
White file location missing?

Posted: Tue Jul 23, 2013 3:10 pm
by cerriex
Hi All,

I need to add an exception associated with a rule id but cannot find the whitelist file people describe on other posts.

I have tried all the usual search methods.

Can anyone assist?

--

My Issue: WHMCS Submit Support Ticket produces 500 error.

$ tail -f /var/log/httpd/ssl_error_log
[Tue Jul 23 18:20:20 2013] [error] [client x.x.x.x] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "39"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "www.domain.com"] [uri "/supporttickets.php"] [unique_id "Ue7JZE1KwwUAABVnInUAAAAF"]

Solution???:

Add an exception associated with this id.

Edit "/etc/apache2/modsecurity/conf/whitelist.conf" and add:

<LocationMatch "/supporttickets.php">
SecRuleRemoveById 200003
</LocationMatch>

Problem: I cannot locate whitelist.conf or anything like it.

My OS - CentOS 6.4

Thanks!

Re: White file location missing?

Posted: Wed Jul 24, 2013 7:18 am
by prupert
On CentOS 6 the Apache configuration files can be found at:
- /etc/httpd/conf/httpd.conf - main configuration file
- /etc/httpd/conf.d/ - folder with separate configuration files for extra installed software
- perhaps other locations that are included specifically for your setup (depending on the use of a control panel or other management software)

The preferred way to disable this rule is to place it inside the VirtualHost-container for the specific domain you are having trouble with. Where this configuration is located depends on your setup. If you are not using a control panel and you are not using Virtual Hosts at all, you could create your own /etc/httpd/conf.d/my_disabled_secrules file (the name is just an example) and place the SecRuleRemoveById lines there.

I doubt however that this event is actually a false positive. An explanation can be found at https://www.atomicorp.com/wiki/index.php/WAF_330792 which concerns a similar rule that is part of the Atomic Secured Linux mod_security configuration.
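
An added example, not part of either post: a Python script that pulls the [key "value"] fields out of ModSecurity error-log entries like the one quoted in the first post, reports which configuration file defines the rule that fired, and renders the exclusion with the URI escaped and anchored. The function names are assumptions made for this example, and the sample input is the quoted log line plus one constructed line.

```python
import re
from collections import defaultdict

# Sample input: the first line is the log entry quoted in the thread; the
# second is a constructed non-ModSecurity line to show it is skipped.
SAMPLE_LOG = r'''[Tue Jul 23 18:20:20 2013] [error] [client x.x.x.x] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "39"] [id "200003"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "www.domain.com"] [uri "/supporttickets.php"] [unique_id "Ue7JZE1KwwUAABVnInUAAAAF"]
[Tue Jul 23 18:21:02 2013] [error] [client x.x.x.x] File does not exist: /var/www/html/favicon.ico
'''

# ModSecurity appends metadata as [key "value"] pairs after its message.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_line(line):
    """Return the [key "value"] fields of a ModSecurity entry, else None."""
    marker = line.find("ModSecurity:")
    if marker == -1:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line[marker:]):
        fields.setdefault(key, value)  # keep the first occurrence of a key
    return fields

def summarize(log_text):
    """Map (rule id, file defining the rule) -> sorted list of blocked URIs."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_modsec_line(line)
        if fields and "id" in fields:
            key = (fields["id"], fields.get("file", "unknown"))
            hits[key].add(fields.get("uri", ""))
    return {key: sorted(uris) for key, uris in hits.items()}

def scoped_exclusion(rule_id, uri):
    """Render the thread's exclusion with the URI escaped and anchored."""
    if not rule_id.isdigit():
        raise ValueError("rule id must be numeric: %r" % rule_id)
    # LocationMatch takes a regex: unescaped and unanchored, the path would
    # also match longer URLs that merely contain it.
    pattern = "^" + re.sub(r'([.^$*+?()\[\]{}|\\])', r'\\\1', uri) + "$"
    return ('<LocationMatch "%s">\n    SecRuleRemoveById %s\n</LocationMatch>'
            % (pattern, rule_id))

if __name__ == "__main__":
    for (rule_id, rule_file), uris in summarize(SAMPLE_LOG).items():
        print("rule %s is defined in %s" % (rule_id, rule_file))
        for uri in uris:
            print(scoped_exclusion(rule_id, uri))
```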