these rules allows DataTables to work again. I should say now that I am using an old version of DataTables (1.8.3dev) and extensions. I intend to upgrade to the latest version but before I do so I wonder whether the problems are circumvented in the latest version?
An example of the problems I am seeing is that I get the following ModSecurity log entry:
Rule 981257
Description:
Access denied with redirection to http://www.test_site.com/ using status 302 (phase 2).
Justification:
Pattern match "(?i:(?:,.*?[)\\da-f\"'`][\"'`](?:[\"'`].*?[\"'`]|\\Z|[^\"'`]+))|(?:\\Wselect.+\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\s*?\\(\\s*?space\\s*?\\())" at REQUEST_COOKIES:SpryMedia_DataTables_users_table_edit_users.php.
The cookie in question looks like this:
SpryMedia_DataTables_users_table_edit_users.php=%7B%22iCreate%22%3A1425198415552%2C%22iStart%22%3A0%2C%22iEnd%22%3A0%2C%22iLength%22%3A25%2C%22sFilter%22%3A%22%22%2C%22sFilterEsc%22%3Atrue%2C%22aaSorting%22%3A%5B%20%5B0%2C%22asc%22%5D%5D%2C%22aaSearchCols%22%3A%5B%20%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%5D%2C%22abVisCols%22%3A%5B%20true%2Ctrue%2Ctrue%2Ctrue%5D%7D
My guess is that the 'create' in the cookie is causing the problem. I don't know whether these are new ModSecurity rules that have just been introduced. I've been using this version of DataTables in this way for the last three years and only come up against this problem in the last few weeks.
Campbell
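Added example (not ModSecurity's, the CRS project's, or the poster's code): the pattern quoted in the 981257 log entry, replayed against the cookie value from the post so you can see which alternative of the regex actually fires, rather than guessing from the keywords. Two translations from the PCRE original are needed in JavaScript: the enclosing (?i: ... ) scope becomes the i flag, and \Z becomes $ (no m flag, so it only matches at end of input). It assumes the rule URL-decodes the cookie value before matching (CRS's t:urlDecodeUni transformation); the rule body itself is not on the page, only the pattern. The sample JSON strings at the end are constructed for the demonstration.

```javascript
// CRS 981257 pattern as printed in the ModSecurity log, with the log's
// doubled backslashes and escaped quotes undone. (?i: ...) -> /i, \Z -> $.
var RULE_981257 = /(?:,.*?[)\da-f"'`]["'`](?:["'`].*?["'`]|$|[^"'`]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\()/i;

// The same three alternatives split out, so we can report which one fired.
var BRANCHES = [
  { name: 'comma, then [)0-9a-f or quote] followed by a quote',
    re: /,.*?[)\da-f"'`]["'`](?:["'`].*?["'`]|$|[^"'`]+)/i },
  { name: 'select ... from',
    re: /\Wselect.+\W*?from/i },
  { name: 'keyword followed by space(',
    re: /(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\(/i }
];

// Cookie value copied from the post, percent-encoded as the browser sends it.
var COOKIE_VALUE =
  '%7B%22iCreate%22%3A1425198415552%2C%22iStart%22%3A0%2C%22iEnd%22%3A0%2C' +
  '%22iLength%22%3A25%2C%22sFilter%22%3A%22%22%2C%22sFilterEsc%22%3Atrue%2C' +
  '%22aaSorting%22%3A%5B%20%5B0%2C%22asc%22%5D%5D%2C%22aaSearchCols%22%3A' +
  '%5B%20%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C%5B%22%22%2Ctrue%5D%2C' +
  '%5B%22%22%2Ctrue%5D%5D%2C%22abVisCols%22%3A%5B%20true%2Ctrue%2Ctrue%2Ctrue%5D%7D';

// Assumption: the rule sees the cookie after URL decoding (t:urlDecodeUni).
function decodeCookie(raw) {
  return decodeURIComponent(raw);
}

// True when the full 981257 pattern matches anywhere in the text.
function triggers(text) {
  return RULE_981257.test(text);
}

// The exact substring the full pattern matches first, or null.
function firstHit(text) {
  var m = RULE_981257.exec(text);
  return m ? m[0] : null;
}

// Names of the alternatives that match on their own.
function matchingBranches(text) {
  return BRANCHES
    .filter(function (b) { return b.re.test(text); })
    .map(function (b) { return b.name; });
}

// Stand-alone run: prints what the WAF saw and why it matched.
function report(raw) {
  var text = decodeCookie(raw);
  return {
    decoded: text,
    triggers: triggers(text),
    hit: firstHit(text),
    branches: matchingBranches(text),
    // Constructed probes: the match hinges on a hex-digit letter (here 'd'
    // in "iEnd", 'b' in "b") sitting right before a closing quote after a
    // comma, not on the word "create".
    withoutCreate: triggers(text.replace('"iCreate":1425198415552,', '')),
    keyEndsInHexLetter: triggers('{"a":1,"b":0}'),
    keyEndsInOtherLetter: triggers('{"x":1,"y":0}')
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(report(COOKIE_VALUE), null, 2));
}
```

Run with node and compare the hit to the cookie: the first alternative is a heuristic for a quoted value terminated by a hex digit or quote, which any JSON object whose key ends in a-f after a comma satisfies, so it keeps firing even with iCreate removed, and the raw percent-encoded value does not match at all because the commas are encoded. If the rule has to stay enabled for the rest of the site, a narrower fix than whitelisting the whole rule is to exclude only this cookie from it, which in ModSecurity 2.x is done with a target update such as SecRuleUpdateTargetById 981257 "!REQUEST_COOKIES:/^SpryMedia_DataTables_/" (assumed syntax for 2.x; check your version's documentation).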
Replies
What version of CRS are you using? I found this discussion about false positives which might be of some interest.
Also, you might want to consider updating to DataTables 1.10 which uses localStorage for state saving information rather than cookies - so this problem would just disappear with that update :-)
Allan
Many thanks for the response. Yes, I'm in the process of upgrading to 1.10 and have noticed that the cookie isn't generated, so presumably the problem will go away. I haven't been able to reproduce the problem yet myself, but it has been reported on a couple of sites and I'll ask them to re-test once I've completed the upgrade.
As a matter of interest, what do you do if the browser doesn't support localStorage? Do you fall back to cookies? In practice I think it's not going to be a problem as I see that localStorage has been supported pretty well for a while now.
Thanks too for the link about CRS. I'll pass that on to the affected sites.
Campbell
No - in this case state saving just doesn't work. You could provide a custom state save / load handler that would fallback, but I didn't want to keep about 4KiB of code to support state saving in IE6-7 in the core. Indeed the next major version is going to drop explicit support for IE6-7 completely (if it works, great, if not... :-) ).
Allan
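Added example of the custom save/load handler Allan mentions above (this is not DataTables' code and not the poster's): a state store that prefers window.localStorage and falls back to document.cookie only when localStorage is missing or unusable. The option names stateSaveCallback(settings, data) and stateLoadCallback(settings) are DataTables 1.10's; the key prefix, the use of settings.sInstance plus the page path as the key, the cookie size cut-off, and the fakeBrowser helper that lets it run outside a browser are this example's own assumptions and constructed inputs.

```javascript
var STATE_PREFIX = 'DataTables_';   // assumption: prefix chosen for this example
var COOKIE_MAX_CHARS = 4000;        // assumption: stay under the ~4 KiB per-cookie limit

// Feature detection. Merely checking for the property is not enough: some
// browsers expose localStorage but throw on setItem (e.g. private browsing).
function localStorageAvailable(win) {
  try {
    var ls = win.localStorage;
    if (!ls) return false;
    var probe = '__dt_state_probe__';
    ls.setItem(probe, '1');
    ls.removeItem(probe);
    return true;
  } catch (e) {
    return false;
  }
}

// Cookie names are tokens; keep them to [A-Za-z0-9_].
function safeKey(key) {
  return key.replace(/[^A-Za-z0-9_]/g, '_');
}

function readCookie(doc, name) {
  var parts = (doc.cookie || '').split('; ');
  for (var i = 0; i < parts.length; i++) {
    var eq = parts[i].indexOf('=');
    if (eq > 0 && parts[i].slice(0, eq) === name) {
      return decodeURIComponent(parts[i].slice(eq + 1));
    }
  }
  return null;
}

// A cookie rides on every request to the site, so this JSON is exactly what a
// WAF such as ModSecurity inspects; localStorage state never leaves the browser.
function writeCookie(doc, name, value, maxAgeSeconds) {
  doc.cookie = name + '=' + encodeURIComponent(value) +
    '; path=/; max-age=' + maxAgeSeconds + '; SameSite=Lax';
}

function makeStateStore(win, doc) {
  var useLocal = localStorageAvailable(win);
  return {
    backend: useLocal ? 'localStorage' : 'cookie',
    save: function (key, data) {
      var json = JSON.stringify(data);
      key = safeKey(key);
      if (useLocal) { win.localStorage.setItem(key, json); return; }
      if (json.length > COOKIE_MAX_CHARS) return;   // drop state rather than truncate it
      writeCookie(doc, key, json, 7200);
    },
    load: function (key) {
      key = safeKey(key);
      var json = useLocal ? win.localStorage.getItem(key) : readCookie(doc, key);
      if (json === null) return null;
      // Stored state is untrusted input: anything on the origin can write it,
      // so a parse failure falls back to DataTables' defaults instead of throwing.
      try { return JSON.parse(json); } catch (e) { return null; }
    }
  };
}

// DataTables 1.10 callbacks built on the store. Assumption: settings.sInstance
// is the table's id; pathname scopes the key to the page.
function dataTablesStateCallbacks(store, pathname) {
  return {
    stateSaveCallback: function (settings, data) {
      store.save(STATE_PREFIX + settings.sInstance + '_' + pathname, data);
    },
    stateLoadCallback: function (settings) {
      return store.load(STATE_PREFIX + settings.sInstance + '_' + pathname);
    }
  };
}

// Constructed stand-ins for window and document so the example runs in node.
function fakeBrowser(withLocalStorage) {
  var jar = {};
  var doc = {};
  Object.defineProperty(doc, 'cookie', {
    get: function () {
      return Object.keys(jar).map(function (k) { return k + '=' + jar[k]; }).join('; ');
    },
    set: function (str) {
      var nv = str.split(';')[0], eq = nv.indexOf('=');
      jar[nv.slice(0, eq)] = nv.slice(eq + 1);
    }
  });
  var win = {};
  if (withLocalStorage) {
    var mem = {};
    win.localStorage = {
      setItem: function (k, v) { mem[k] = String(v); },
      getItem: function (k) { return Object.prototype.hasOwnProperty.call(mem, k) ? mem[k] : null; },
      removeItem: function (k) { delete mem[k]; }
    };
  }
  return { win: win, doc: doc };
}

// Save then reload a small state through whichever backend is available.
function demo(withLocalStorage) {
  var b = fakeBrowser(withLocalStorage);
  var store = makeStateStore(b.win, b.doc);
  var cb = dataTablesStateCallbacks(store, '/users_table_edit_users.php');
  var settings = { sInstance: 'users_table' };
  cb.stateSaveCallback(settings, { start: 0, length: 25, order: [[0, 'asc']] });
  return { backend: store.backend, state: cb.stateLoadCallback(settings), cookie: b.doc.cookie };
}
```

In a page you would pass the real objects: $('#users_table').DataTable($.extend({ stateSave: true }, dataTablesStateCallbacks(makeStateStore(window, document), location.pathname))). Note that the fallback reintroduces exactly the situation from the original post: once the state is in a cookie it is sent with every request and inspected by the WAF, so a site that keeps ModSecurity's SQLi rules and also wants cookie fallback still needs the targeted exclusion for that cookie name.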
OK, that's fine. No problem.
Thanks again for all your help.
Campbell