SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

False positive with WordPress when hosted from http://example.com/update-prefix #1756

Open morko opened 4 years ago

morko commented 4 years ago

Description

Rule 942360 gets triggered when a WordPress site is hosted from a URL like http://example.com/update-prefix and doing stuff in the wp-admin area (navigating to http://example.com/update-prefix/wp-admin).

I fixed this by adding following exclusion rule:

# Runtime exclusion: stop rule 942360 from inspecting ARGS:_wp_http_referer.
# Must be loaded before the CRS rules (e.g. REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf)
# so the ctl action has already run when 942360 is evaluated in phase 2.
SecAction \
    "id:1001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942360;ARGS:_wp_http_referer"

Audit Logs / Triggered Rule Numbers

Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s?(?:alter\s(?:a(?:(?:pplication\srol|ggregat)e|s(?:ymmetric\ske|sembl)y|u(?:thorization|dit)|vailability\sgroup)|c(?:r(?:yptographic\sprovider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)| ..." at ARGS:_wp_http_referer. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]

Your Environment

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

morko commented 4 years ago

This also happens at least when WordPress wants to update the database, making a request with /wp-admin/upgrade.php?step=1&backto=%2Fupdate-prefix%2Fwp-admin%2F, so I also removed backto.

# Same runtime exclusion, now also dropping ARGS:backto from rule 942360.
# Replaces the earlier id:1001 rule; load it before the CRS rules so the
# ctl actions take effect before 942360 runs in phase 2.
SecAction \
    "id:1001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942360;ARGS:_wp_http_referer,\
    ctl:ruleRemoveTargetById=942360;ARGS:backto"
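The two comments above tune CRS by hand: read the `[id ...]` and `Matched Data ... found within ARGS:...` fields out of the audit log, then write a `ctl:ruleRemoveTargetById` exclusion for each rule/argument pair. The helper below automates that step and, as the usual CRS advice goes, narrows the exclusion to the WordPress admin path with a `SecRule REQUEST_URI "@beginsWith ..."` condition in phase 1 instead of an unconditional `SecAction` in phase 2. This is an added example written for this page, not code from the reporter or from the CRS project. The sample log is constructed: the first line is the 942360 hit posted above, the second is an assumed hit of the same kind on `ARGS:backto` (the reporter mentioned it but did not post the log), and the third is the 949110 scoring line. The local rule id 1001 and the path prefix `/update-test/wp-admin/` (the path visible in the posted log) are assumptions.

```python
"""Turn ModSecurity/CRS alert lines into a scoped runtime rule exclusion.

Added example for this issue, not CRS project code. Assumes local rule
id 1001 is unused (CRS reserves ids 1-99,999 for local rules) and that
the exclusion should only apply under the WordPress admin path.
"""
import re

# Constructed sample log: one real-looking 942360 hit on _wp_http_referer,
# an assumed hit on ARGS:backto, and the 949110 anomaly-score line, which
# names no excludable target and must be ignored.
SAMPLE_LOG = r"""Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s?(?:alter\s ..." at ARGS:_wp_http_referer. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"]
Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s?(?:alter\s ..." at ARGS:backto. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:backto: /update-test/wp-admin/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
# Matched Data: <fragment> found within <VAR:name>: <full value>
DATA_RE = re.compile(
    r'\[data "Matched Data: (.*?) found within ([A-Za-z_]+:[^:"]+): (.*?)"\]')


def parse_alerts(log_text):
    """Return one dict per alert line that names a concrete matched target."""
    alerts = []
    for line in log_text.splitlines():
        m_id, m_data = ID_RE.search(line), DATA_RE.search(line)
        if not (m_id and m_data):
            continue  # e.g. 949110: blocking evaluation, nothing to exclude
        alerts.append({
            "rule_id": m_id.group(1),
            "matched": m_data.group(1),   # the fragment that fired, "/update"
            "target": m_data.group(2),    # the variable to remove, ARGS:...
            "value": m_data.group(3),     # full argument value, for review
        })
    return alerts


def exclusion_targets(alerts):
    """Group excludable targets by rule id, deduplicated, order preserved.

    Only ARGS-family variables are accepted: removing a TX: or other
    internal variable from a rule is never the right fix.
    """
    targets = {}
    for a in alerts:
        if not a["target"].startswith("ARGS"):
            continue
        seen = targets.setdefault(a["rule_id"], [])
        if a["target"] not in seen:
            seen.append(a["target"])
    return targets


def render_exclusion(targets, path_prefix, local_id=1001):
    """Emit a runtime exclusion limited to path_prefix.

    phase:1 makes the ctl actions run before the CRS request-body rules
    they modify, regardless of where in the config the rule is loaded.
    """
    ctls = [f"ctl:ruleRemoveTargetById={rid};{t}"
            for rid, ts in targets.items() for t in ts]
    actions = [f"id:{local_id}", "phase:1", "pass", "t:none", "nolog"] + ctls
    body = ",\\\n    ".join(actions)
    return f'SecRule REQUEST_URI "@beginsWith {path_prefix}" \\\n    "{body}"'


if __name__ == "__main__":
    hits = parse_alerts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["rule_id"]} matched {h["matched"]!r} in {h["target"]} = {h["value"]!r}')
    print(render_exclusion(exclusion_targets(hits), "/update-test/wp-admin/"))
```

Run it and the last thing printed is the scoped replacement for the two `SecAction` rules above: the same two `ctl:ruleRemoveTargetById=942360;...` actions, but only for requests whose URI begins with the admin path, so a genuine `/update ...` payload in `_wp_http_referer` sent to any other URL is still inspected. Review the printed `value` column before deploying: the exclusion is justified only when the argument is a site-relative path, as here.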