[Mailman-Users] Mod_Security

tlhackque tlhackque at yahoo.com
Thu Aug 2 12:58:40 EDT 2018


On 08/01/2018 09:43 AM, Bernie Cosell wrote:

> And I tried my program on the Bluehost version and I was greeted with 
>
> Not Acceptable!</title></head><body><h1>Not 
> Acceptable!</h1><p>An appropriate representation of the requested 
> resource could not be found on this server. This error was generated by 
> Mod_Security.<

mod_security is an Apache webserver module that has a complex ruleset
used to examine every request and response.  It attempts to detect and
prevent malicious activity.   Doc on https://www.modsecurity.org.

It is not uncommon for form submissions to run afoul of mod_security
rules.  Typically, there are cases where data is encoded in ways that
appear to be hiding something - e.g. %-encoding urls or POST data
where it's not necessary, excessively long URLs or large POSTs - and
so on.  There's a pretty large list.  Most are regexes applied at
various stages of request processing; some are based on things like
request size.  Some are rules that assume a pretty dumb web service;
where you know that Mailman can cope with constructs/sizes/encodings,
you're expected to disable those rules on the URLs that it serves.

There will be logs on the server that specify exactly what rule was
tripped, its id, and the suspect input.

Then there are three courses of action possible:
 o The rule can be disabled by ID in the webserver config, for the specific
   mailman POST URL (or globally, but that's not smart).  It's also possible
   to completely disable mod_security for a URL or vhost - but that's also
   not advisable.
 o Mailman can be changed to not require input that trips the rule.
 o Your client can be changed not to generate input that trips the rule.

You will need help from someone with admin privs to at least share the logs,
if not make adjustments to the mod_security configuration.  Like any
protective filter, it takes some thought and analysis to make the right
changes.  That is, the change that allows what you want, but doesn't open
an unintended attack surface.

In my experience, these issues are never caused by just one rule - if an
application trips one, waiving or fixing it will only get you to the next
one.  It can take a while to get to a workable ruleset.  It is generally
worth the trouble, as mod_security is effective at protecting against
quite a few exploits.  It does take a while to learn how it works and how
to teach it how to stay out of your way.

There are two things likely to be changed on the server end:
The webserver config file that will include directives to disable
specific rules on particular URLs.  And possibly a set of customized
rule overrides for Mailman.  (These can go in separate files that
are dropped in the rules directory.)

Once that's done, sharing the result with the MM community would save
others a lot of repeat effort.

Good hunting.
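As an added illustration of the "disable the rule by ID for the specific Mailman URL, not globally" approach described in the reply above (example config, not from the original post or from the Mailman project): an Apache fragment that could live in the vhost config or in a separate file dropped into the rules directory. The path `/mailman/`, the parameter name `description`, and the rule ID `999999` are assumptions; the real ID comes from the server's mod_security audit log.

```apache
# Added example, not part of the original post.
# Scope the exception to Mailman's form-handling URLs only; the
# engine stays on for everything else on the vhost.
# 999999 is a placeholder: substitute the rule ID the audit log
# reports as tripped.
<LocationMatch "^/mailman/(admin|subscribe|options)">
    SecRuleEngine On
    SecRuleRemoveById 999999
</LocationMatch>

# Narrower alternative: keep the rule active but stop it inspecting
# one known free-text field (assumed here to be Mailman's
# "description" argument) under the admin pages only.
<LocationMatch "^/mailman/admin/">
    SecRuleUpdateTargetById 999999 "!ARGS:description"
</LocationMatch>
```

After reloading Apache, resubmit the same form and re-check the audit log, since the next rule in the chain may now fire.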


