keat Posted April 25, 2017

I updated from 6.0.1 to 6.1.7 last night. Whilst the site appears to be working OK this morning, I'm unable to open up 'Statistics', resulting in a 500 error.

Apache logs would suggest that this is triggering multiple OWASP mod sec rules.

[Tue Apr 25 08:28:11.360741 2017] [:error] [pid 544:tid 140648707495680] [client xx.xx.xx.xxx] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/RESPONSE-80-CORRELATION.conf"] [line "37"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The Application Returned a 500-Level Status Code"] [tag "event-correlation"] [hostname "www.domain.com"] [uri "/admin.php"] [unique_id "WP76ihbjaLjsO1b4SPZQxgAAAIs"]

[Tue Apr 25 08:28:11.360853 2017] [:error] [pid 544:tid 140648707495680] [client xx.xx.xx.xxx] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "39"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4): The Application Returned a 500-Level Status Code"] [tag "event-correlation"] [hostname "www.domain.com"] [uri "/admin.php"] [unique_id "WP76ihbjaLjsO1b4SPZQxgAAAIs"]

[Tue Apr 25 08:36:10.948880 2017] [:error] [pid 4635:tid 140648676026112] [client xx.xx.xx.xxx] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/RESPONSE-50-DATA-LEAKAGES.conf"] [line "14"] [id "970901"] [rev "3"] [msg "The Application Returned a 500-Level Status Code"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"] [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-information disclosure"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "www.domain.com"] [uri "/admin.php"] [unique_id "WP78ak2Y4tFUNFVw@JEwkgAAAI4"]

[Tue Apr 25 08:41:57.745488 2017] [:error] [pid 5079:tid 140648749455104] [client xx.xx.xx.xxx] ModSecurity: Geo Lookup: Failed to lock proc mutex: Identifier removed [hostname "www.domain.com"] [uri "/admin.php"] [unique_id "WP79xRWqDyps6QnNHaJCjwAAAUc"]

As I seem to be chasing one mod sec failure after the other, I disabled all mod sec rules, but even then I'm still unable to open up 'Statistics'. Only this time, rather than a 500 error, now I just get a blank screen, so I enabled ini-custom.inc.php to start to capture error logs, but now 'Statistics' is working. Typically, no errors are generated.

I enable the mod sec rules and I can still gain access to 'Statistics'.

Thinking it must have been a blip, I disable ini-custom.inc.php and all of a sudden, Statistics stops working again.

Subsequent renaming of ini-custom.inc.inc.php enables or disables statistics every time.

Any ideas?
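Added example (not part of the thread and not code from any project mentioned in it): a small Python triage script for error-log lines in the format quoted above. It groups entries by `unique_id` and labels each one by the variable the rule matched, which separates rules that reacted to the application's response from ModSecurity engine faults that carry no rule id. The sample lines are constructed from the post's entries with placeholder client, hostname and `unique_id` values, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post: rule ids, files and messages
# are the ones shown there; client, hostname and unique_id values are placeholders.
SAMPLE_LOG = r'''
[Tue Apr 25 08:28:11.360741 2017] [:error] [pid 544:tid 1] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/RESPONSE-80-CORRELATION.conf"] [line "37"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The Application Returned a 500-Level Status Code"] [uri "/admin.php"] [unique_id "REQ-A"]
[Tue Apr 25 08:28:11.360853 2017] [:error] [pid 544:tid 1] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "39"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 4): The Application Returned a 500-Level Status Code"] [uri "/admin.php"] [unique_id "REQ-A"]
[Tue Apr 25 08:36:10.948880 2017] [:error] [pid 4635:tid 2] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/RESPONSE-50-DATA-LEAKAGES.conf"] [line "14"] [id "970901"] [msg "The Application Returned a 500-Level Status Code"] [uri "/admin.php"] [unique_id "REQ-B"]
[Tue Apr 25 08:41:57.745488 2017] [:error] [pid 5079:tid 3] [client 192.0.2.10] ModSecurity: Geo Lookup: Failed to lock proc mutex: Identifier removed [hostname "www.example.test"] [uri "/admin.php"] [unique_id "REQ-C"]
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
TARGET_RE = re.compile(r' at ([A-Z_]+(?::\w+)?)\.')        # variable the operator matched
OUTBOUND_TARGETS = ("RESPONSE_STATUS", "TX:outbound_anomaly_score")

def parse_entry(line):
    """Return a dict for one ModSecurity error-log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = defaultdict(list)
    for key, value in FIELD_RE.findall(line):
        fields[key].append(value)
    # The matched variable sits in the free text before the first [file "..."] field.
    target = TARGET_RE.search(line.split("[file ", 1)[0])
    return {
        "id": fields["id"][0] if fields["id"] else None,
        "msg": fields["msg"][0] if fields["msg"] else None,
        "unique_id": fields["unique_id"][0] if fields["unique_id"] else None,
        "blocked": "Access denied" in line,
        "target": target.group(1) if target else None,
    }

def triage(log_text):
    """Group entries per request (unique_id) and label what each entry reacted to."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["id"] is None:
            entry["kind"] = "engine-error"    # no rule id: ModSecurity itself logged a fault
        elif entry["target"] in OUTBOUND_TARGETS:
            entry["kind"] = "response-side"   # rule inspected the application's reply
        else:
            entry["kind"] = "request-side"    # rule inspected the incoming request
        by_request[entry["unique_id"]].append(entry)
    return dict(by_request)
```

Entries labelled `response-side` mean the rule matched on what the application sent back, so the status code they report was produced before ModSecurity acted on that request.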
foz1234 Posted April 25, 2017

Hi Keat, not really helpful to your problem, but just to let you know my Statistics is working as expected either with or without ini-custom.inc.php.

I expect you have tried this, but have you cleaned shop cache?

In admin dashboard advanced I have noticed I don't get any PHP info up, just a blank screen. Nothing to do with your issue, but I just noticed it was empty.
keat (Author) Posted April 25, 2017

I cleared the cache many times last night as part of the update, and again this morning.

I've just delved inside ini-custom.inc.php and notice that it has the following entries.

ini_set('memory_limit', '256M');
ini_set('max_execution_time', '60');

Maybe one of these two entries is overriding something and allowing more memory or resources for something to run?

Could this be related to the following entry in ini.inc.php?

6.0.10 has an entry 'ini_set('memory_limit', '128M'); // Increase Memory Limit'
6.1.7 has nothing