ITSagar

Reputation: 703

modsecurity preventing Codeigniter from saving the google map location URL

On an Apache-based web server, ModSecurity is enabled. Using my Codeigniter code, I am storing the URL of a location from Google Maps. I have created a textbox in which only the URL part of the embed tag is required; the iframe tag is not required because it is hard-coded in the view.

Thus, I am trying to save the Google Maps location URL in a MySQL database through Codeigniter code. The issue is that if ModSecurity is enabled on the server, I get the following error:

Forbidden

You don't have permission to access /UpdateContact on this server.

But if I disable ModSecurity and then try to submit the URL again, it works fine.

Please tell me how to solve this issue while keeping ModSecurity enabled on my web server.

UPDATE

modsec_audit.log says:

Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" at ARGS:gmap. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] .... Google Map Embed url ... [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s Action: Intercepted (phase 2)

A simple solution is to remove rule number 981260 by its ID, but this will make the server prone to SQL injection attacks.

Is there any way out?

UPDATE: Issues are increasing as I use it more.

"The BIPAP or Bi-level Positive Airway Pressure machine is a non-invasive machine that is used for people who are diagnosed with having sleep apnea where it helps them attain more air into their lungs while sleeping." and ModSecurity again blocks it, saying: "[id "981256"] [msg "Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections"] [data "Matched Data: having s found within ARGS:"

[id "959072"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: and 2 found within ARGS:product_metadesc: A drip stand typically is having a rolling base and 2 to 4 hooks in it to hold the bags or bottles of fluids."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

[id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: 't want to use western commode) \xe2\x80\xa2 Lid option \xe2\x80\xa2 Sturdy ( found within ARGS:descr: Toilet Converter helps in reducing the cost of installing a western commode and also saves time. It can be used anywhere on any Indian toilet. Features: \xe2\x80\xa2 Foldable (Provides convenience to other family members who don't want to use western commode) \xe2\x80\xa2 Lid option \xe2\x80\xa2 Sturdy (Additional support at the bottom to prevent falling) \xe2\x80\xa2 Rustproof (powder co..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"]

[id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: length ( found within ARGS:descr: Mackintosh sheet is a waterproof sheet made up of rubber. It provides an effective way to protect the mattress from water and other liquids while lying on a bed. It is used in hospital and home settings for the patients/ elders who are confined to bed due to any reason.\x0d\x0aFeatures:\x0d\x0a- Made up of soft rubber\x0d\x0a- Latex-free\x0d\x0a- Thin\x0d\x0a- Breathable\x0d\x0a- Washable \x0d\x0a- Available in roll length (1 meter)\x0d\x0a"] [severity "CRITICAL"]

[id "981317"] [rev "2"] [msg "SQL SELECT Statement Anomaly Detection Alert"] [data "Matched Data: Upgrade-Insecure-Requests found within TX:sqli_select_statement_count: 3"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Pattern match "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:\bexecute(\s{1,5}[\w\.$]{1,5}\s{0,3})?\()|\bhaving\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|(?i:\bcreate\s+?table.{0,20}?\()|(?i:\blike\W*?char\W*?\()|(?i:(?:(select(.* ..." at ARGS:fpara. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "130"] [id "959070"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: from a stroke, Parkinson\xe2\x80\x99s disease or multiple sclerosis (MS).\x0d\x0aBones, Joints and Soft Tissues: This includes conditions such as back pain, shoulder pain, neck pain, and sports injuries.\x0d\x0aLungs and Breathing: This includes chronic obstructive pulmonary disease (COPD) and cystic fibrosis.\x0d\x0aHeart and Circulation: This includes rehabilitation after a heart attack.\x0d\x0a\x0d\x0aTo help you cope with the discomfort, we offer you physiotherapy treatments that are ai..."] [s

Pattern match "(?i:(?:[\s()]case\s*?\()|(?:\)\s*?like\s*?\()|(?:having\s*?[^\s]+\s*?[^\w\s])|(?:if\s?\([\d\w]\s*?[=<>~]))" at ARGS:desc. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "217"] [id "981241"] [msg "Detects conditional SQL injection attempts"] [data "Matched Data: having fractures, found within ARGS:desc: Super Doc Health Care has a wide range of walking aids, for the patients having fractures, paralysis, knee replacement, hip replacement."] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

I have checked the user input; it's just a normal paragraph written in English about a product. This is really bad. How do I get rid of it?

Upvotes: 1

Views: 948

Answers (1)

Barry Pollard

Reputation: 45885

A simple solution is to remove rule number 981260 by its ID, but this will make the server prone to SQL injection attacks.

This is not true. ModSecurity works by writing some generic rules that attempt to address attacks. There are many false positives with WAFs like ModSecurity, and they must be tuned to work specifically for your site. Yes, running all the alerts will make your site the most secure, but it will also break most sites, and even then a WAF is not an absolute guarantee of security anyway. You should not be afraid to tune your rules.

In this case you have a text box that takes a URL (which may well have encoded parameters), and the rule is designed to stop URL-encoded arguments as they might be a sign of an attack. However, we know it is expected here, and so this is not a sign of an attack. Therefore you should turn this rule off for this input. If you look at the rule definition, it already ignores certain arguments that are well known to include URLs like yours and for which its checks are going to fail (like __utm and _pk_ref), so it's perfectly acceptable (and expected!) to tune this.

You need to add the following config after the config file with rule 981260 is loaded (as SecRuleUpdateTargetById updates a previously defined rule, so the rule it's updating must be defined by the time it is read):

SecRuleUpdateTargetById 981260 !ARGS:'gmap'

This will turn off this rule for this argument only, and allow this rule to continue to protect other arguments.

To be honest though, I don't find that rule that useful, because you get a lot of false positives for a lot of arguments, so I often turn it off completely using SecRuleRemoveById 981260. Does this mean the site is slightly less protected? Yes, but you should weigh up whether this protection is worth the hassle in supporting it and/or removing the fields and features from your site to allow you to run this rule. Security is about balance and not absolutes.

BTW, the latest version of the OWASP CRS (v3) has worked on reducing the number of false positives, though it looks like this rule (which has been renumbered to 942450 in v3) is basically unchanged: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf so it won't help this particular case, but you should consider upgrading.

Upvotes: 1
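The answer's tuning advice applies to every rule in the question's updates, not just 981260, and the audit log already names the argument each rule tripped on. The script below is an added example, not code from the question, the answer or the CRS project: it parses "Message:" lines of the kind quoted above, groups hits by rule id and argument name, and emits the two narrowest ModSecurity 2.x exclusions, a global SecRuleUpdateTargetById per (rule, argument) pair and a per-URI SecRule that uses ctl:ruleRemoveTargetById. The sample log is constructed from the question's own rule ids and argument names; the [uri "..."] fields in it, the exclusion rule ids starting at 10001 and the default URI are assumptions.

```python
"""Turn ModSecurity 2.x / CRS 2.2.x audit-log 'Message:' lines into per-argument
rule exclusions. Added example, not code from the question, the answer or the
OWASP CRS. Hits without an ARGS target (anomaly-score / TX rules) are reported
for manual review instead of being excluded."""
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the question. Rule ids and
# argument names are the ones from the post; the [uri "..."] fields are an
# assumption added so that the per-URI variant has something to group on.
SAMPLE_LOG = r'''
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" at ARGS:gmap. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [uri "/UpdateContact"]
Message: Warning. Pattern match "..." at ARGS:product_metadesc. [id "959072"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: and 2 found within ARGS:product_metadesc: A drip stand typically is having a rolling base and 2 to 4 hooks"] [uri "/UpdateProduct"]
Message: Warning. Pattern match "..." at ARGS:descr. [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: 't want ( found within ARGS:descr: Toilet Converter"] [uri "/UpdateProduct"]
Message: Warning. Pattern match "..." at ARGS:descr. [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: length ( found within ARGS:descr: Mackintosh sheet"] [uri "/UpdateProduct"]
Message: Warning. Operator GE matched 3 at TX:sqli_select_statement_count. [id "981317"] [rev "2"] [msg "SQL SELECT Statement Anomaly Detection Alert"] [uri "/UpdateProduct"]
'''

ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
# Both "at ARGS:gmap." and "found within ARGS:descr:" name the offending argument.
ARG_RE = re.compile(r'(?:\bat|within) ARGS:([\w\-\[\]]+)')


def parse_messages(text):
    """One dict per 'Message:' line: id, msg, arg (None when no ARGS target), uri."""
    hits = []
    for line in text.splitlines():
        if not line.startswith('Message:'):
            continue
        rid = ID_RE.search(line)
        if not rid:
            continue
        msg, arg, uri = MSG_RE.search(line), ARG_RE.search(line), URI_RE.search(line)
        hits.append({
            'id': rid.group(1),
            'msg': msg.group(1) if msg else '',
            'arg': arg.group(1) if arg else None,
            'uri': uri.group(1) if uri else None,
        })
    return hits


def global_exclusions(hits):
    """SecRuleUpdateTargetById lines: rule X never inspects ARGS:name on any URI.
    These must be loaded after the CRS file that defines rule X."""
    pairs = sorted({(h['id'], h['arg']) for h in hits if h['arg']})
    return ['SecRuleUpdateTargetById %s "!ARGS:%s"' % (rid, arg) for rid, arg in pairs]


def per_uri_exclusions(hits, default_uri='/', start_id=10001):
    """One phase-1 SecRule per URI that strips only the (rule, argument) pairs
    seen there. phase:1 so it runs before the CRS phase-2 rules. The ids from
    start_id upward are an assumption; they must not collide with other rules."""
    by_uri = defaultdict(set)
    for h in hits:
        if h['arg']:
            by_uri[h['uri'] or default_uri].add((h['id'], h['arg']))
    rules = []
    for n, uri in enumerate(sorted(by_uri)):
        ctls = ','.join('ctl:ruleRemoveTargetById=%s;ARGS:%s' % p for p in sorted(by_uri[uri]))
        rules.append('SecRule REQUEST_URI "@beginsWith %s" "id:%d,phase:1,pass,nolog,t:none,%s"'
                     % (uri, start_id + n, ctls))
    return rules


def needs_review(hits):
    """Hits with no ARGS target cannot be scoped to an argument. 981317 here is an
    anomaly counter that usually stops firing once the real false positive is
    excluded, so it is listed for review rather than silently removed."""
    return sorted({(h['id'], h['msg']) for h in hits if not h['arg']})


if __name__ == '__main__':
    hits = parse_messages(SAMPLE_LOG)
    print('# global exclusions (load after the CRS rules)')
    print('\n'.join(global_exclusions(hits)))
    print('\n# per-URI exclusions (narrower; phase 1)')
    print('\n'.join(per_uri_exclusions(hits)))
    print('\n# no ARGS target, review by hand')
    for rid, msg in needs_review(hits):
        print('# %s %s' % (rid, msg))
```

Run it against a real modsec_audit.log and paste the generated lines into a config file that Apache includes after the CRS rules (for the SecRuleUpdateTargetById variant) or anywhere before them (for the ctl variant, which is evaluated at request time in phase 1). The per-URI form is the one to prefer on a shared codebase: it leaves 981260 fully active on every endpoint except the one that legitimately receives a Google Maps URL. With CRS v3 the same directives work unchanged; only the rule ids differ (981260 became 942450, as the answer notes), and Python's regexes here do not depend on the version.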
