Mod Security Causing ADMIN-AJAX.PHP 403 Errors

harvey · May 5, 2020, 4:49am

Hi, I started getting 403 errors from admin-ajax.php, and I traced it down to Mod Security. When I disable mod security, the error goes away.

I installed the OWASP rules pack.

Are the any specific rules I need to use to prevent this?

Thanks!

harvey · May 5, 2020, 5:05am

I just noticed that Cyberpanel doesn’t include the OWASP WordPress rules that were added in v3.0 as found here:

github.com

SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default WordPress install.
# The exclusions are only active if crs_exclusions_wordpress=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.
#
# Note that the WordPress comment field itself is currently NOT excluded
# from checking. The reason is that malicious content is regularly being
# posted to WordPress comment forms, and there have been various cases
# of XSS and even RCE vulnerabilities exploited by WordPress comments.

SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
	"id:9002000,\

This file has been truncated. show original

Is there a reason these rules weren’t added? Can I add them manually, or willl you add them in an update?

Thanks!

harvey · May 5, 2020, 4:41pm

Thank you. If I want to add the WordPress rules I linked to above, where should I put the file?

harvey · May 8, 2020, 5:33am

Thanks I’ll try it

opencode · May 16, 2020, 10:00am

@harvey any progress with modsecurity and 403

harvey · May 17, 2020, 3:50am

@opencode Nothing yet, still looking into it. I’ll update here if I make any progress

inside83 · June 29, 2020, 3:13am

@harvey any update?

harvey · July 2, 2020, 9:33pm

@inside83 I tried playing around with it for a while, even enabling the WordPress rules pack, but I was never able to get it to work correctly. Also, I wasn’t really able to understand the logs to see which rules were triggered so I can disable them. For now I turned off ModSec.

TonyM · October 27, 2022, 1:45pm

Solution:

Go to: Cyber Panel → Security → ModSecurity Rules

Then paste this rules:

<locationmatch "/wp-admin/admin-ajax.php">
    SecRuleRemoveById 300013
    SecRuleRemoveById 300015
    SecRuleRemoveById 300016
    SecRuleRemoveById 300017
    SecRuleRemoveById 949110
    SecRuleRemoveById 980130
</locationmatch>

Save! That’s all.