LycheeOrg / Lychee

A great looking and easy-to-use photo-management-system you can run on your server, to manage and share photos.
https://lycheeorg.github.io/
MIT License

mod_security errors from lychee hosted on cpanel #864

Closed permeable closed 3 years ago

permeable commented 3 years ago

Detailed description of the problem [REQUIRED]

I am using lychee v4.0.8 via cpanel on Hostwinds.com at https://nitikman.com/jay/lychee/public/

If I reload that URL between 10 and 15 times, the mod-security rules are being triggered on the domain:

Sun Jan 10 21:02:20.990510 2021] [:error] [pid 13820:tid 47666608117504] [client 104.168.168.13:51223] [client 104.168.168.13] ModSecurity: Warning. Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on\\\\w+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=)" at REQUEST_COOKIES:lychee_session. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "44"] [id "941120"] [rev "2"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 9ON1RPeWVvcGgxcS9CYVMvMmgrRThUcDNCNWpuVGtpUERXN1c0ZWNmakY0VnlhTHljL0t4V2Z1RnpadEh4V1BXT1dLaEx6NVgzQlhzWllZZGtjY3dIemxzeWpVRkJJTUpEdlRRdGhVblpUWnBYSG4iLCJtYWMiOiJjYTBhZTkyOWQ2ZjA0MzNlNDExZWE0NGQyMGIzZjFlNDA4OWJmMzBlYjA4NDgyNjk2ZDM5YWFjZTg2MmIxNjVmIn0= found withinREQUEST_COOKIES:lychee_session: eyJpdiI6ImFnS3dwYXRMSWlYVEZMMllxaE5FRnc9PSIsInZhbHVlIjoiRGFKUUMzbFF5Ym5hQlhZNG9ON1RPeWVvcGgxcS9CYVMvMmgrRThUcDNCNWpuVGtpUERXN1c0ZWNmakY0VnlhTHljL0t4V2Z1RnpadEh4V1BXT1dLaEx6NVgzQlhzWllZZGtjY3dIemxzeWp..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platf [hostname "nitikman.com"] [uri "/jay/lychee/public/"] [unique_id "X-vb3LMzHKCwi48T68A7swAAANE"]
[Sun Jan 10 21:02:20.993125 2021] [:error] [pid 13820:tid 47666608117504] [client 104.168.168.13:51223] [client 104.168.168.13] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "nitikman.com"] [uri "/jay/lychee/public/"] [unique_id "X-vb3LMzHKCwi48T68A7swAAANE"]
[Sun Jan 10 21:02:20.994823 2021] [core:error] [pid 13820:tid 47666608117504] [client 104.168.168.13:51223] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Sun Jan 10 21:02:20.995179 2021] [:error] [pid 13820:tid 47666608117504] [client 104.168.168.13:51223] [client 104.168.168.13] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 2: Event Handler Vector"] [tag "event-correlation"] [hostname "nitikman.com"] [uri "/index.php"] [unique_id "X-vb3LMzHKCwi48T68A7swAAANE"]
[Sun Jan 10 21:02:21.478704 2021] [:error] [pid 13820:tid 47666616522496] [client 104.168.168.13:51222] [client 104.168.168.13] ModSecurity: Warning. Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on\\\\w+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=)" at REQUEST_COOKIES:lychee_session. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "44"] [id "941120"] [rev "2"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 9ON1RPeWVvcGgxcS9CYVMvMmgrRThUcDNCNWpuVGtpUERXN1c0ZWNmakY0VnlhTHljL0t4V2Z1RnpadEh4V1BXT1dLaEx6NVgzQlhzWllZZGtjY3dIemxzeWpVRkJJTUpEdlRRdGhVblpUWnBYSG4iLCJtYWMiOiJjYTBhZTkyOWQ2ZjA0MzNlNDExZWE0NGQyMGIzZjFlNDA4OWJmMzBlYjA4NDgyNjk2ZDM5YWFjZTg2MmIxNjVmIn0= found withinREQUEST_COOKIES:lychee_session: eyJpdiI6ImFnS3dwYXRMSWlYVEZMMllxaE5FRnc9PSIsInZhbHVlIjoiRGFKUUMzbFF5Ym5hQlhZNG9ON1RPeWVvcGgxcS9CYVMvMmgrRThUcDNCNWpuVGtpUERXN1c0ZWNmakY0VnlhTHljL0t4V2Z1RnpadEh4V1BXT1dLaEx6NVgzQlhzWllZZGtjY3dIemxzeWp..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platf [hostname "nitikman.com"] [uri "/favicon.ico"] [unique_id "X-vb3bMzHKCwi48T68A7tgAAANU"], referer: http://nitikman.com/jay/lychee/public/
[Sun Jan 10 21:02:21.481450 2021] [:error] [pid 13820:tid 47666616522496] [client 104.168.168.13:51222] [client 104.168.168.13] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "nitikman.com"] [uri "/favicon.ico"] [unique_id"X-vb3bMzHKCwi48T68A7tgAAANU"], referer: http://nitikman.com/jay/lychee/public/
[Sun Jan 10 21:02:21.483845 2021] [core:error] [pid 13820:tid 47666616522496] [client 104.168.168.13:51222] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://nitikman.com/jay/lychee/public/
[Sun Jan 10 21:02:21.484182 2021] [:error] [pid 13820:tid 47666616522496] [client 104.168.168.13:51222] [client 104.168.168.13] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 2: Event Handler Vector"] [tag "event-correlation"] [hostname "nitikman.com"] [uri "/index.php"] [unique_id "X-vb3bMzHKCwi48T68A7tgAAANU"], referer: http://nitikman.com/jay/lychee/public/

The Lychee application is triggering the mod_security policy and breaks the application. I get 403 Forbidden responses.

The support staff at my host provider says:

As mentioned earlier, it's the Apache Mod-Security rules causing the issue. Some rules are being triggered on the domain http://nitikman.com/, especially inner links /jay/lychee/public/ .

So it's clear that something related to code is conflicting with the standard Mod_Security rules of the server.

So it's better to check with a developer to get rid of this issue.

Steps to reproduce the issue

  1. Browse to http://nitikman.com/jay/lychee/public/. You will see the entry point to my Lychee instance.
  2. Refresh the browser window multiple times. Somewhere between 5-15 refreshes, you will receive an API error and then a 403 Forbidden error.

The only way to recover is to delete the two cookies for nitikman.com from the browser.

Output of the diagnostics [REQUIRED]

Diagnostics
    -------
    Info: Latest version of PHP is 7.4
    Warning: You may experience problems when uploading a photos of large size. Take a look in the FAQ for details.
    Warning: You may experience problems when uploading a large amount of photos. Take a look in the FAQ for details.
    Warning: Pictures that are rotated lose their metadata! Please install Imagick to avoid that.
    Warning: Dropbox import not working. dropbox_key is empty.

    System Information
    --------------
    Lychee Version (release):        4.0.8
    DB Version:                      4.0.8

    composer install:                --no-dev
    APP_ENV:                         production
    APP_DEBUG:                       false

    System:                          Linux
    PHP Version:                     7.3
    Max uploaded file size:          64M
    Max post size:                   64M
    MySQL Version:                   10.0.38-MariaDB-cll-lve

    Imagick:                         -
    Imagick Active:                  1
    Imagick Version:                 -
    GD Version:                      bundled (2.1.0 compatible)

    Config Information
    --------------
    version:                         040008
    check_for_updates:               0
    sorting_Photos_col:              takestamp
    sorting_Photos_order:            ASC
    sorting_Albums_col:              title
    sorting_Albums_order:            ASC
    imagick:                         1
    skip_duplicates:                 0
    small_max_width:                 0
    small_max_height:                360
    medium_max_width:                1920
    medium_max_height:               1080
    lang:                            en
    layout:                          1
    image_overlay:                   1
    image_overlay_type:              desc
    default_license:                 reserved
    compression_quality:             90
    full_photo:                      1
    delete_imported:                 0
    Mod_Frame:                       1
    Mod_Frame_refresh:               30
    thumb_2x:                        1
    small_2x:                        1
    medium_2x:                       1
    landing_page_enable:             0
    landing_owner:                   Dan Garlock
    landing_title:                   Dan Garlock
    landing_subtitle:                Photography
    landing_facebook:                https://www.facebook.com/JohnSmith
    landing_flickr:                  https://www.flickr.com/JohnSmith
    landing_twitter:                 https://www.twitter.com/JohnSmith
    landing_instagram:               https://instagram.com/JohnSmith
    landing_youtube:                 https://www.youtube.com/JohnSmith
    landing_background:              dist/cat.jpg
    site_title:                      Lychee v4
    site_copyright_enable:           1
    site_copyright_begin:            2021
    site_copyright_end:              2021
    additional_footer_text:          
    display_social_in_gallery:       0
    public_search:                   1
    SL_enable:                       0
    SL_for_admin:                    0
    public_recent:                   0
    recent_age:                      1
    public_starred:                  0
    downloadable:                    0
    photos_wraparound:               1
    map_display:                     0
    zip64:                           1
    map_display_public:              0
    map_provider:                    Wikimedia
    force_32bit_ids:                 0
    map_include_subalbums:           0
    update_check_every_days:         3
    has_exiftool:                    0
    share_button_visible:            0
    import_via_symlink:              0
    has_ffmpeg:                      0
    location_decoding:               0
    location_decoding_timeout:       30
    location_show:                   0
    location_show_public:            0
    rss_enable:                      0
    rss_recent_days:                 7
    rss_max_items:                   100
    prefer_available_xmp_metadata:   0
    editor_enabled:                  1
    lossless_optimization:           0
    swipe_tolerance_x:               150
    swipe_tolerance_y:               250
    local_takestamp_video_formats:   .avi|.mov
    log_max_num_line:                1000
    unlock_password_photos_with_url_param: 0

Browser and system

I have reproduced on Chrome and Safari
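The log above already names the trigger: CRS rule 941120 read the substring `9ON…=` of the base64-encoded `lychee_session` cookie as an HTML event-handler attribute (`on…=`), and that one critical hit scores 5, exactly the anomaly threshold the request was blocked at. The Python below is an added illustration, not code from this issue or from Lychee: it reconstructs the rule's pattern from the log, builds a constructed cookie of the same shape (Lychee 4 is a Laravel application, and the logged cookie decodes to Laravel's `{"iv","value","mac"}` JSON, base64-encoded), shows which three pieces of the string matched, and models the server-side CRS rule exclusion. The cookie contents, the `other_cookie` name and the `SecRuleUpdateTargetById` line for this host are constructed or hypothetical.

```python
import base64
import json
import re

# OWASP CRS 3.0 rule 941120 as quoted in the ModSecurity log above, with the
# log's doubled backslashes and escaped quotes undone. Named groups split a hit
# into the three pieces the rule looks for: a run of separator characters
# (whitespace, quotes, ';', '/', digits, '=' ...), an on* token (an HTML event
# handler name such as onload), and the '=' that would follow it.
RULE_941120 = re.compile(
    r"""(?P<prefix>[\s"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+)"""
    r"""(?P<handler>on\w+)"""
    r"""(?P<tail>[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)""",
    re.IGNORECASE,
)

def explain_941120(value: str):
    """Return (prefix, handler, tail) for the first 941120 hit in value, else None."""
    m = RULE_941120.search(value)
    return None if m is None else (m.group("prefix"), m.group("handler"), m.group("tail"))

def laravel_style_cookie(iv: str, ciphertext: str, mac: str) -> str:
    """Constructed stand-in for a Laravel encrypted cookie: base64(JSON{iv,value,mac}).
    Real values are random base64 ciphertext and a hex HMAC, so a digit followed by
    'on' somewhere in the text plus the trailing '=' padding is a common accident."""
    payload = json.dumps({"iv": iv, "value": ciphertext, "mac": mac}, separators=(",", ":"))
    return base64.b64encode(payload.encode()).decode()

# Constructed sample: the ciphertext placeholder contains "4oN", the bytes that
# encode to "NG9ON" in the logged cookie, so the same false positive appears.
SAMPLE_COOKIE = laravel_style_cookie("ABCD", "XY4oN7TP", "01")

def cookie_anomaly_score(cookies: dict, excluded: frozenset = frozenset()) -> int:
    """Score a request's cookies as CRS does for 941120 alone (critical hit = 5).
    `excluded` models the CRS rule exclusion an administrator would add to the
    host's ModSecurity config (hypothetical for this host, but a real directive):
        SecRuleUpdateTargetById 941120 "!REQUEST_COOKIES:lychee_session"
    which keeps the rule active but stops it inspecting that one cookie."""
    score = 0
    for name, value in cookies.items():
        if name not in excluded and RULE_941120.search(value):
            score += 5  # one critical hit already reaches the log's threshold of 5
    return score

if __name__ == "__main__":
    print(SAMPLE_COOKIE, explain_941120(SAMPLE_COOKIE))
    cookies = {"lychee_session": SAMPLE_COOKIE, "other_cookie": "abc"}  # constructed
    print(cookie_anomaly_score(cookies), cookie_anomaly_score(cookies, frozenset({"lychee_session"})))
```

The exclusion has to be applied in the server's ModSecurity configuration, not in Lychee; on a shared cPanel plan that is the host's side of the fence.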

kamil4 commented 3 years ago

One of the other developers will need to have a look as I have no experience with mod_security.

Were you going to quote the response of the support staff at your host provider though? Because that paragraph is cut off at the quotation mark...

permeable commented 3 years ago

Fixed missing quote

d7415 commented 3 years ago

My suspicion is that they have mod_security configured too strictly for anything like Lychee to work. A similar possibility (as you only experienced issues after multiple queries close together) is that it's set low enough that it sees the multiple requests as an attack.

Either way my hunch leads to their end unless someone can explain otherwise.

The 3 log entries seem to be:

permeable commented 3 years ago

Well since my provider will not disclose their mod_security rules, I have no recourse but to delete my lychee instance and move on. I admit that lychee looks better than the runner-up, Piwigo, which does not conflict with my host provider's mod_security rules.