J!Extensions Store™
TOPIC: Re:format-Parsererror: 200- SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSO
#3296
John Dagelmore
Admin
Posts: 3716
Hi David,

Below is the tech answer given by the hosting provider of my other customer experiencing your same issue.

Hope this will be helpful.

John

QUOTE:
This issue is caused by a combination of Apache Mod Ruid2 with Mod Security rules that use file-backed collections. This happens because Mod Ruid2 causes Mod Security to access /var/cpanel/secdatadir as the account which owns that domain, instead of as the "nobody" user.

We currently have an internal case open on this, FB-160281.

There are a couple of possible work-arounds for this issue:

1) Disable Mod Ruid2 via EasyApache.

OR

2) Disable the specific OWASP ModSecurity rules which use the "ip" collection. The specific ModSecurity rules on your server which use the "ip" collection can be found by searching for any rules that use "setvar:ip", "deprecatevar:ip", or "expirevar:ip" key words.

You can either choose to disable the entire rule-sets which contain more rules than just the ones that are causing the error via WHM >> Home >> Security Center >> ModSecurity Vendors >> Manage Vendors > Edit the OWASP vendor > disable the above config files, OR:

You could disable the specific rule ID numbers which use the "ip" collection via WHM >> Home >> Security Center >> ModSecurity Tools >> Rules List
 
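The search the hosting provider describes in workaround 2, as an added example (not part of the provider's answer or of any cPanel tooling): it lists the rule IDs whose actions touch the "ip" collection so they can be disabled individually. The sample rules and their IDs are constructed; the optional quote and `!` in the pattern and the chain handling are assumptions beyond the three literal keywords.

```python
import re

# Keywords from the provider's answer; the optional ' and ! (quoted or
# "unset" forms) are an assumption beyond the three literal strings.
IP_ACTION = re.compile(r"\b(setvar|deprecatevar|expirevar):'?!?ip\.", re.I)
RULE_ID = re.compile(r"\bid:'?(\d+)")
CHAIN = re.compile(r"[\"',\s]chain[\"',\s]")

# Constructed sample rules (hypothetical IDs), not taken from any rule set.
SAMPLE = r'''
SecRule REQUEST_HEADERS:User-Agent "@rx scanner" \
    "id:900001,phase:1,pass,nolog,setvar:ip.suspicious=1,expirevar:ip.suspicious=300"
SecRule ARGS "@rx select" "id:900002,phase:2,block,msg:'no collection use'"
SecRule IP:SUSPICIOUS "@eq 1" "id:900003,phase:2,pass,chain"
    SecRule REQUEST_URI "@beginsWith /login" "deprecatevar:ip.suspicious=1/60"
'''

def directives(text):
    """Yield one string per directive, joining backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield buf + line
            buf = ""

def rules_using_ip_collection(text):
    """Map rule id -> sorted ip-collection actions used by that rule."""
    found, chain_id = {}, None
    for d in directives(text):
        if not re.match(r"Sec(Rule|Action)\b", d):
            continue
        m = RULE_ID.search(d)
        # A chained rule has no id of its own: attribute it to the chain starter.
        rule_id = m.group(1) if m else chain_id
        actions = {a.lower() for a in IP_ACTION.findall(d)}
        if actions and rule_id:
            found.setdefault(rule_id, set()).update(actions)
        chain_id = rule_id if CHAIN.search(d) else None
    return {rid: sorted(acts) for rid, acts in found.items()}

if __name__ == "__main__":
    # On a server, pass the contents of each rule file instead of SAMPLE.
    for rid, acts in rules_using_ip_collection(SAMPLE).items():
        print(rid, ", ".join(acts))
```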
#3335
David
Fresh Boarder
Posts: 17
Hi John,
Found this question on the ModSecurity forum - note that I did not find an answer!

With reference to the question below, note emoticons on page 3 of this thread. I hope it is of some use?

............................

I've got a problem with modsecurity, modsecurity-crs and a little
nasty unicode-symbol, the "MASCULINE ORDINAL INDICATOR" or in short: º

http://codepoints.net/U+00BA?lang=en

This nasty symbol causes multiple sql-injection rules:

Message: Pattern match
"(?i?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((?
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "209"] [id "981257"] [msg "Detects MySQL
comment-/space-obfuscated injections and backtick termination"] [data
"Matched Data: , n\xc2\xba 1, 1\xc2\xba - 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Message: Pattern match
"(?i?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "223"] [id "981245"] [msg "Detects basic SQL authentication
bypass attempts 2/3"] [data "Matched Data: \xc2\xba 1, 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Message: Pattern match
"(?i?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(??or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor
..." at ARGS:address[street]. [file
"/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "245"] [id "981243"] [msg "Detects classic SQL injection
probings 2/2"] [data "Matched Data: \xc2\xba 1 found within
ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1,
1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

I've configured

SecUnicodeCodePage 20127
SecUnicodeMapFile /etc/modsecurity/unicode.mapping

and the rules are using t:urlDecodeUni but there are still these
audit-events. I have no clue why, could someone help me with this?
 
#3336
David
Fresh Boarder
Posts: 17
Unfortunately the copy of the message I just sent is converting some parts into emoticons!
 
#3338
David
Fresh Boarder
Posts: 17
Hi John,

The rule that was being triggered by ModSecurity was #981257 (Detects MySQL comment-/space-obfuscated injections and backtick termination)

To try and get past this, I disabled #981257 and now get blocked by rule #981245....

Detects basic SQL authentication bypass attempts 2/3

Request:
GET /administrator/index.php?option=com_jmap&task=ajaxserver.display&format=json&data=%7B%22idtask%22%3A%22fetchSeoStats%22%2C%22template%22%3A%22json%22%2C%22param%22%3A%7B%7D%7D

Action Description:
Access denied with redirection to http://www.african-angler.net/ using status 302 (phase 2).

Justification:
Pattern match "(?i?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`])|(?:like\\s*?[\"'`]\\%)|(?:[\"'`]\\s*?like\\W*?[\"'`\\d])|(?:[\"'`]\\s*?(?:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&\\s+[\\s\\w]+=\\s*?\\w+\\s*? ..." at ARGS:data.

(note that I have migrated the site to african-angler.net)

So I disabled #981245 to see where we go...

I got hit with rule 981246...
www.african-angler.net 58.111.155.22 CRITICAL 302

Request:
GET /administrator/index.php?option=com_jmap&task=ajaxserver.display&format=json&data=%7B%22idtask%22%3A%22fetchSeoStats%22%2C%22template%22%3A%22json%22%2C%22param%22%3A%7B%7D%7D

Action Description:
Access denied with redirection to http://www.african-angler.net/ using status 302 (phase 2).

Justification:
Pattern match "(?i?:in\\s*?\\(+\\s*?select)|(??:n?and|x?x?or|div|like|between|and|not |\\|\\||\\&\\&\\s+[\\s\\w+]+(?:regexp\\s*?\\(|sounds\\s+like\\s*?[\"'`]|[=\\d]+x))|([\"'`]\\s*?\\d\\s*?(?:--|#))|(?:[\"'`][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[ ..." at ARGS:data.

[b]So I disabled #981246 to see where we go... SUCCESS!!!!! SEO Stats works.[/b]

However, I am frightened to leave these rules disabled so I reset them all

I hope this helps.

Regards
 
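Why both hits above come from harmless input, as an added example that is not part of either post: the first alternative of rule 981257, exactly as the audit log in #3335 prints it, is run over the logged street value and over the `data` parameter of the request in #3338. It assumes the engine matches byte by byte (no UTF-8 mode), which reproduces the logged "Matched Data"; Python's `re` stands in for the WAF's regex engine, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

def first_alternative(quotes):
    """First alternative of rule 981257 as logged, with a quote class plugged in."""
    return rf",.*?[)\da-f{quotes}][{quotes}](?:[{quotes}].*?[{quotes}]|\Z|[^{quotes}]+)"

# Byte-wise, as the log prints it: each \xNN is its own class member, so the
# lone byte 0xC2 (lead byte of º and ª in UTF-8) is treated like a quote.
BYTEWISE = re.compile(
    first_alternative(r"\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98").encode("ascii"),
    re.I | re.S)
# Character-wise, for comparison: the same class read as the characters ´ ’ ‘.
CHARWISE = re.compile(first_alternative("\"'`\u00b4\u2019\u2018"), re.I | re.S)

# Inputs copied from the thread: the street value from the audit log and the
# data parameter of the blocked request.
STREET = b"C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1, 1\xc2\xba - 1\xc2\xaa"
DATA = unquote_to_bytes(
    "%7B%22idtask%22%3A%22fetchSeoStats%22%2C%22template%22%3A%22json"
    "%22%2C%22param%22%3A%7B%7D%7D")

def matched_bytes(value: bytes):
    """What the byte-wise pattern matches in value, or None."""
    m = BYTEWISE.search(value)
    return m.group(0) if m else None

def matched_chars(value: bytes):
    """What the character-wise pattern matches in the decoded value, or None."""
    m = CHARWISE.search(value.decode("utf-8"))
    return m.group(0) if m else None

if __name__ == "__main__":
    for name, value in (("street", STREET), ("data", DATA)):
        print(name, "byte-wise:", matched_bytes(value),
              "| char-wise:", matched_chars(value))
```

Byte-wise, `1º` reads as a digit followed by a quote because 0xC2 sits in the quote class, and in the JSON the `e"` that ends `"template"` passes the same hex-digit-plus-quote test. For the JSON case, an exclusion scoped to the one parameter, such as ModSecurity's `SecRuleUpdateTargetById 981257 "!ARGS:data"`, is narrower than disabling the rule for the whole site.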
#3353
John Dagelmore
Admin
Posts: 3716
Thanks David,

By the way, in the upcoming version 3.7 we changed the way we communicate with the server to fetch the SEO stats, so we hope that this won't happen again despite the settings of Apache ModSecurity.

thanks a lot for your collaboration!

John
 
#3355
David
Fresh Boarder
Posts: 17
Hi John,

Looking forward to 3.7

David
 