HTML5 Video Player Causes ModSecurity block in Apache

10 Sep 2015 19:13:17 Dave Smith posted:
Hi DMX,
Interesting one for you. We tried to use the HTML5 Video Player earlier for some marketing material and it caused an alert/block in ModSecurity using the OWASP rule set and a permanent block ban via the CSF firewall running on cPanel WHM.

Please see below (have changed some details (IP and Host) for privacy reasons).

Time: Thu Sep 10 19:17:02 2015 +0100
IP: 12.34.56.78(Some.Host)
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

[Thu Sep 10 19:16:44.847946 2015] [:error] [pid 28393] [client 12.34.56.78] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i?:,.*?[)\\\\da-f\\"'`][\\"'`](?:[\\"'`].*?[\\"'`]|\\\\Z|[^\\"'`]+))|(?:\\\\Wselect.+\\\\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\\\s*?\\\\(\\\\s*?space\\\\s*?\\\\())" at REQUEST_COOKIESrojekktor_controlbar. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "82"] [id "981257"] [rev "2"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: ,\\x22volume\\x22:0.5} found within REQUEST_COOKIESrojekktor_controlbar: {\\x22muted\\x22:false,\\x22volume\\x22:0.5}"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-mutli"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "some.domain"] [uri "/StandAlone/Media/Intro.mp4"] [unique_id "VfHJDFjQzBcAAG7p4OYAAAAI"]
...


Any idea what is going on?

Your help is very appreciated.

Thank you.

Replies

11 Sep 2015 07:12:13 Teodor Kuduschiev replied:
Hello Dave,
Seems like your mod security settings are matching the volume config settings of the video player, as a security risk. The volume settings of the player are stored in a cookie and the value is: "\\x22volume\\x22:0.5" -> which in no way is dangerous.
Please contact your server admins about this, they should be able to fix this issue.
The video player is based on an open source/public library so there is nothing that can be changed there.
11 Sep 2015 11:29:31 Dave Smith replied:
Hi Teodor,
In this circumstance I am the server administrator and don't really want to interfere with the rule set in ModSecurity as they do a great job as one of the layers within my security policy for this server. Unfortunately I shall have to seek an alternative to the HTML5 Video Player. Will try and contact the library developers and ascertain their knowledge of this issue.

Thanks for your time once again.
20 Mar 2024 08:43:42 Sherron Mira replied:
Review the ModSecurity rules that are triggering the word hurdle blocks and determine if any of them are overly restrictive or causing false positives.
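
Added example (not part of the thread, and not code from the player or from ModSecurity): a Python sketch that re-types the logged pattern of rule 981257 to show why the JSON cookie value matched, then builds a `SecRuleUpdateTargetById` exclusion limited to that one cookie on that one rule. The cookie name `player_controlbar`, the client address and the file path in the sample line are placeholders, and the damaged opening of the logged pattern is assumed to read `(?i:(?:`.

```python
import re

# Pattern of CRS rule 981257, re-typed from the "Pattern match" in the log above
# with the log's doubled backslashes undone. Assumption: the damaged opening
# "(?i?:" is read as "(?i:(?:". Python's \Z is stricter than PCRE's (no match
# before a trailing newline); that makes no difference for this value.
RULE_981257 = re.compile(
    r"""(?i:(?:,.*?[)\da-f"'`]["'`](?:["'`].*?["'`]|\Z|[^"'`]+))"""
    r"""|(?:\Wselect.+\W*?from)"""
    r"""|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)"""
    r"""\s*?\(\s*?space\s*?\())"""
)

def matched_data(value):
    """Return the substring the rule matches in value, or None."""
    m = RULE_981257.search(value)
    return m.group(0) if m else None

def parse_entry(line):
    """Pull rule id, msg, URI and matched variable out of a ModSecurity error-log line."""
    fields = dict(re.findall(r'\[(id|uri|msg) "([^"]*)"\]', line))
    target = re.search(r" at (\S+?)\. \[file ", line)
    fields["target"] = target.group(1) if target else None
    return fields

def scoped_exclusion(entry):
    """Exclude only the matched variable from only the rule that fired."""
    return 'SecRuleUpdateTargetById {} "!{}"'.format(entry["id"], entry["target"])

# Constructed sample: shortened log line with a placeholder cookie name.
SAMPLE = ('[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). '
          'Pattern match "..." at REQUEST_COOKIES:player_controlbar. '
          '[file "/path/to/rules.conf"] [line "82"] [id "981257"] '
          '[msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] '
          '[uri "/StandAlone/Media/Intro.mp4"]')

if __name__ == "__main__":
    cookie = '{"muted":false,"volume":0.5}'   # cookie value from the log above
    # "volume" ends in "e", a hex digit, directly before a quote. That satisfies
    # [)\da-f"'`]["'`] after the comma, so ordinary JSON looks like an injection.
    print(matched_data(cookie))
    print(matched_data('{"muted":false,"level":0.5}'))  # key ends in "l": no match
    print(scoped_exclusion(parse_entry(SAMPLE)))
```

The generated directive has to be loaded after the CRS file that defines the rule, with the cookie name taken from your own log entry. Every other rule still inspects that cookie, and rule 981257 still inspects every other request variable.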
