Open morko opened 4 years ago
This also happens, at least, when WordPress wants to update the database, making a request with /wp-admin/upgrade.php?step=1&backto=%2Fupdate-prefix%2Fwp-admin%2F, so I also removed backto.
```
SecAction \
  "id:1001,\
  phase:2,\
  pass,\
  t:none,\
  nolog,\
  ctl:ruleRemoveTargetById=942360;ARGS:_wp_http_referer,\
  ctl:ruleRemoveTargetById=942360;ARGS:backto"
```
Description
Rule 942360 gets triggered when a WordPress site is hosted from a URL like http://example.com/update-prefix and you do stuff in the wp-admin area (navigating to http://example.com/update-prefix/wp-admin). I fixed this by adding the following exclusion rule:
Audit Logs / Triggered Rule Numbers
```
Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s?(?:alter\s(?:a(?:(?:pplication\srol|ggregat)e|s(?:ymmetric\ske|sembl)y|u(?:thorization|dit)|vailability\sgroup)|c(?:r(?:yptographic\sprovider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)| ..." at ARGS:_wp_http_referer. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
```
Your Environment
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
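Added example, not from the issue or the CRS project: a small Python triage script that parses ModSecurity `Message:` lines like the ones above, applies the issue's `ruleRemoveTargetById` exclusion as data (rule id plus the exact target variable), and recomputes the inbound anomaly score. It uses the CRS 3.x default severity weights (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) and the paranoia-level-1 inbound threshold of 5; the sample log lines are constructed from the issue's audit log with the file paths and tag lists trimmed.

```python
import re

# Constructed sample: the two "Message:" lines a ModSecurity 2.x error log
# carries for the CRS 3.2 false positive described in the issue (trimmed).
SAMPLE_MESSAGES = [
    'Message: Warning. Pattern match "(?i:(?:^[\\W\\d]+\\s?(?:alter ..." at ARGS:_wp_http_referer. '
    '[file ".../REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] '
    '[msg "Detects concatenated basic SQL injection and SQLLFI attempts"] '
    '[data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] '
    '[severity "CRITICAL"] [tag "attack-sqli"]',
    'Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file ".../REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]',
]

# The issue's SecAction expressed as data: rule id -> targets removed by
# ctl:ruleRemoveTargetById. The rule stays active for every other target.
EXCLUSIONS = {942360: {"ARGS:_wp_http_referer", "ARGS:backto"}}

# CRS 3.x default severity weights and the paranoia-level-1 inbound threshold.
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5
EVALUATION_RULE_ID = 949110  # scores the request; not itself a detection

# [key "value"] fields and the "... at VARIABLE." fragment naming the target.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TARGET_RE = re.compile(
    r' at ((?:ARGS|REQUEST_COOKIES|REQUEST_HEADERS|REQUEST_URI|TX)(?::[^. ]+)?)\.'
)


def parse_message(line):
    """Parse one error-log Message line into rule id, target and bracketed fields."""
    fields = dict(FIELD_RE.findall(line))
    target = TARGET_RE.search(line)
    return {
        "id": int(fields["id"]),
        "target": target.group(1) if target else None,
        "severity": fields.get("severity", "NOTICE"),
        "msg": fields.get("msg", ""),
        "data": fields.get("data", ""),
    }


def is_excluded(event, exclusions=EXCLUSIONS):
    """True when a ruleRemoveTargetById entry covers exactly this rule/target pair."""
    return event["target"] in exclusions.get(event["id"], ())


def rescore(lines, exclusions=EXCLUSIONS):
    """Replay the detection rules with the exclusion applied and recompute the
    inbound anomaly score; returns (score, blocked, still_firing, suppressed)."""
    score, firing, suppressed = 0, [], []
    for line in lines:
        if not line.startswith("Message:"):
            continue
        event = parse_message(line)
        if event["id"] == EVALUATION_RULE_ID:
            continue  # derived from the score, recomputed below
        if is_excluded(event, exclusions):
            suppressed.append(event)
        else:
            firing.append(event)
            score += SEVERITY_POINTS.get(event["severity"], 0)
    return score, score >= INBOUND_THRESHOLD, firing, suppressed


if __name__ == "__main__":
    score, blocked, firing, suppressed = rescore(SAMPLE_MESSAGES)
    print(f"with exclusion: score={score} blocked={blocked}")
    for event in suppressed:
        print(f"  suppressed {event['id']} on {event['target']}: {event['data']}")
    print("without exclusion:", rescore(SAMPLE_MESSAGES, {})[:2])
```

Running it shows the blocked request dropping from a score of 5 to 0 once 942360 is excluded for `ARGS:_wp_http_referer` only, while the same rule would still fire on any other parameter. Two things to keep in mind when applying the issue's SecAction for real: a runtime `ctl:` exclusion only affects rules evaluated after it, so it has to load before the CRS rule files (the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS slot), and a target-scoped removal like this is preferable to `ruleRemoveById`, which would switch the rule off for every variable.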