Support

Home Forums Event Espresso Premium Apache ModSecurity: Access denied on booking form submission

Apache ModSecurity: Access denied on booking form submission

Posted: October 31, 2014 at 8:28 pm

Viewing 6 reply threads


River Satya

October 31, 2014 at 8:28 pm

It appears that our hosting company just changed their apache security rules, and now EE4 is violating one of them:

[Fri Oct 31 15:33:16 2014] [error] [client 49.183.57.53] ModSecurity: Access denied with code 418 (phase 2). Matched phrase “message” at ARGS:tkt-slctr-event-660. [file “/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf”] [line “253”] [id “1990070”] [hostname “www.dancingground.org”] [uri “/events/dancing-ground-festival-gembrook-2015/”] [unique_id “VFQOK9BxxAkAAFnTqL0AAAAB”]

The line in question in 99_dreamhost_rules.conf is:
#Web Shell Command Blocking
SecRule ARGS “@pm urlencode curl_init preg_ wget GLOBALS base64_decode passwd ,amo! WQGP from message” “t:base64decode,log,deny,id:1990070”

I’m not familiar with the format of this file. I’m assuming at this point that their rule is sane and that they won’t want to change it (as it presumably patches a vulnerability).

Any advice on how we can avoid this? It’s made our live booking form unusable.

Thanks!


Tony

  • Support Staff

November 1, 2014 at 7:52 am

I looks like Bluehost are blocking base64 encoded urls.

We encode our urls for various reasons, one of which is security. There are valid reasons for not allowing base64decode however there is also valid reasons to encode the urls (and therefore need to decode)

I would recommend contacting Bluehost and asking them to exclude your site from this rule.


River Satya

November 7, 2014 at 7:44 pm

Hi Tony,

I managed to get it working by disabling this rule in the .htaccess file. This seems less than ideal though, as I can see valid security reasons for wanting to prevent this.

Can you please explain why ee4 uses base64 encoding of the URLs. I can’t see any way in which this makes things more secure (or even more convenient).

Thanks!

River


Lorenzo Orlando Caum

  • Support Staff

November 7, 2014 at 7:55 pm

Hi River,

We have followed up with our lead developer on this and it was also done for optimization.

The ticket selector pulls a lot of details from the database for events, datetimes, tickets, etc and generates objects out of all of those things. That’s a fair amount of processing and time. All of those objects get used on the next request when the chosen Ticket Selector option gets translated to an item added to the cart.

Base64 allows this information to be available for decoding instead of be continuously queried against the database.

Thanks!


Lorenzo


River Satya

November 7, 2014 at 8:00 pm

Okay, thanks for the explanation! It may be worth thinking about whether there are better ways to achieve this, assuming that dreamhost is not the only hosting company that are clamping down on base64 encoding in urls. Perhaps switching to a post request would do? Thanks for the support.


Lorenzo Orlando Caum

  • Support Staff

November 7, 2014 at 8:05 pm

Hi River, yes we are aware of that concern. The development team is evaluating options for handling this efficiently in another way.


Lorenzo


River Satya

November 7, 2014 at 8:08 pm

Ok great, thanks for letting me know :).

Viewing 6 reply threads

The support post ‘Apache ModSecurity: Access denied on booking form submission’ is closed to new replies.

Have a question about this support post? Create a new support post in our support forums and include a link to this existing support post so we can help you.

Event Espresso