Reputation: 56
I've built a PHP registration system that I've been using for a number of years.
Recently, someone was trying to register and their billing address contained the word "Northwind". This gets flagged by ModSecurity in cPanel and rejected immediately.
In the past I've addressed ModSecurity issues by encoding and decoding my larger textareas; however, it seems like a pain to do this for every field.
Does anyone have any suggestions for these outlier cases that get flagged by ModSecurity? Short of just disabling ModSecurity, which I'm not going to do.
Upvotes: 0
Views: 117
Reputation: 6193
I assume this rule blocked that request. You don't need to turn off the whole engine. I do not know cPanel (and its ModSecurity GUI/access), but if you can make any exceptions, try to add this one:
```
SecRule REQUEST_FILENAME "@streq /your/app/registration/uri.php" \
    "id:1110,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942140;ARGS:username_on_your_form"
```
You can add this exclusion into the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. If it does not exist, just create it, and set the engine to use that. Restart your web server, and try to register with that name.
A few notes for this rule:
- /your/app/registration/uri.php is the URI where the client sends the registering request; be sure that you type it correctly
- in the ctl action, username_on_your_form is the field that the form contains; replace it with the correct value

This rule makes an exclusion: if the URI matches, rule 942140 will not check the form field username_on_your_form.
Upvotes: 1
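Before adding the exclusion it is worth confirming from the log which rule and which form field actually matched, since the answer only assumes rule 942140. The following is an added example, not code from the question or the answer: it reads ModSecurity v2 lines from an Apache error log and renders a URI-scoped exclusion in the same shape as the rule above. The log lines, the field name billing_address and the path /register.php are constructed; the exclusion id 1110 is the one used in the answer.

```python
import re

# Constructed sample of ModSecurity v2 lines from an Apache error log
# (client address, field name and path are made up for this example).
SAMPLE_LOG = """\
[Tue Mar 05 10:12:44 2024] [:error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "<regex elided>" at ARGS:billing_address. [id "942140"] [data "Matched Data: northwind found within ARGS:billing_address: 12 Northwind Way"] [uri "/register.php"]
[Tue Mar 05 10:13:02 2024] [:error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "<regex elided>" at ARGS:billing_address. [id "942140"] [data "Matched Data: northwind found within ARGS:billing_address: 12 Northwind Way"] [uri "/register.php"]
[Tue Mar 05 10:13:02 2024] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [uri "/register.php"]
"""

SAFE_TARGET = r"ARGS:[\w.\-]+"
TARGET_RE = re.compile(r" at (" + SAFE_TARGET + r")\. \[", re.ASCII)
FIELD_RE = re.compile(r'\[(id|uri) "([^"]*)"\]')
SAFE_URI_RE = re.compile(r"/[\w./\-]*", re.ASCII)


def find_flagged_fields(log_text):
    """Return sorted unique (uri, rule_id, target) for rules that matched a form field."""
    hits = set()
    for line in log_text.splitlines():
        target = TARGET_RE.search(line)
        fields = dict(FIELD_RE.findall(line))
        # Lines whose match target is not a form argument (for example the
        # anomaly-score blocking rule) are skipped: they are not what to exclude.
        if "ModSecurity:" in line and target and {"id", "uri"} <= fields.keys():
            hits.add((fields["uri"], fields["id"], target.group(1)))
    return sorted(hits)


def build_exclusion(uri, rule_id, target, exclusion_id):
    """Render an exclusion limited to one URI, one rule id and one form field."""
    # Log content is influenced by the client, so only plain characters may
    # reach the generated configuration.
    if not (SAFE_URI_RE.fullmatch(uri)
            and re.fullmatch(r"[0-9]+", rule_id)
            and re.fullmatch(SAFE_TARGET, target, re.ASCII)):
        raise ValueError("unsafe value in log entry, write this exclusion by hand")
    return (
        f'SecRule REQUEST_FILENAME "@streq {uri}" \\\n'
        f'    "id:{int(exclusion_id)},\\\n'
        "    phase:1,\\\n    pass,\\\n    nolog,\\\n"
        f'    ctl:ruleRemoveTargetById={rule_id};{target}"'
    )


if __name__ == "__main__":
    for n, hit in enumerate(find_flagged_fields(SAMPLE_LOG)):
        print(build_exclusion(*hit, exclusion_id=1110 + n))
```

Review each generated rule before loading it: the exclusion should stay limited to the one field and the one rule that produced the false positive.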