Phpmyadmin is being blocked by modsecurity

Hi guys,
I am still having problems with the virtualmin phpmyadmin installer script.

In virtualmin, if I go into a sub server (whilst logged in as the root user) and then install phpmyadmin whilst accepting all defaults, I cannot browse phpmyadmin at all. It throws a “forbidden, you don't have permission to access this resource” error.

Also, if I install phpmyadmin admin from the primary virtual server, I cannot add sub server databases to it!

When I check the apache error logs, Mod security seems to be what is blocking it… The question is, why does mod security have a problem with the Inbound Anomaly score? Is this my end that is causing the problem?

>     ModSecurity: Warning. Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on\\\\w+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=)" at REQUEST_COOKIES:pmaUser-1_https. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "125"] [id "941120"] [rev "2"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 3oNAuw= found within REQUEST_COOKIES:pmaUser-1_https: {\\x22iv\\x22:\\x22yF6zNnkF82RXbFUV3oNAuw==\\x22,\\x22mac\\x22:\\x2280b45d3bd72479c21eddfe7153d15f42813e37d9\\x22,\\x22payload\\x22:\\x226cJbBzb/uAMGA1wzouTzHQ==\\x22}"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "membership.virtualsubserver.com"] [uri "/phpmyadmin/"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]
>     [Tue Jun 30 23:04:33.582463 2020] [:error] [pid 21081:tid 140330808571648] [client 12.34.56.78:49719] [client 12.34.56.78] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "membership.virtualsubserver.com"] [uri "/phpmyadmin/"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]
>     [Tue Jun 30 23:04:33.582760 2020] [:error] [pid 21081:tid 140330808571648] [client 12.34.56.78:49719] [client 12.34.56.78] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 2: Event Handler Vector"] [tag "event-correlation"] [hostname "membership.virtualsubserver.com"] [uri "/phpmyadmin/"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]

Ok so it seems that mod security does not like phpmyadmin as it sees its input as being a kind of injection attack.
I don't want to disable mod security for this virtual server, ideas?

Perhaps enable debugging for modsecurity and see if you can find what rule is being triggered when you get the error\issue.

Dibs
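Added example, not part of the thread and not Virtualmin or CRS code: a short Python script that reads the log entries quoted above, separates the rule that actually raised the score from the two scoring rules, and shows why the cookie matched. The log lines are trimmed copies of the ones in the post, the 941120 pattern is my reading of the logged pattern with the log's extra backslashes removed (an assumption), and the function names are hypothetical.

```python
import re

# Rule 941120's pattern as printed in the log entry, with the log's extra
# backslash escaping undone (assumption about the original rule text).
RULE_941120 = re.compile(
    r"(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on\w+"
    r"[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)")

# Cookie value from the log's [data] field, with \x22 decoded to double quotes.
COOKIE = ('{"iv":"yF6zNnkF82RXbFUV3oNAuw==","mac":"80b45d3bd72479c21eddfe7153d15f42813e37d9",'
          '"payload":"6cJbBzb/uAMGA1wzouTzHQ=="}')

# Trimmed copies of the three entries in the post (pattern and tags shortened).
LOG = [
    'ModSecurity: Warning. Pattern match "(...)" at REQUEST_COOKIES:pmaUser-1_https. '
    '[id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] '
    '[severity "CRITICAL"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]',
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at '
    'TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]',
    'ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. '
    '[id "980130"] [msg "Inbound Anomaly Score Exceeded (...)"] '
    '[unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]',
]

# 949110 (blocking evaluation) and 980130 (correlation) only report the total
# score; they detect nothing themselves, so they are not the rule to tune.
SCORING = {"949110", "980130"}

def detections(lines):
    """Return (unique_id, rule id, target, msg) for rules that raised the score."""
    out = []
    for line in lines:
        f = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))
        target = re.search(r" at (\S+)\. \[", line)
        if f.get("id") and f["id"] not in SCORING and target:
            out.append((f["unique_id"], f["id"], target.group(1), f.get("msg", "")))
    return out

def exclusion(rule_id, target):
    """Directive that drops one variable from one rule and leaves the rule active."""
    return f'SecRuleUpdateTargetById {rule_id} "!{target}"'

if __name__ == "__main__":
    # The base64 IV happens to contain digit + "oN" + letters + "=", which the
    # event-handler pattern reads as an onXXX= attribute.
    print("matched:", RULE_941120.search(COOKIE).group(0))
    for uid, rid, target, msg in detections(LOG):
        print(uid, rid, target, msg)
        print(exclusion(rid, target))
```

`SecRuleUpdateTargetById` only takes effect when it is loaded after the CRS rule files, and it keeps rule 941120 active for every other cookie and parameter on the server.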
