search

SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0
2.45k stars 727 forks source link

NextCloud False Positive #1736

Open manuelroccon opened 4 years ago

manuelroccon commented 4 years ago

Type of Issue

False positive

Description

I've just configured rules. Last version of Nextcloud give me this errors.

Audit Logs / Triggered Rule Numbers

--4693d56e-A-- [11/Apr/2020:16:00:06 +0300] XpG-VqTsDq4eM7zXEJkhRwAAAEs 123.123.123.123 53284 123.123.123.123 443 --4693d56e-B-- PROPFIND /remote.php/dav/files/user/ HTTP/1.1 Host: nextcloud.domanin.it Depth: 0 Authorization: Basic= User-Agent: Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud) Accept: / Content-Type: text/xml; charset=utf-8 X-Request-ID: be437f90-c473-40a7-8b98-a519a3473402 Cookie: oc_sessionPassphrase=; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc20oosppk3h= Content-Length: 114 Connection: Keep-Alive Accept-Encoding: gzip, deflate Accept-Language: en-US,*

--4693d56e-C-- <?xml version="1.0" ?>

--4693d56e-F-- HTTP/1.1 207 Multi-Status X-Powered-By: PHP/7.3.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Security-Policy: default-src 'none'; Vary: Brief,Prefer DAV: 1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-calendar-search, nc-enable-birthday-calendar Strict-Transport-Security: max-age=15552000; includeSubDomains Referrer-Policy: no-referrer X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: none X-XSS-Protection: 1; mode=block Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/xml; charset=utf-8 --4693d56e-E-- --4693d56e-H-- Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] Message: Rule 55f46f63e438 [id "932100"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null). Message: Rule 55f46f6510e8 [id "932105"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "162"] - Execution error - PCRE limits exceeded (-8): (null). Message: Rule 55f46f657438 [id "932110"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "261"] - Execution error - PCRE limits exceeded (-8): (null). Message: Rule 55f46f663088 [id "932115"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "302"] - Execution error - PCRE limits exceeded (-8): (null). Message: Rule 55f46f6f7288 [id "932150"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "479"] - Execution error - PCRE limits exceeded (-8): (null). Message: Rule 55f46ee2e918 [id "942360"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "486"] - Execution error - PCRE limits exceeded (-8): (null). Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f63e438 [id "932100"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f6510e8 [id "932105"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "162"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f657438 [id "932110"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "261"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f663088 [id "932115"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "302"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f6f7288 [id "932150"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "479"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46ee2e918 [id "942360"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "486"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"] Apache-Handler: proxy:fcgi://php-fpm Stopwatch: 1586610006171660 54186 (- - -) Stopwatch2: 1586610006171660 54186; combined=3589, p1=579, p2=2581, p3=73, p4=179, p5=177, sr=76, sw=0, l=0, gc=0 Response-Body-Transformed: Dechunked Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0. Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips Engine-Mode: "DETECTION_ONLY" --4693d56e-Z-- ### Your Environment CRS version v.3.3dev: ModSecurity version 2.9.2: Web Server and version apache 2.4.6: Operating System and version: CentOs 7.7.1908 ### Confirmation [X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
fzipi commented 4 years ago

Hi @manuelroccon. Did you enable NextCloud exclusion rules in rule id:900130 in crs-setup.conf?

fzipi commented 4 years ago

@manuelroccon Any comments so we can figure this out?

manuelroccon commented 4 years ago

I use secremovebyid in apache vhost configuration. This is right method to fix this issue?

fzipi commented 4 years ago

Depends.

You need to first enable the exclusion rules for NextCloud. Can you please check the file crs-setup.conf, and search for 900130?

Then you need to have something like this:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1"

That will effectively enable the exclusions we have for NextCloud. Without that, the rules to prevent this are not enabled!

fzipi commented 4 years ago

@manuelroccon Can you check this please? :point_up:

manuelroccon commented 4 years ago

ok, this exclusion rules not enabled in crs-setup.conf. But if i've more vhosts in my server with different CMS, can I put this exclusion directive only in vhost configuration that running Nextcloud?

fzipi commented 4 years ago

@manuelroccon You can also do this:

# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1

Give a quick look at the whole crs-setup.conf file to get a taste what you can do.

manuelroccon commented 4 years ago

@fzipi thank for your support,

The crs-setup.conf are default, i've not modify it of master brench.

I've read this recommendation about REQUEST_URI "@beginsWith /wordpress/" in crs-setup.conf, but REQUEST_URI of vhosts not start with specific pattern. All vhosts are separate domain. If i make this exclusion in crs-setup.conf is applied to all sites inside server.

So I think i must put this directive (SecAction "id:900130,) directly inside the apache vhost config, to apply this only specific vhost (in this case in nextcloud).

Is fine this tipe of configuration for you or there are other solutions?

fzipi commented 4 years ago

Hi @manuelroccon,

Hmmm.. :thinking: you will definitely need to apply this to a particular url/vhost. One technique I normally use in these cases is to use the SecWebAppId directive.

For example (you may need to modify it a bit, it is just a rough idea),

<VirtualHost Z.Z.Z.Z:44>
    SecWebAppId  my-nextcloud
...
...
</VirtualHost>

# And then:
SecRule WEBAPPID "@eq my-nextcloud" "setvar:tx.crs_exclusions_wordpress=1"

Please check the documentation for more examples.