About a week ago, one of our clients was seeing an Internal Server Error when he was trying to upload an image with a quote through the media manager. That was weird, we thought… So, we changed error reporting to maximum and we still saw the same, ambiguous, Internal Server Error – clearly something that was application-independent and consequently server-related was causing this problem. So we thought there was only one way to know what the error was: we needed to check Apache’s error logs.
Since our client was using WHM, the Apache error log file was called error_log and was located under the /usr/local/apache/logs directory. So we browsed to that directory and opened the error_log file, only to see the following error:
[Tue Sep 17 09:17:26 2013] [error] [client The Joomla website's IP] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 1, IP 0, IH 0, FL 0"] [hostname "The Joomla website's base URL"] [uri "/administrator/index.php"] [unique_id "UjhWZkPj8rEAAEzeW@8AAABA"]
Aha! It was ModSecurity that was causing this problem – so all we needed to do was to disable ModSecurity, but we didn’t want to disable it for everyone, just for our client’s IP. So, we opened up the .htaccess file located under the root directory of the website, and we added the following line to the top of the file:
SetEnvIfNoCase REMOTE_ADDR ^173\.199\.145\.150$ MODSEC_ENABLE=Off
Note: The above assumes that the IP you want to disable ModSecurity for is 173.199.145.150).
And that solved the problem – our client was able to upload files that have quotes anywhere. What’s interesting is that the above didn’t compromise any security on the server, because ModSecurity is only disabled for one IP, and not for all IPs.
Now for a quick FAQ on the above fix:
- Is the above a guaranteed fix?
No – it’s not. On a shared hosting environment it might be that your host has disabled this feature (where you can disable ModSecurity in .htaccess).
-
I am using a dedicated server, but the above is not working for me!
Double check that your IP is correct in the line above. You can check how the server sees your IP by creating a small PHP file (under the root directory of your website) called whatismyip.php with the following code:
<?php echo($_SERVER['REMOTE_ADDR']); ?>
Visiting that file will tell you what your IP is, from the server’s perspective. Note: By no means we are implying that each server sees your IP differently, but, if you are behind a proxy, or if you are on the same network of your server, then your IP might be seen differently by your server.
-
What if I want to disable ModSecurity for a whole network?
This can be done by simply adding the following line to your .htaccess file:
SetEnvIfNoCase REMOTE_ADDR ^10\.192\.* MODSEC_ENABLE=OffNote that we are assuming in the line above that the block of IPs that you want to disable ModSecurity for starts with 10.192.
-
I want to disable ModSecurity altogether, are there any security implications?
Yes there are. While some argue that ModSecurity has little use, we believe that it provides an extra level of security on the server. We highly recommend against disabling it – unless, of course, it is causing more harm than good. In that case, you will need to look at alternatives to protect your server.
-
Are there other methods to address problems caused by ModSecurity?
Yes there are – another method for addressing problems related to ModSecurity would be to modify the rule(s) causing the problem(s). Naturally, this won’t be a walk in the park – modifying ModSecurity rules require advanced knowledge with ModSecurity and Apache security. Note that if you play with ModSecurity rules you might cause serious security issues on your website – we recommend you contact some security experts to modify rules for you in case you want to go with this route.
-
What if the above doesn’t work?
If the above line doesn’t work for you (even after checking that you are allowed to disable ModSecurity and that your IP is correct), then we recommend you contact us. We are Joomla security experts and we are confident we can fix your problem. Our fees are reasonable, our work is professional, and we are super friendly! What are you waiting for? Shoot us an email or give us a call!