OpenVBX + Twilio “Could Not Validate this request” FIXED

Today I found that my online phone system, which utilises a combo of OpenVBX and Twilio, was failing with the automatic message “Could Not Validate this request”.

After a bit of troubleshooting I found a workaround. Here are my findings.

Symptoms:

Twilio / OpenVBX call failing with “Could Not Validate this request” message.

Troubleshooting OpenVBX:

I logged into Twilio for a start to ensure my account was in good standing, and to see if anything stood out.

I found in the call history / diagnostics provided by Twilio that calls seemed to be getting a 403 and 403 response to the call to OpenVBX. I couldn’t replicate the error with my own call to the address, but I had a lead. I could see some response to the request in Twilio, so it wasn’t outright blocking.

Into the Apache / web server logs I go.

I decided to watch the Apache logs for my site while I made a call to my Twilio number, which routes into OpenVBX. Hmmm, nothing out of the normal at all, and I was presented with the same failure message on the phone: “Could Not Validate this request”.

Light bulb moment

I knew that Twilio was reporting a 403 error when attempting to connect the call to my site. 403 is usually not authorized. I knew that ModSecurity often returns a 401 / forbidden message when it intercepts a request; however, the mod_sec logs didn’t yield anything.

It got me thinking: I knew I had recently upgraded my PHP to 5.6 on my cPanel server, and with it any associated packages cPanel and PHP provide, including the security suite Suhosin.

I decided to check my /var/log/messages and, lo and behold, I found the culprit:

suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CallerState' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ToZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CallerZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CalledZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CalledCity' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CallerCity' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ToCity' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'FromCity' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'FromZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'FromState' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - dropped 10 request variables - (0 in GET, 10 in POST, 0 in COOKIE) (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')

It seemed Suhosin was intercepting the data from Twilio and dropping it because of ASCII-NUL characters.

The hardest thing here is that without root access to the server I would never have known, as these outputs are not in standard user logs.

For a quick fix to restore access to my phone system, I added the following to my website’s override php.ini (located in the www directory):

suhosin.cookie.disallow_nul = Off
suhosin.get.disallow_nul = Off
suhosin.post.disallow_nul = Off
suhosin.request.disallow_nul = Off

Now to find the cause, as I don’t really like disabling any security features. I’m assuming it was in the 5.6-compatible Suhosin update with cPanel.
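
Before relaxing any Suhosin setting, it helps to see exactly which scripts, clients and request sources (GET, POST or COOKIE) the alerts in /var/log/messages refer to. The following is an added example, not code from the original post: the function names and the shortened sample log are constructed here, following the format of the alert lines shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the alerts above, shortened to three variables.
TAIL = "(attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')"
NUL = "suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - "
SAMPLE_LOG = [
    NUL + "dropped variable 'CallerState' " + TAIL,
    NUL + "dropped variable 'ToZip' " + TAIL,
    NUL + "dropped variable 'FromCity' " + TAIL,
    "suhosin[717848]: ALERT - dropped 3 request variables - "
    "(0 in GET, 3 in POST, 0 in COOKIE) " + TAIL,
    "sshd[1201]: unrelated line that must be ignored",
]

WHO = r"\(attacker '(?P<src>[^']*)', file '(?P<file>[^']*)'\)"
DROP_RE = re.compile(
    r"suhosin\[\d+\]: ALERT - (?P<reason>.+?) - dropped variable '(?P<var>[^']*)' " + WHO)
SUMMARY_RE = re.compile(
    r"suhosin\[\d+\]: ALERT - dropped \d+ request variables - "
    r"\((?P<get>\d+) in GET, (?P<post>\d+) in POST, (?P<cookie>\d+) in COOKIE\) " + WHO)

def summarize(lines):
    """Group Suhosin drop alerts by (script path, client address)."""
    report = defaultdict(lambda: {"variables": [], "reasons": set(),
                                  "summaries": 0, "get": 0, "post": 0, "cookie": 0})
    for line in lines:
        drop = DROP_RE.search(line)
        if drop:  # per-variable alert: record the name and the stated reason
            entry = report[(drop["file"], drop["src"])]
            entry["variables"].append(drop["var"])
            entry["reasons"].add(drop["reason"])
            continue
        summary = SUMMARY_RE.search(line)
        if summary:  # summary alert: add up the per-source counts
            entry = report[(summary["file"], summary["src"])]
            entry["summaries"] += 1
            for source in ("get", "post", "cookie"):
                entry[source] += int(summary[source])
    return dict(report)

def affected_sources(entry):
    """Request sources (GET/POST/COOKIE) that actually lost variables."""
    return [s.upper() for s in ("get", "post", "cookie") if entry[s]]

if __name__ == "__main__":
    for (script, client), entry in summarize(SAMPLE_LOG).items():
        print(script, client, affected_sources(entry), sorted(entry["variables"]))
```

On a live server, pass the lines of /var/log/messages to `summarize` instead of the sample list.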

Let me know if I was able to help you solve the “Could Not Validate this request” issue with your Twilio/VBX integration.
