This repository has been archived by the owner on May 14, 2020. It is now read-only.

False positive with WordPress when hosted from http://example.com/update-prefix #1756

Open
morko opened this issue May 11, 2020 · 1 comment

Comments


morko commented May 11, 2020

Description

Rule 942360 gets triggered when a WordPress site is hosted from a URL like http://example.com/update-prefix and doing stuff in the wp-admin area (navigating to http://example.com/update-prefix/wp-admin).

I fixed this by adding the following exclusion rule:

# Must be loaded before the CRS rules themselves (e.g. in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf); a ctl action only affects
# rules evaluated after it in the same transaction.
# ruleRemoveTargetById stops 942360 from inspecting the _wp_http_referer
# parameter only; the rule still inspects every other argument.
SecAction \
    "id:1001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942360;ARGS:_wp_http_referer"

Audit Logs / Triggered Rule Numbers

Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\srol|ggregat)e|s(?:ymmetric\ske|sembl)y|u(?:thorization|dit)|vailability\sgroup)|c(?:r(?:yptographic\sprovider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)| ..." at ARGS:_wp_http_referer. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]

Your Environment

  • CRS version (e.g., v3.2.0): 3.2.0
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 2.9.3
  • Web Server and version (e.g., apache 2.4.41): Apache 2.4.41
  • Operating System and version: Ubuntu 20.04

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.


morko commented May 11, 2020

This also happens at least when WordPress wants to update the database, making a request with /wp-admin/upgrade.php?step=1&backto=%2Fupdate-prefix%2Fwp-admin%2F, so I also removed backto.

# Same rule as above, extended with a second target; one SecAction can carry
# several ctl actions. Keep it ahead of the CRS include so it takes effect
# before 942360 runs. Each ruleRemoveTargetById removes only the named
# parameter from 942360's inspection, nothing else.
SecAction \
    "id:1001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942360;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=942360;ARGS:backto"
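As an added worked example (not code from this issue or from the CRS project), the helper below reads ModSecurity "Message:" lines of the kind quoted in the report, pairs each rule id with the request variable it matched, skips the anomaly-scoring evaluation rule (which matches TX:anomaly_score rather than a request parameter, so excluding it would disable blocking instead of fixing the false positive), and renders the result in the SecAction form used in both comments. The sample log is constructed: the first and third lines are the ones posted above with the regex excerpt shortened, and the ARGS:backto line is reconstructed from the second comment rather than copied from a real log. Rule id 1001 and phase 2 are taken from the reporter's own rule; the function names are this example's own.

```python
"""
Turn ModSecurity/CRS "Message:" log lines for a false positive into the
ctl:ruleRemoveTargetById exclusions that silence it.

Assumes the message format shown in the issue:
  ... at ARGS:name. [file ...] [id "NNN"] ... [data "Matched Data: X found within ARGS:name: value"]
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample. Lines 1 and 3 come from the issue (regex excerpt shortened);
# line 2 is reconstructed from the second comment (same rule, ARGS:backto).
SAMPLE_LOG = r'''
Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\srol|ggregat)e ..." at ARGS:_wp_http_referer. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] [severity "CRITICAL"]
Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s*?(?:alter\s* ..." at ARGS:backto. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:backto: /update-prefix/wp-admin/"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
'''

ID_RE = re.compile(r'\[id "(\d+)"\]')
# The matched variable is printed as "at COLLECTION:name." directly before "[file".
# The greedy [^\s\]]+ backtracks over the trailing period, so it is not captured.
TARGET_RE = re.compile(r' at ([A-Z_]+(?::[^\s\]]+)?)\. \[file ')
DATA_RE = re.compile(r'\[data "Matched Data: (.*?) found within ')


def findings(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One record (rule id, matched variable, matched data) per Message line."""
    out = []
    for line in lines:
        m_id, m_target = ID_RE.search(line), TARGET_RE.search(line)
        if not (m_id and m_target):
            continue
        m_data = DATA_RE.search(line)
        out.append({"id": m_id.group(1), "target": m_target.group(1),
                    "matched": m_data.group(1) if m_data else ""})
    return out


def exclusions(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Unique (rule id, target) pairs worth excluding, in first-seen order.

    CRS's own scoring/reporting rules (949xxx blocking evaluation, 980xxx
    correlation) and anything that matched a TX: variable are skipped: they
    fire because of the detection rule, not on request data.
    """
    pairs: Dict[Tuple[str, str], None] = {}
    for f in findings(lines):
        if f["id"].startswith(("949", "980")) or f["target"].startswith("TX:"):
            continue
        pairs[(f["id"], f["target"])] = None
    return list(pairs)


def render_secaction(pairs: Iterable[Tuple[str, str]],
                     rule_id: int = 1001, phase: int = 2) -> str:
    """Render the pairs as one SecAction in the multi-line style used in the issue."""
    actions = [f"id:{rule_id}", f"phase:{phase}", "pass", "t:none", "nolog"]
    actions += [f"ctl:ruleRemoveTargetById={rid};{target}" for rid, target in pairs]
    body = ",\\\n    ".join(actions)  # comma, line-continuation backslash, indent
    return f'SecAction \\\n    "{body}"'


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG.splitlines()):
        print(f'{f["id"]} matched {f["matched"]!r} in {f["target"]}')
    print(render_secaction(exclusions(SAMPLE_LOG.splitlines())))
```

Paste the rendered SecAction into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or anywhere ahead of the CRS include) so the ctl actions run before 942360 does. Review the "matched" column before committing an exclusion: here it is the literal "/update" from the site's path prefix, which is the benign case, whereas a matched fragment that looks like an actual SQL keyword sequence in user data would be a reason not to exclude.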
