
Error 406 Not Acceptable

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 28 September 2007 - 01:59 PM #1

I have a feeling some of you will soon be seeing this error (especially those hosted on cPanel based servers).

You may not know this, but cPanel is 'finally' compatible with Apache 2 & 2.2 in its 'Current' release tree. Many hosts will be making this upgrade in the coming days/weeks/months to take advantage of better performance/features. Of these hosts upgrading Apache, most also use mod_security, and that will also need to be upgraded to v2+ to be compatible with Apache 2.

This is where there may be a conflict with some CS-Cart (and Joomla) client sites because some default mod_security2 rules seem to block some of what you need to do when managing your site.

The following default rules seem to conflict with some administration tasks and may return the Error 406 'Not Acceptable' message instead of what you were expecting.

# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
	"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"


Below is the message your host will see in their logs when this happens:
Access denied with code 406 (phase 2). Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:lang_data[0][value]. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]

I upgraded one of our cPanel machines to Apache 2.2.6 yesterday and see many of these exact errors on both CS-Cart and Joomla client sites this morning. If you get this 406 error while doing normal administration tasks, you should contact your host and see if they will remove the above rules from their mod_security ruleset.

Most hosts also add many custom rules to mod_security in addition to the default and some of these may also return a similar error.
Secure Cart Hosting
[CS-Cart Optimized Solutions and Server Management]

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 02 October 2007 - 06:40 PM #2

Here is another default mod_security rule that causes problems with the HTML catalog and its images.

This one is worse because, if the host uses CSF/LFD in conjunction with mod_security (common), it will block your visitors from the server just for visiting your catalog pages.


SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"


Log Output

Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:Referer. [id "950006"] [msg "System Command Injection. Matched signature </echo->"] [severity "CRITICAL"]


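The following Python script is an added example, not code from this thread, from CS-Cart or from ModSecurity. It replays the two rules quoted in posts #1 and #2 (950107 and 950006) against a few constructed requests so you can see which variable each rule trips on and why an ordinary admin save or catalog image fetch ends up as a 406. The two regexes are copied verbatim from the posts; the sample hostnames, paths, product names, the variable flattening and the @validateUrlEncoding emulation are this example's own assumptions, and the chain is simplified to test both links on the same variable.

```python
"""Replay the default mod_security 2 rules 950107 and 950006 quoted in this
thread against constructed CS-Cart requests and report what would be denied.

Added illustration, not code from the thread, from CS-Cart or from ModSecurity.
The two regexes are copied verbatim from the posts; the sample requests, the
variable flattening and the @validateUrlEncoding emulation are this example's
own assumptions.  ModSecurity hands rules an already URL-decoded ARGS
collection, so a form field sent on the wire as "50%25" reaches them as "50%".
"""
import re

# 950107, second link of the chain (the first link is @validateUrlEncoding).
ENCODING_RE = re.compile(r"\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# 950006, copied verbatim from the thread.
CMD_INJECTION_RE = re.compile(
    r"""(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))"""
)

HEX = set("0123456789abcdefABCDEF")


def url_encoding_is_invalid(value):
    """Emulate @validateUrlEncoding: True if some '%' is not followed by two hex digits."""
    i = value.find("%")
    while i != -1:
        if len(value) < i + 3 or value[i + 1] not in HEX or value[i + 2] not in HEX:
            return True
        i = value.find("%", i + 3)
    return False


def request_variables(request):
    """Flatten a request into (variable, value) pairs named the ModSecurity way."""
    variables = [("REQUEST_FILENAME", request["filename"])]
    for name, value in request["args"].items():
        variables.append(("ARGS_NAMES:" + name, name))
        variables.append(("ARGS:" + name, value))
    for name, value in request["headers"].items():
        variables.append(("REQUEST_HEADERS:" + name, value))
    return variables


def evaluate_request(request):
    """Return (rule id, variable, matched text) for every rule that would deny.

    Simplification (assumption of this example): both links of the 950107 chain
    are tested on the same variable; the real engine may satisfy the first link
    on a different variable than the second.
    """
    hits = []
    for name, value in request_variables(request):
        # 950107 targets REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS, minus Referer.
        if name != "REQUEST_HEADERS:Referer" and url_encoding_is_invalid(value):
            m = ENCODING_RE.search(value)
            if m:
                hits.append(("950107", name, m.group(0)))
        # 950006 targets ARGS|ARGS_NAMES|REQUEST_HEADERS (Referer included).
        if name != "REQUEST_FILENAME":
            m = CMD_INJECTION_RE.search(value)
            if m:
                hits.append(("950006", name, m.group(0)))
    return hits


# Constructed samples: hostnames, paths and product names are made up.
ADMIN_LANGUAGE_EDIT = {  # admin saves a language string that contains a bare '%'
    "filename": "/admin.php",
    "args": {"dispatch": "languages.update", "lang_data[0][value]": "Save 50% today"},
    "headers": {"Host": "shop.example",
                "Referer": "https://shop.example/admin.php?dispatch=languages.manage"},
}
CATALOG_IMAGE = {  # browser fetches a thumbnail while viewing a product page
    "filename": "/images/thumbnails/100/speaker.jpg",
    "args": {},
    "headers": {"Host": "shop.example",
                "Referer": "http://shop.example/catalog/echo-speaker.html"},
}
CLEAN_BROWSE = {  # ordinary product view: nothing should fire
    "filename": "/index.php",
    "args": {"dispatch": "products.view", "product_id": "42"},
    "headers": {"Host": "shop.example",
                "Referer": "http://shop.example/index.php?dispatch=categories.view&category_id=7"},
}
UNICODE_ESCAPE = {  # %uXXXX: first chain link fires, second does not, so no deny
    "filename": "/index.php",
    "args": {"q": "%u0041"},
    "headers": {"Host": "shop.example"},
}

if __name__ == "__main__":
    for label, request in [("admin language edit", ADMIN_LANGUAGE_EDIT),
                           ("catalog image", CATALOG_IMAGE),
                           ("clean browse", CLEAN_BROWSE),
                           ("%u escape", UNICODE_ESCAPE)]:
        hits = evaluate_request(request) or [("-", "no rule fired", "")]
        for rule_id, variable, matched in hits:
            print(f"{label:20s} id {rule_id:>6s} at {variable}: {matched!r}")
```

The admin save is denied by 950107 on ARGS:lang_data[0][value] because the decoded field contains a '%' with no hex pair behind it, and the thumbnail request is denied by 950006 on REQUEST_HEADERS:Referer because the product URL contains "/echo-", which the third alternative of that regex reads as a shell command; both match the log lines quoted above. Rather than deleting the rule file, a host running ModSecurity 2 can disable just these two IDs with SecRuleRemoveById 950107 950006 in a configuration loaded after the rules, and should check that CSF/LFD is not also counting those 406s toward a ban.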

 
  • roban
  • Senior Member
  • Moderators
  • Join Date: 23-Oct 06
  • 1132 posts

Posted 02 October 2007 - 09:02 PM #3

Thanks Scott. We've already seen some problems with my site hosted on your servers which you were able to overcome in rapid time. The other error was the turning off of https without user input. I would turn it on and it would turn off. You seem to have resolved that issue as well.

I wonder if the developers are aware of these issues. If not, it would be a good idea to give them a heads up.

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 02 October 2007 - 09:26 PM #4

The issue with SSL is a bug in the current cPanel/EA3 release and is expected to be resolved very soon in the next update. At least they have posted a manual workaround to use prior to that which I have applied to your server.

The problems posted above are potentially serious though because these intrusion detection rules are within the default ruleset of mod_security v2+.

Most experienced hosts will create their own ruleset tailored to the specific requirements of their servers. The problem is, those currently making this new upgrade to Apache 2 will have to first learn the newer formatting of the rules in mod_sec2 because the format is quite different from that of mod_sec1. In the meantime they will be using the default set and dealing with some trial and error.