Events calendar triggering false positives with Config Server security in cpanel

  • #1032833
    ironandsteel
    Participant

    Our website is running on a cpanel server which uses ConfigServer Security & Firewall – csf v8.08

    http://spiritual-frontiers.com/

    Some (or maybe all) people who click on a link that will open an event, experience a 403 error. At some point, CSF thinks that a SQL injection attack is happening and blacklists that person’s IP. Here are some of the error log entries including warnings, and then a 403 block. If I whitelist that IP, all is well.

    I wonder if you have seen this kind of thing before?

    [Mon Nov 30 15:45:29 2015] [error] [client 199.90.240.71] ModSecurity: Warning. Pattern match “(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\”]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))” at REQUEST_COOKIES:pdb-wp_session. [file “/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf”] [line “70”] [id “981319”] [rev “2”] [msg “SQL Injection Attack: SQL Operator Detected”] [data “Matched Data: || found within REQUEST_COOKIES:pdb-wp_session: 3e1e9c77fb8917b10c50c58b53937e1f||1448918124||1448917764”] [severity “CRITICAL”] [ver “OWASP_CRS/2.2.8”] [maturity “9”] [accuracy “8”] [tag “OWASP_CRS/WEB_ATTACK/SQL_INJECTION”] [tag “WASCTC/WASC-19”] [tag “OWASP_TOP_10/A1”] [tag “OWASP_AppSensor/CIE1”] [tag “PCI/6.5.2”] [hostname “spiritual-frontiers.com”] [uri “/”] [unique_id “Vly1aRcdPxMAABBwDBwAAAFL”]

    [Mon Nov 30 15:45:29 2015] [error] [client 199.90.240.71] ModSecurity: Warning. Pattern match “([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\”\\\\’\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}” at ARGS:tribe_events. [file “/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf”] [line “159”] [id “981173”] [rev “2”] [msg “Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded”] [data “Matched Data: – found within ARGS:tribe_events: astrological-forecast-for-2016-phillip-young-january-7-2016”] [ver “OWASP_CRS/2.2.8”] [maturity “9”] [accuracy “8”] [tag “OWASP_CRS/WEB_ATTACK/SQL_INJECTION”] [hostname “spiritual-frontiers.com”] [uri “/”] [unique_id “Vly1aRcdPxMAABBwDBwAAAFL”]

    [Mon Nov 30 15:45:29 2015] [error] [client 199.90.240.71] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(.*)” at TX:981319-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-REQUEST_COOKIES:pdb-wp_session. [file “/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf”] [line “26”] [id “981176”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=3, XSS=0): Last Matched Message: Restricted SQL Character Anomaly Detection Alert – Total # of special characters exceeded”] [data “Last Matched Data: ||”] [hostname “spiritual-frontiers.com”] [uri “/”] [unique_id “Vly1aRcdPxMAABBwDBwAAAFL”]
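The three log entries above show the whole chain: rule 981319 matches the `||` separators inside the `pdb-wp_session` cookie, rule 981173 counts the hyphens in the event slug passed as `tribe_events`, and the combined anomaly score of 5 trips the inbound blocking rule 981176 into a 403, which CSF then counts against the visitor's IP. The ModSecurity rule exclusions below are an added example written for this thread, not configuration from the original post or from Modern Tribe; rule ids, cookie name and argument name come from the log lines, while the file placement and the custom rule id are assumptions.

```apacheconf
# Added example: OWASP CRS 2.2.8 / ModSecurity 2.x exclusions for the two
# false positives in the log above. Must be loaded AFTER the CRS rule files
# (for cPanel, the WHM "custom rules" / modsec2.user.conf slot is the usual
# place; assumption), because SecRuleUpdateTargetById modifies rules that
# already exist.

# 981319 "SQL Operator Detected" fires on "||" in the Participants Database
# session cookie, whose value has the form <hex>||<timestamp>||<timestamp>.
# Remove only that cookie from the rule's targets; other cookies stay inspected.
SecRuleUpdateTargetById 981319 !REQUEST_COOKIES:pdb-wp_session

# 981173 "Restricted SQL Character Anomaly Detection" counts the hyphens in
# ?tribe_events=astrological-forecast-for-2016-...  (a plain event slug).
# Remove only that query argument from the special-character count.
SecRuleUpdateTargetById 981173 !ARGS:tribe_events

# Narrower alternative (commented out): apply the same two exclusions only
# for this virtual host, from a phase-1 rule that runs before the CRS.
# The rule id 1000001 is an assumed value in the local/private id range.
# <IfModule mod_security2.c>
#   SecRule SERVER_NAME "@streq spiritual-frontiers.com" \
#     "id:1000001,phase:1,pass,nolog,\
#      ctl:ruleRemoveTargetById=981319;REQUEST_COOKIES:pdb-wp_session,\
#      ctl:ruleRemoveTargetById=981173;ARGS:tribe_events"
# </IfModule>
```

After an Apache reload these requests no longer reach the anomaly threshold, so ModSecurity stops returning 403 for them and CSF's login-failure daemon has nothing to count against the visitor's IP; every other CRS check on the site still applies unchanged.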

    #1032888
    George
    Participant

    Hey @ironandsteel,

    This is bizarre behavior and I have not seen this behavior at all before. I would recommend the following steps:

    1. Share your “system information”.

    To help us investigate possible reasons for this, can you start by sharing your “System Information” with us? Here’s how to do that → https://theeventscalendar.com/knowledgebase/sharing-sys-info/

    2. Confirm permalinks settings.

    Once you share that, can you then specify what your site’s “Permalinks” settings are? These settings are visible on a page in your wp-admin that literally resides at Settings > Permalinks in the wp-admin sidebar menu – e.g., are your site’s permalinks settings /%postname%/?

    3. Issue history

    Finally, for now, can you share when this issue started happening? Have you just installed The Events Calendar for the first time and found this problem? Have you had The Events Calendar installed for a long time and then this suddenly started happening out of nowhere? Any information you can provide on the history of how this used to not happen up to now when it is happening can be helpful!

    Thank you!
    George

    #1036099
    ironandsteel
    Participant

    URL
    http://spiritual-frontiers.com
    INSTALL KEYS
    events-calendar-pro = (I removed this for this public post)
    tribe-wootickets = (I removed this for this public post)
    WORDPRESS VERSION
    4.3.1
    PHP VERSION
    5.4.37
    PLUGINS
    amr shortcode any widget version 2.9 by anmari(http://webdesign.anmari.com)
    Cartpauj Register Captcha version 1.0.01 by Cartpauj(http://cartpauj.icomnow.com/)
    Compact Audio Player version 1.9.3 by Tips and Tricks HQ(https://www.tipsandtricks-hq.com/)
    Convert Address to Google Maps Link version 1.0 by Toby Cryns(http://www.themightymo.com)
    Debug Bar Console version 0.3 by koopersmith(http://darylkoop.com/)
    Debug Bar version 0.8.2 by wordpressdotorg(http://wordpress.org/)
    Debug Info version 1.3.5 by Scott DeLuzio(https://surpriseazwebservices.com)
    Easy Contact Forms version 1.4.9 by ChampionForms.com(http://championforms.com)
    Email Obfuscate Shortcode version 2.0 by khromov(http://khromov.wordpress.com)
    Event Rocket version 2.5 by Barry Hughes(http://codingkills.me)
    Events Calendar Event Organizer Email version 1.0.1 by Theunis Cilliers(https://github.com/thebeard)
    The Events Calendar PRO version 3.12 by Modern Tribe, Inc.(http://m.tri.be/20)
    Hupso Share Buttons for Twitter, Facebook & Google+ version 4.0.3 by kasal
    jQuery Updater version 2.1.4 by Ramoonus(http://www.ramoonus.nl/)
    Login Widget With Shortcode version 5.1.5 by avimegladon(http://avifoujdar.wordpress.com/)
    Nav Menu Roles version 1.7.3 by Kathy Darling(http://www.kathyisawesome.com)
    Nice Login Widget version 1.3.10 by SuperPlugin Team(http://superplug.in/team/)
    Obfuscate E-mail version 3.4 by Scott Reilly(http://coffee2code.com/)
    Participants Database version 1.6.2.5 by Roland Barker(http://xnau.com)
    PayPal Donations version 1.9.0 by Tips and Tricks HQ, Johan Steen(https://www.tipsandtricks-hq.com/)
    Q2W3 Fixed Widget version 4.0.6 by Max Bond(http://www.q2w3.ru/)
    Quick Page/Post Redirect Plugin version 5.1.5 by Don Fischer(http://www.fischercreativemedia.com/)
    Shortcode Exec PHP version 1.52 by Marcel Bokhorst(http://blog.bokhorst.biz/about/)
    Include HTML and PHP version 1.0 by Keithics(http://keithics.com)
    WP SVG Icons version 3.1.8.3 by EH Dev Shop(http://evan-herman.com)
    Swiftype Search version 1.1.47 by Swiftype, Inc.(http://swiftype.com)
    TablePress Extension: DataTables Sorting plugins version 1.0 by Tobias Bäthge(http://tobias.baethge.com/)
    TablePress version 1.6.1 by Tobias Bäthge(https://tobias.baethge.com/)
    The Events Calendar version 4.0 by Modern Tribe, Inc.(http://m.tri.be/1x)
    Ultimate Tables version 1.6.3 by extendyourweb.com(http://www.extendyourweb.com)
    UpdraftPlus – Backup/Restore version 2.11.18.0 by UpdraftPlus.Com, DavidAnderson(https://updraftplus.com)
    Use Google Libraries version 1.6.2.1 by Jason Penney(http://jasonpenney.net/)
    Viper’s Video Quicktags version 6.5.2 by Viper007Bond(http://www.viper007bond.com/)
    Widget Builder version 1.6.2 by Timothy Wood, Jonathan Brinley, Modern Tribe, Inc.(http://tri.be)
    WooCommerce Grid / List toggle version 1.0.0 by jameskoster(http://jameskoster.co.uk)
    WooCommerce Menu Cart version 2.5.7 by Jeremiah Prummer, Ewout Fernhout(http://www.wpovernight.com/)
    WooCommerce My Account Widget version 0.5.0 by Bart Pluijms(http://www.geev.nl/)
    WooCommerce Product Buyers version 0.1 by Lynn Kasdorf(http://barncattech.info)
    WooCommerce version 2.4.10 by WooThemes(http://woothemes.com)
    Woot Library version 1.3 by Barry Hughes(http://codingkills.me)
    The Events Calendar: WooCommerce Tickets version 3.12 by Modern Tribe, Inc.(http://m.tri.be/28)
    WP-Backgrounds Lite version 2.3 by InoPlugs(http://inoplugs.com)
    WP Config File Editor version 1.5.2 by AHMeD SAiD(http://xptrdev.com)
    WP External Links version 1.80 by Victor Villaverde Laan(http://www.freelancephp.net)
    WP Google Analytics version 1.4.1 by Aaron D. Campbell(http://ran.ge/)
    WP Help version 1.4.1 by Mark Jaquith(http://coveredwebservices.com/)
    NETWORK PLUGINS

    MU PLUGINS

    THEME
    Responsive Child 01
    MULTISITE

    SETTINGS
    recurring_events_are_hidden = exposed
    tribeEventsTemplate = full-width-page.php
    tribeEventsBeforeHTML =
    tribeEventsAfterHTML =


    previous_ecp_versions = Array
    (
    [0] => 0
    [1] => 3.1
    [2] => 3.2
    [3] => 3.3.1
    [4] => 3.4.1
    [5] => 3.6.1
    [6] => 3.9.1
    [7] => 3.12.1
    [8] => 3.12.3
    [9] => 3.12.6
    )
    latest_ecp_version = 4.0
    welcome_notice = 1
    donate-link =
    postsPerPage = 10
    liveFiltersUpdate =
    showComments =
    showEventsInMainLoop =
    eventsSlug = events
    singleEventSlug = event
    multiDayCutoff = 00:00
    defaultCurrencySymbol = $
    embedGoogleMaps = 1
    embedGoogleMapsZoom = 10
    debugEvents =
    stylesheetOption = tribe
    tribeEnableViews = Array
    (
    [0] => list
    [1] => month
    [2] => week
    [3] => day
    [4] => map
    [5] => photo
    )
    viewOption = list
    tribeDisableTribeBar = 1
    monthEventAmount = 6
    disable_metabox_custom_fields = show
    hideLocationSearch = 1
    hideRelatedEvents = 1
    defaultValueReplace =
    defaultCountry =
    custom-fields = Array
    (
    [0] => Array
    (
    [name] => _ecp_custom_1
    [label] => Admission
    [type] => text
    [values] =>
    )
    )

    hideSubsequentRecurrencesDefault =
    userToggleSubsequentRecurrences =
    geoloc_default_geofence = 35
    geoloc_default_unit = miles
    pro-schema-version = 3.12
    eventsDefaultOrganizerID = 0
    eventsDefaultVenueID = 1949
    eventsDefaultAddress =
    eventsDefaultCity =
    eventsDefaultState =
    eventsDefaultProvince =
    eventsDefaultZip =
    eventsDefaultPhone =
    tribeEventsCountries =
    last-update-message = 3.12.3
    recurrenceMaxMonthsBefore = 24
    recurrenceMaxMonthsAfter = 24
    reverseCurrencyPosition =
    earliest_date = 2011-01-06 19:15:00
    latest_date = 2016-02-04 21:30:00
    dateWithYearFormat = F j, Y
    dateWithoutYearFormat = F j
    monthAndYearFormat = F Y
    weekDayFormat = D jS
    dateTimeSeparator = @
    timeRangeSeparator = –
    datepickerFormat = 0
    schema-version = 4.0
    WORDPRESS TIMEZONE
    America/New_York
    SERVER TIMEZONE
    UTC
    COMMON LIBRARY DIR
    /home/spirit44/public_html/wp-content/plugins/the-events-calendar/common/src/Tribe
    COMMON LIBRARY VERSION
    3.12a1

    #1036100
    ironandsteel
    Participant

    Permalinks setting is default:
    Default http://spiritual-frontiers.com/?p=123

    The problems showed as soon as we ported the site over to its current location. The server is a standard cpanel system and is running ModSecurity. There are several other wordpress sites that are running fine, but this one has consistently had problems with triggering 403 errors and the commonality appears to be usage of the events calendar.

    I am also pursuing relaxing the rules for this site, but I’m not sure that I’ll be able to do this.

    Thanks for looking into this.

    #1036978
    George
    Participant

    Thanks for all of this information!

    There are a few things worth going through here.

    1: Inconsistent Plugin Versions

    One thing I noticed from your System Information is that you’re using mismatched versions of Tribe software. For example, The Events Calendar is at version 4.0 but Events Calendar Pro is at version 3.12.

    I am not saying that this itself is responsible for the problems you’re seeing, but mismatched versions definitely won’t help anything either.

    And so before doing anything else here, I would recommend that you update Events Calendar Pro to version 4.0, and that you delete WooCommerce Tickets and use our new ticketing plugins in its place. Namely, Event Tickets and Event Tickets Plus, which since you’ve purchased WooCommerce Tickets in the past you automatically have a valid license for 🙂

    Don’t be alarmed at the sound of this; the new plugins are very, very similar to the original WooCommerce Tickets plugin, but with more features. This article describes how to move from WooCommerce Tickets to Event Tickets Plus in more detail → https://theeventscalendar.com/knowledgebase/moving-to-event-tickets-plus/
    Once all of your Modern Tribe software is humming along at version 4.0 across the board, I would recommend setting your permalinks to something like /%postname%/ – save the permalinks settings and have another look at the security warnings and such here, and see if anything improves.
    If the above steps do not help, then unfortunately your next best step would be to contact your web host about these warnings and see if they have any more insight and why these notices are arising…

    Thank you for your patience with this issue!

    Sincerely,
    George

    #1040561
    ironandsteel
    Participant

    Ok- I have installed events cal pro 4.01, and installed Event Tickets and Event Tickets Pro.

    I’ll be watching the logs closely for more 403 errors and see if anything changes.

    This server hosts several other WordPress sites with no problems, but this is the only one running The Events Calendar, and the 403 errors I see happen when somebody clicks on an event to view it.

    Thanks

    #1040856
    George
    Participant

    Sounds good, keep us posted on things!

    Also, I’m curious – have you changed your “Permalinks” settings to something like /%postname%/ ?

    You do not have to do this right now – but if 403 errors persist, I would recommend trying out this change, and then as mentioned above if this does not help, proceed with contacting your web host.

    Thank you!
    George

    #1040858
    ironandsteel
    Participant

    I don’t think I can safely change the permalinks setting because we use links to events in an archive list, and I can’t break those links. Changing permalinks would change the url of all existing events, right?

    #1041115
    George
    Participant

    Yes, it would change the permalinks – no worries if you cannot risk this at this time. In this case though, the next best step I can recommend would be to contact your web host.

    — George

    #1076210
    Support Droid
    Keymaster

    This topic has not been active for quite some time and will now be closed.

    If you still need assistance please simply open a new topic (linking to this one if necessary)
    and one of the team will be only too happy to help.
