Today I found my online phone system, which utilises a combo of OpenVBX and Twilio, was failing with the automatic message “Could Not Validate this request”.
After a bit of troubleshooting I found a workaround – here are my findings.
Symptoms:
Twilio / OpenVBX call failing with “Could Not Validate this request” message.
Troubleshooting OpenVBX:
I logged into Twilio for a start to ensure my account was in good standing, and to see if anything stood out.
I found in the call history / diagnostics provided by Twilio that calls seemed to be getting a 403 and 403 response to the call to OpenVBX. I couldn’t replicate the error with my own call to the address, but I had a lead. I could see some response to the request in Twilio, so it wasn’t outright blocking.
Into Apache / web server logs I go.
I decided to watch the Apache logs for my site while I made a call to my Twilio number, which routes into OpenVBX. Hmmm, nothing out of the normal at all, and I was presented with the same failure message on the phone: “Could Not Validate this request”.
Light bulb moment
I knew that Twilio was reporting a 403 error when attempting to connect the call to my site. 403 is usually not authorized. I knew that ModSecurity often returns a 401 / forbidden message when it intercepts a request; however, the mod_sec logs didn’t yield anything.
It got me thinking: I know I had recently upgraded my PHP to 5.6 on my cPanel server, and with it any associated packages cPanel and PHP provide, including the security suite Suhosin.
I decided to check my /var/log/messages and, lo and behold, I found the culprit:
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CallerState' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ToZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CallerZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CalledZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CalledCity' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CallerCity' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ToCity' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'FromCity' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'FromZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'FromState' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - dropped 10 request variables - (0 in GET, 10 in POST, 0 in COOKIE) (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
It seemed Suhosin was intercepting the data from Twilio and dropping it because of ASCII-NUL characters.
The hardest thing here is that without root access to the server I would never have known, as these outputs are not in standard user logs.
For a quick fix to restore access to my phone system I added the following to my website’s override php.ini (located in the www directory):
suhosin.cookie.disallow_nul = Off
suhosin.get.disallow_nul = Off
suhosin.post.disallow_nul = Off
suhosin.request.disallow_nul = Off
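To see how much of that override the log actually supports, the Suhosin alerts can be summarised per script and per request channel. The script below is an added example, not part of the original post or of Suhosin: the function names are hypothetical, the sample lines are constructed in the format shown above, and the three per-channel directive names are the ones from the php.ini override.

```python
import re
from collections import Counter

# Constructed sample in the format of the /var/log/messages lines shown above.
SAMPLE_LOG = """\
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'CallerState' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'ToZip' (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
suhosin[717848]: ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'x.x.x.x', file '/home/xxxx/public_html/index.php')
"""

DROP_RE = re.compile(
    r"suhosin\[\d+\]: ALERT - (?P<reason>.+?) - dropped variable '(?P<var>[^']*)' "
    r"\(attacker '(?P<src>[^']*)', file '(?P<file>[^']*)'\)")
TOTAL_RE = re.compile(
    r"suhosin\[\d+\]: ALERT - dropped \d+ request variables - "
    r"\((\d+) in GET, (\d+) in POST, (\d+) in COOKIE\)")

# Per-channel directives taken from the php.ini override on this page.
CHANNEL_DIRECTIVE = {
    "GET": "suhosin.get.disallow_nul",
    "POST": "suhosin.post.disallow_nul",
    "COOKIE": "suhosin.cookie.disallow_nul",
}

def summarize(log_text):
    """Return dropped variables per (file, reason) and drop counts per channel."""
    dropped = {}
    channels = Counter({"GET": 0, "POST": 0, "COOKIE": 0})
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            dropped.setdefault((m["file"], m["reason"]), []).append(m["var"])
            continue
        t = TOTAL_RE.search(line)
        if t:
            for name, count in zip(("GET", "POST", "COOKIE"), t.groups()):
                channels[name] += int(count)
    return dropped, dict(channels)

def unsupported_directives(channels):
    """Per-channel directives whose channel shows no drops in the log."""
    return sorted(d for ch, d in CHANNEL_DIRECTIVE.items() if channels[ch] == 0)

if __name__ == "__main__":
    dropped, channels = summarize(SAMPLE_LOG)
    for (path, reason), names in dropped.items():
        print(f"{path}: {reason}: {', '.join(names)}")
    print("drops per channel:", channels)
    print("no log evidence for relaxing:", unsupported_directives(channels))
```

Run against the alerts above, every drop is in POST, so the log gives no evidence for turning off the GET or COOKIE checks.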
Now to find the cause, as I don’t really like disabling any security features. I’m assuming it was in the 5.6-compatible Suhosin update with cPanel.
Let me know if I was able to help you solve the “Could Not Validate this request” issue with your Twilio/VBX integration.