coreruleset / coreruleset

OWASP CRS (Official Repository)
https://coreruleset.org
Apache License 2.0

False positives on default Nextcloud exception enabled #1197

Closed CRS-migration-bot closed 3 years ago

CRS-migration-bot commented 4 years ago

Issue originally created by user deepwather on date 2018-10-05 08:44:16. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1197.

Type of Issue

Bug fix of Nextcloud exclusions -> (false positives)

Description

Nextcloud exclusions are enabled in the configuration as follows:

SecAction \
  "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_drupal=0,\
  setvar:tx.crs_exclusions_wordpress=0,\
  setvar:tx.crs_exclusions_nextcloud=1,\
  setvar:tx.crs_exclusions_dokuwiki=0,\
  setvar:tx.crs_exclusions_cpanel=0"

Now when I try to upload files to Nextcloud or use the online text editor over the web UI, the following "Path Traversal Attack" false positives happen.

The problem here is that Nextcloud uses four different paths for the file upload: "/remote.php/webdav/", "/public.php/webdav/", "/remote.php/dav/" and "/public.php/dav/". This is where the false positives happen.

Log entries:


[Tue Oct 02 12:35:50.014973 2018] [:error] [pid 20348] [client 185.232.64.161] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "83.150.6.68"] [uri "/"] [unique_id "W7NKBn8AAAEAAE98RioAAAAF"]
[Tue Oct 02 12:35:50.015120 2018] [:error] [pid 20348] [client 185.232.64.161] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "75"] [id "200002"] [msg "Failed to parse request body."] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [hostname "83.150.6.68"] [uri "/"] [unique_id "W7NKBn8AAAEAAE98RioAAAAF"]
[Tue Oct 02 14:47:55.317248 2018] [:error] [pid 30388] [client 83.150.6.68] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /??/ found within REQUEST_BODY: MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\\x09\\xcd!\\xb8\\x01L\\xcd!This program cannot be run in DOS mode.\\x0d\\x0d\\x0a$\\x00\\x00\\x00\\x00\\x00\\x00\\x00PE\\x00\\x00L\\x01\\x04\\x00\\x03OkR\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x00\\x0e\\x03\\x0b\\x01\\x0..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application [hostname "sub.domain.com"] [uri "/remote.php/webdav/Weiteres/__Patrick, MYUSER Ordner/GOLE1/bootia.zip"] [unique_id "W7No38AAAEAAHa03uEAAAAJ"]
[Tue Oct 02 14:47:55.392567 2018] [:error] [pid 30388] [client 83.150.6.68] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "sub.domain.com"] [uri "/remote.php/webdav/Weiteres/SOMEPATH/bootia.zip"] [unique_id "W7No38AAAEAAHa03uEAAAAJ"]
[Tue Oct 02 14:47:55.515764 2018] [:error] [pid 30388] [client 83.150.6.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../); individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "sub.domain.com"] [uri "/remote.php/webdav/Weiteres/SOMEPATH/bootia.zip"] [unique_id "W7No38AAAEAAHa03uEAAAAJ"]
[Tue Oct 02 14:48:16.760746 2018] [:error] [pid 30345] [client 83.150.6.68] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "sub.domain.com"] [uri "/apps/files_texteditor/ajax/savefile"] [unique_id "W7NpEH8AAAEAAHaJOogAAAAI"]
[Tue Oct 02 14:48:16.769329 2018] [:error] [pid 30345] [client 83.150.6.68] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "sub.domain.com"] [uri "/apps/files_texteditor/ajax/savefile"] [unique_id "W7NpEH8AAAEAAHaJOogAAAAI"]
[Tue Oct 02 14:48:16.925076 2018] [:error] [pid 30345] [client 83.150.6.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Method is not allowed by policy; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "sub.domain.com"] [uri "/apps/files_texteditor/ajax/savefile"] [unique_id "W7NpEH8AAAEAAHaJOogAAAAI"]
[Tue Oct 02 15:44:32.791112 2018] [:error] [pid 1691]  [client 83.150.6.68] ModSecurity: Warning. Matched phrase "..\\\\" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ..\\x5c found within REQUEST_BODY: PK\\x03\\x04\\x14\\x00\\x00\\x00\\x08\\x00\\x01\\x00!:\\xafW\\x1c\\xfa`\\x9e\\xa5\\x00(-\\xa7\\x00]\\x00\\x00\\x00GLI50T07S10_Android5.1_20160909_[Z8300_720X1280_gt911_AP6234]_userdebug andriod 64\\xce\\xbb/boot.img\\xec\\xbcwXSK\\x138|\\x02\\x08\\x08H\\xf0\\x8a\\xd8\\x10\\xa2\\xc6\\xebU\\xba\\xd2\\xa5\\x83\\x02\\x22\\x82\\xa0b\\x01\\x11!'r\\xe9\\x90P\\x94zi\\x22\\xc5\\xdeQDT\\x14\\x11\\xacT\\xe9\\x0a\\x0a\\x0a\\x08J\\x17\\x04\\x05\\x12B\\xef=\\xbf\\xdd\\x93\\xa0\\xf8^\\xef\\xfb~\\xcf\\xf3\\xfd\\xf1=\\xcf\\xef\\xbbG\\x93\\xb3gwfvvvfvf7\\..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-fe96e335be787ce4e63be172fc00706d-1538487869693/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:33.923658 2018] [:error] [pid 1691]  [client 83.150.6.68] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: PK\\x03\\x04\\x14\\x08\\x01!:\\xafW\\x1c\\xfa`\\x9e\\xa5(-\\xa7]GLI50T07S10_Android5.1_20160909_[Z8300_720X1280_gt911_AP6234]_userdebug andriod 64%u03bb/boot.img\\xbcwXSK\\x138|\\x02\\x08\\x08H\\x8a\\x10\\xa2U\\xba%u04a5\\x83\\x02\\x22\\x82\\xa0b\\x01\\x11!'r\\x90P\\x94zi\\x22QDT\\x14\\x11\\xacT\\x0a\\x0a\\x0a\\x08J\\x17\\x04\\x05\\x12B=\\xbf%u0753\\xa0\\xf8^\\xfb~\\xfd=\\xbbG\\x93\\xb3gwfvvvfvf7\\x07]zf&\\x86zk\\x8d<\\x11$\\x10\\x11\\x92)\\x93E%u0035\\xc0\\x18%u006e\\xc1~!\\x04\\x87\\x08!\\xbc?^\\x8e.dG\\x92'Q]\\x81`lbow%u01..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-fe96e335be787ce4e63be172fc00706d-1538487869693/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:34.711962 2018] [:error] [pid 1691]  [client 83.150.6.68] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: PK\\x03\\x04\\x14\\x08\\x01!:\\xafW\\x1c\\xfa`\\x9e\\xa5(-\\xa7]GLI50T07S10_Android5.1_20160909_[Z8300_720X1280_gt911_AP6234]_userdebug andriod 64\\xbb/boot.img\\xbcwXSK\\x138|\\x02\\x08\\x08H\\x8a\\x10\\xa2U\\xba\\xa5\\x83\\x02\\x22\\x82\\xa0b\\x01\\x11!'r\\x90P\\x94zi\\x22QDT\\x14\\x11\\xacT\\x0a\\x0a\\x0a\\x08J\\x17\\x04\\x05\\x12B=\\xbfS\\xa0\\xf8^\\xfb~\\xfd=\\xbbG\\x93\\xb3gwfvvvfvf7\\x07]zf&\\x86zk\\x8d<\\x11$\\x10\\x11\\x92)\\x93E5\\xc0\\x18n\\xc1~!\\x04\\x87\\x08!\\xbc?^\\x8e.dG\\x92'Q]\\x81`lbowN\\x22}\\x9d\\xa4n{\\x8cbmn..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-fe96e335be787ce4e63be172fc00706d-1538487869693/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:35.467231 2018] [:error] [pid 1691]  [client 83.150.6.68] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: PK\\x03\\x04\\x14\\x08\\x01!:\\xafW\\x1c\\xfa`\\x9e\\xa5(-\\xa7]GLI50T07S10_Android5.1_20160909_[Z8300_720X1280_gt911_AP6234]_userdebug andriod 64\\xbb/boot.img\\xbcwXSK\\x138|\\x02\\x08\\x08H\\x8a\\x10\\xa2U\\xba\\xa5\\x83\\x02\\x22\\x82\\xa0b\\x01\\x11!'r\\x90P\\x94zi\\x22QDT\\x14\\x11\\xacT\\x0a\\x0a\\x0a\\x08J\\x17\\x04\\x05\\x12B=\\xbfS\\xa0\\xf8^\\xfb~\\xfd=\\xbbG\\x93\\xb3gwfvvvfvf7\\x07]zf&\\x86zk\\x8d<\\x11$\\x10\\x11\\x92)\\x93E5\\xc0\\x18n\\xc1~!\\x04\\x87\\x08!\\xbc?^\\x8e.dG\\x92'Q]\\x81`lbowN\\x22}\\x9d\\xa4n{\\x8cbmn..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-fe96e335be787ce4e63be172fc00706d-1538487869693/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:36.342765 2018] [:error] [pid 1691]  [client 83.150.6.68] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: pk\\x03\\x04\\x14\\x08\\x01!:\\xafw\\x1c\\xfa`\\x9e\\xa5(-\\xa7]gli50t07s10_android5.1_20160909_[z8300_720x1280_gt911_ap6234]_userdebug andriod 64\\xbb/boot.img\\xbcwxsk\\x138|\\x02\\x08\\x08h\\x8a\\x10\\xa2u\\xba\\xa5\\x83\\x02\\x82\\xa0b\\x01\\x11!r\\x90p\\x94ziqdt\\x14\\x11\\xact \\x08j\\x17\\x04\\x05\\x12b=\\xbfs\\xa0\\xf8\\xfb~\\xfd=\\xbbg\\x93\\xb3gwfvvvfvf7\\x07]zf&\\x86zk\\x8d<\\x11$\\x10\\x11\\x92)\\x93e5\\xc0\\x18n\\xc1~!\\x04\\x87\\x08!\\xbc?\\x8e.dg\\x92q]\\x81`lbown}\\x9d\\xa4n{\\x8cbmnnge@]`\\xad\\xb5\\xad\\xa3\\x8d\\..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-fe96e335be787ce4e63be172fc00706d-1538487869693/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:37.675617 2018] [:error] [pid 1691]  [client 83.150.6.68] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-fe96e335be787ce4e63be172fc00706d-1538487869693/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:37.903271 2018] [:error] [pid 1691]  [client 83.150.6.68] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 25 - SQLI=0,XSS=0,RFI=0,LFI=25,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../); individual paranoia level scores: 25, 0, 0, 0"] [tag "event-correlation"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-fe96e335be787ce4e63be172fc00706d-1538487869693/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Thu Oct 04 08:47:06.845439 2018] [:error] [pid 4776] [client 178.197.228.90] ModSecurity: Warning. Invalid URL Encoding: Non-hexadecimal digits used at XML. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "444"] [id "920240"] [msg "URL Encoding Abuse Attack Attempt"] [data "/files/%video/%0001-12-30T00:34:08+00:34:08"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [hostname "sub.domain.com"] [uri "/remote.php/dav"] [unique_id "W7W3an8AAAEAABKotPgAAAAI"]
[Thu Oct 04 08:47:06.852653 2018] [:error] [pid 4776] [client 178.197.228.90] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "sub.domain.com"] [uri "/remote.php/dav"] [unique_id "W7W3an8AAAEAABKotPgAAAAI"]
[Thu Oct 04 14:36:40.003051 2018] [:error] [pid 6144] [client 188.61.52.3] ModSecurity: Warning. Matched phrase "..\\\\" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ..\\x5c found within REQUEST_BODY: \\x14ftypqt  qt  7kmoovlmvhd%u06f9\\xa4%u06f9\\xab\\x02X/\\xf5\\x01\\x01\\x01\\x01@\\x05\\x12\\x94trak\\x5ctkhd\\x0f%u06f9\\xa4%u06f9\\xab\\x01/\\xf5\\x01\\x01\\x01@$edts\\x1celst\\x01/\\xf5\\x01\\x12\\x0cmdia mdhd%u06f9\\xa4%u06f9\\xab\\xacD\\x0dU1hdlrmhlrsounappl\\x10Core Media Audio\\x11\\xb3minf\\x10smhd8hdlrdhlralisappl\\x17Core Media DataHandler$dinf\\x1cdref\\x01\\x0calis\\x01\\x11?stblstsd\\x01\\xbbmp4a\\x01\\x01\\x01\\x10\\xff\\xfe\\xacD\\x04\\x02\\x02\\x02,chand\\x01*[wave\\x0cfrmamp4a\\x0cmp4a3esds\\x0..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "sub.domain.com"] [uri "/public.php/webdav/IMG_5615.MOV"] [unique_id "W7YJQH8AAAEAABgAnmkAAAAT"]
[Thu Oct 04 14:36:42.989272 2018] [:error] [pid 6144] [client 188.61.52.3] ModSecurity: Warning. Matched phrase "..\\\\" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ..\\x5c found within REQUEST_BODY: \\x14ftypqt  qt  7kmoovlmvhd\\xf9\\xa4\\xf9\\xab\\x02X/\\xf5\\x01\\x01\\x01\\x01@\\x05\\x12\\x94trak\\x5ctkhd\\x0f\\xf9\\xa4\\xf9\\xab\\x01/\\xf5\\x01\\x01\\x01@$edts\\x1celst\\x01/\\xf5\\x01\\x12\\x0cmdia mdhd\\xf9\\xa4\\xf9\\xab\\xacD\\x0dU1hdlrmhlrsounappl\\x10Core Media Audio\\x11\\xb3minf\\x10smhd8hdlrdhlralisappl\\x17Core Media Data Handler$dinf\\x1cdref\\x01\\x0calis\\x01\\x11?stblstsd\\x01\\xbbmp4a\\x01\\x01\\x01\\x10\\xff\\xfe\\xacD\\x04\\x02\\x02\\x02,chand\\x01*[wave\\x0cfrmamp4a\\x0cmp4a3esds\\x03\\x80\\x80\\x8..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "sub.domain.com"] [uri "/public.php/webdav/IMG_5615.MOV"] [unique_id "W7YJQH8AAAEAABgAnmkAAAAT"]
[crit] Memory allocation failed, aborting process.

My temporary solution was to switch off the responseBodyAccess for those paths:

# Turn off requestBodyAccess (and responseBodyAccess) for Nextcloud uploads;
# the "." in remote.php/public.php is escaped so only those script names match.
SecRule REQUEST_URI "@rx ^/(remote|public)\.php/(web)?dav/.*$" \
  "id:10007,\
  phase:1,\
  nolog,\
  pass,\
  ctl:requestBodyAccess=off,\
  ctl:responseBodyAccess=off,\
  msg:'Disabling requestBodyAccess, responseBodyAccess'"


Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
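Added example, not from the report and not CRS or ModSecurity code: a short Python model of the trade-off behind the workaround above. It treats the two 930110 phrases `../` and `..\` as the body check, uses the report's URI pattern (with the dot in `remote.php` escaped) as the scope of `ctl:requestBodyAccess=off`, and computes how likely a random binary upload of a given size is to contain one of those phrases at all. The PE-like body, the URIs and the scoring constants are assumptions, not the real upload or the real engine.

```python
import math
import re

# Short traversal phrases standing in for what CRS rule 930110 looks for in
# REQUEST_BODY (".." followed by a forward or backward slash).
TRAVERSAL_PHRASES = (b"../", b"..\\")

# The workaround rule's path pattern, with the "." in "remote.php" escaped so
# that "/remoteXphp/dav/" does not slip into the exclusion.
DAV_UPLOAD_RE = re.compile(r"^/(remote|public)\.php/(web)?dav/")

# Constructed stand-in for the PE file in the report: an MZ header and a few
# stub bytes, one run of which spells "..\" (assumed, not the real file).
SAMPLE_BINARY_BODY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 48
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd!\xb8\x01L\xcd!"
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + b"\x0e\x1f..\\\xba"
    + b"PE\x00\x00L\x01\x04\x00"
)


def is_dav_upload_path(uri: str) -> bool:
    """True for the four Nextcloud DAV upload prefixes named in the report."""
    return DAV_UPLOAD_RE.match(uri) is not None


def evaluate(uri: str, body: bytes, scope_body_off_to_dav: bool) -> dict:
    """Toy model of phase-2 inspection, not ModSecurity itself.

    It reproduces one interaction only: a phrase match over REQUEST_URI and
    REQUEST_BODY, and a URI-scoped ctl:requestBodyAccess=off that removes the
    body (and nothing else) from inspection.
    """
    alerts = []
    # REQUEST_URI stays inspected whatever happens to body access.
    for phrase in TRAVERSAL_PHRASES:
        if phrase.decode("latin-1") in uri:
            alerts.append(("REQUEST_URI", phrase))
    body_inspected = not (scope_body_off_to_dav and is_dav_upload_path(uri))
    if body_inspected:
        for phrase in TRAVERSAL_PHRASES:
            if phrase in body:
                alerts.append(("REQUEST_BODY", phrase))
    # CRS defaults: a critical alert adds 5 and the inbound threshold is 5,
    # so one hit inside a multi-megabyte upload is enough to block it.
    return {"body_inspected": body_inspected, "alerts": alerts, "score": 5 * len(alerts)}


def p_random_body_alerts(n_bytes: int) -> float:
    """Probability that n uniformly random bytes contain "../" or "..\\".

    Each 3-byte window equals a given phrase with probability 2**-24; with two
    phrases and about n windows the number of hits is close to Poisson with
    mean 2*n/2**24, so P(at least one hit) = 1 - exp(-mean).
    """
    if n_bytes < 3:
        return 0.0
    mean_hits = 2 * (n_bytes - 2) / 2**24
    return 1 - math.exp(-mean_hits)


if __name__ == "__main__":
    for uri in ("/remote.php/dav/uploads/MYUSER/0", "/index.php/apps/files"):
        for scoped in (False, True):
            print(uri, "scoped" if scoped else "global", evaluate(uri, SAMPLE_BINARY_BODY, scoped))
    for mib in (1, 5, 50):
        print(f"{mib} MiB random upload: P(alert) = {p_random_body_alerts(mib * 2**20):.3f}")
```

Two things the model makes visible. The exclusion is wide: with body access off for those prefixes, no rule sees request bodies sent to the DAV endpoints, not only 930110, and `ctl:responseBodyAccess=off` additionally switches off the response-side rules for them; the narrower form of the same exclusion is `ctl:ruleRemoveTargetById=930110;REQUEST_BODY` under the same URI condition, which keeps the URI and headers checked and leaves the other body rules on. And `p_random_body_alerts` comes out near 0.46 for a 5 MiB upload and above 0.99 for 50 MiB, which is why a three-byte phrase list fires on binary uploads almost by default.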

CRS-migration-bot commented 4 years ago

User dune73 commented on date 2018-10-05 09:15:24:

Thank you for your submission deepwather.

Here is my summary of your Alerts:

1 request triggered an XML parser error. That's either a broken XML file you are uploading, or it's a ModSec / libxml bug.

The rest as follows:

      1 911100 Method is not allowed by policy
      1 920240 URL Encoding Abuse Attack Attempt
      1 930100 Path Traversal Attack (/../)
      7 930110 Path Traversal Attack (/../)

911100: Misconfiguration. You should allow the PUT method.

920240: Your XML refers to the following file: /files/%video/%0001-12-30T00:34:08+00:34:08 %video looks like a violation to me. If it is legit and standard nextcloud behaviour, which might very well be, we might have to look into it. But maybe it's just a crazy filename.

930100: Your payload is binary. That results in random data and rule alerts on short patterns like this. Maybe we need to disable critical rules like this. Other opinions welcome.

930110: Ditto
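The count-per-rule table in this reply is what you want out of the error log before deciding on exclusions. Added example, not from the thread and not CRS code: a Python triage script that parses the bracketed fields of Apache/ModSecurity 2.x error-log lines, keeps body-parser failures (rule 200002 from modsecurity.conf) and the scoring rules (949110, 980130) apart from actual detections, and reports counts and URIs per rule. The sample log is constructed from the alerts in the report, abridged, with client addresses replaced by RFC 5737 test addresses and the long upload path shortened.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the report's alerts, abridged to the fields needed for
# triage, with client addresses replaced by RFC 5737 test addresses.
SAMPLE_ERROR_LOG = r"""
[Tue Oct 02 12:35:50.015120 2018] [:error] [client 203.0.113.10] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "75"] [id "200002"] [msg "Failed to parse request body."] [data "XML parser error: XML: Failed parsing document."] [hostname "sub.domain.com"] [uri "/"] [unique_id "W7NKBn8AAAEAAE98RioAAAAF"]
[Tue Oct 02 14:47:55.317248 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Pattern match "(?i)(?:\\x5c|...)" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [hostname "sub.domain.com"] [uri "/remote.php/webdav/Weiteres/SOMEPATH/bootia.zip"] [unique_id "W7No38AAAEAAHa03uEAAAAJ"]
[Tue Oct 02 14:47:55.392567 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "sub.domain.com"] [uri "/remote.php/webdav/Weiteres/SOMEPATH/bootia.zip"] [unique_id "W7No38AAAEAAHa03uEAAAAJ"]
[Tue Oct 02 14:47:55.515764 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../); individual paranoia level scores: 5, 0, 0, 0"] [hostname "sub.domain.com"] [uri "/remote.php/webdav/Weiteres/SOMEPATH/bootia.zip"] [unique_id "W7No38AAAEAAHa03uEAAAAJ"]
[Tue Oct 02 14:48:16.760746 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [hostname "sub.domain.com"] [uri "/apps/files_texteditor/ajax/savefile"] [unique_id "W7NpEH8AAAEAAHaJOogAAAAI"]
[Tue Oct 02 15:44:32.791112 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Matched phrase "..\\" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-1/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:33.923658 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-1/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:34.711962 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-1/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:35.467231 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-1/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:36.342765 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-1/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Tue Oct 02 15:44:37.675617 2018] [:error] [client 203.0.113.10] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [hostname "sub.domain.com"] [uri "/remote.php/dav/uploads/MYUSER/web-file-upload-1/0"] [unique_id "W7N2Pn8AAAEAAAabU98AAAAK"]
[Thu Oct 04 08:47:06.845439 2018] [:error] [client 203.0.113.11] ModSecurity: Warning. Invalid URL Encoding: Non-hexadecimal digits used at XML. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "444"] [id "920240"] [msg "URL Encoding Abuse Attack Attempt"] [data "/files/%video/%0001-12-30T00:34:08+00:34:08"] [hostname "sub.domain.com"] [uri "/remote.php/dav"] [unique_id "W7W3an8AAAEAABKotPgAAAAI"]
[Thu Oct 04 08:47:06.852653 2018] [:error] [client 203.0.113.11] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [hostname "sub.domain.com"] [uri "/remote.php/dav"] [unique_id "W7W3an8AAAEAABKotPgAAAAI"]
[Thu Oct 04 14:36:40.003051 2018] [:error] [client 203.0.113.12] ModSecurity: Warning. Matched phrase "..\\" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [hostname "sub.domain.com"] [uri "/public.php/webdav/IMG_5615.MOV"] [unique_id "W7YJQH8AAAEAABgAnmkAAAAT"]
[Thu Oct 04 14:36:42.989272 2018] [:error] [client 203.0.113.12] ModSecurity: Warning. Matched phrase "..\\" at REQUEST_BODY. [file "/etc/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [hostname "sub.domain.com"] [uri "/public.php/webdav/IMG_5615.MOV"] [unique_id "W7YJQH8AAAEAABgAnmkAAAAT"]
"""

FIELD_RE = re.compile(r'\[(id|msg|uri|unique_id) "([^"]*)"\]')
# Rules that only sum up or report the anomaly score; they are not detections.
# Only the two ids seen in the report are listed; extend as needed.
SCORING_RULES = {"949110", "980130"}
# Rules from the recommended modsecurity.conf that fire when a body fails to parse.
PARSER_RULES = {"200002", "200003", "200004"}


def parse_alert(line: str):
    """Return the bracketed fields of one ModSecurity alert line, or None."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "id" in fields else None


def triage(log_text: str) -> dict:
    per_rule = Counter()           # (rule id, msg) -> number of alerts
    uris_by_rule = defaultdict(set)
    parser_errors, blocked = set(), set()   # transactions, by unique_id
    for line in log_text.splitlines():
        fields = parse_alert(line)
        if fields is None:
            continue
        rid, uid = fields["id"], fields.get("unique_id", "")
        if rid in PARSER_RULES:
            parser_errors.add(uid)
        elif rid in SCORING_RULES:
            if "Access denied" in line:
                blocked.add(uid)
        else:
            per_rule[(rid, fields.get("msg", ""))] += 1
            uris_by_rule[rid].add(fields.get("uri", ""))
    return {
        "per_rule": per_rule,
        "uris": {rid: sorted(u) for rid, u in uris_by_rule.items()},
        "parser_errors": len(parser_errors),
        "blocked": len(blocked),
    }


def summary_table(result: dict) -> str:
    """Same shape as the count-per-rule table in the comment above."""
    rows = [f"{n:7d} {rid} {msg}" for (rid, msg), n in sorted(result["per_rule"].items())]
    return "\n".join(rows)


if __name__ == "__main__":
    result = triage(SAMPLE_ERROR_LOG)
    print(f"{result['parser_errors']} request(s) failed body parsing, {result['blocked']} blocked")
    print(summary_table(result))
    for rid, uris in result["uris"].items():
        print(rid, "seen on", ", ".join(uris))
```

Run against a full error log, the URI list per rule is what tells you whether a false positive is confined to the DAV upload prefixes (so a path-scoped exclusion is enough) or shows up elsewhere too.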

CRS-migration-bot commented 4 years ago

User fzipi commented on date 2019-10-05 12:38:30:

dune73, do you think there is anything left to be done here?

CRS-migration-bot commented 4 years ago

User fzipi commented on date 2019-10-05 12:39:24:

deepwather We did not receive additional comments from you, so we will be closing this issue.

CRS-migration-bot commented 4 years ago

User dune73 commented on date 2019-10-05 12:43:19:

I did not follow this, so I can not really tell. The report came for 3.2, so I think it is still valid unless we really solved the 930100/10 FPs.

CRS-migration-bot commented 4 years ago

User g4laad commented on date 2020-01-22 10:59:49:

Good morning,

A colleague of mine and myself had the same issue as deepwather. We uploaded a simple text file with "../../../" in it. It directly triggered rule id "930100".

Message: Warning. Pattern match "(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_BODY. [file "/etc/httpd/modsecurity.d/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_BODY: ../../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client ] ModSecurity: Warning. Pattern match "(?i)(?:\\\\\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_BODY. [file "/etc/httpd/modsecurity.d/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within REQUEST_BODY: ../../../"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname ""] [uri "/remote.php/webdav/bob.txt"] [unique_id "XignrKpWDIEhZ5vg9SXWwAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client ] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname ""] [uri "/remote.php/webdav/bob.txt"] [unique_id "XignrKpWDIEhZ5vg9SXWwAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client ] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname ""] [uri "/remote.php/webdav/bob.txt"] [unique_id "XignrKpWDIEhZ5vg9SXWwAAAAM"]
Apache-Handler: proxy-server
Stopwatch: 1579689900014668 249880 (- - -)
Stopwatch2: 1579689900014668 249880; combined=3941, p1=868, p2=2456, p3=94, p4=279, p5=243, sr=125, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS)
Engine-Mode: "DETECTION_ONLY"

After adding deepwather's rule to the Nextcloud ruleset, everything worked like a charm!


DavidOsipov commented 4 years ago

Same here: ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/apache2/modsecurity.d/modsecurity.conf"] [line "53"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data "XML parsing error: XML: Failed parsing document."] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "******"] [uri "/remote.php/dav/files/********/"] [unique_id "159216500842.878630"] [ref "v1334,1"]

Exclusion rules for Nextcloud are on.


github-actions[bot] commented 4 years ago

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

azurit commented 3 years ago

Are you having problem also with newest Nextcloud exclusion rules package? https://raw.githubusercontent.com/coreruleset/coreruleset/v3.4/dev/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf

dune73 commented 3 years ago

@DavidOsipov, are you still interested in helping us to fix this issue? We lack some information and if we don't get it, we'll have to close this issue.

Magicrafter13 commented 3 years ago

Not sure if the same issue or not, but I cannot for the life of me get Nextcloud to load files/calendar/tasks/probably_more with CRS. /var/log/modsec_audit.log:

...

---ZBqaPVHS---B--
GET /nextcloud/apps/user_status/heartbeat HTTP/2.0
referer: my_domain/nextcloud/apps/user_status/heartbeat
content-type: application/json;charset=utf-8
origin: my_domain
dnt: 1
accept-encoding: gzip, deflate, br
content-length: 19
te: trailers
accept: application/json, text/plain, */*
sec-gpc: 1
host: my_domain

---ZBqaPVHS---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:content-length' (Value: `19' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content"] [data "19"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "redacted_lan_ip"] [uri "/nextcloud/apps/user_status/heartbeat"] [unique_id "in_reverse_order"] [ref "o0,3v0,3v508,2"]
ModSecurity: Access denied with code 200 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "redacted_lan_ip"] [uri "/nextcloud/apps/user_status/heartbeat"] [unique_id "can_you_tell_I_did_these"] [ref ""]

...

---MWqIrNr7---B--
GET /nextcloud/apps/user_status/heartbeat HTTP/2.0
referer: my_domain/nextcloud/apps/user_status/heartbeat
content-type: application/json;charset=utf-8
origin: my_domain
dnt: 1
accept-encoding: gzip, deflate, br
content-length: 19
te: trailers
accept: application/json, text/plain, */*
sec-gpc: 1
host: my_domain

---MWqIrNr7---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:content-length' (Value: `19' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content"] [data "19"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "redacted_lan_ip"] [uri "/nextcloud/apps/user_status/heartbeat"] [unique_id "did_I_really_copy_this_much_text"] [ref "o0,3v0,3v508,2"]
ModSecurity: Access denied with code 200 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "redacted_local_ip"] [uri "/nextcloud/apps/user_status/heartbeat"] [unique_id "it_never_ends"] [ref ""]

...

---jItMAN3H---B--
GET /nextcloud/apps/user_status/heartbeat HTTP/2.0
referer: my_domain/nextcloud/apps/user_status/heartbeat
content-type: application/json;charset=utf-8
origin: my_domain
dnt: 1
accept-encoding: gzip, deflate, br
content-length: 19
te: trailers
accept: application/json, text/plain, */*
sec-gpc: 1
host: my_domain

---jItMAN3H---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:content-length' (Value: `19' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content"] [data "19"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "redacted_lan_ip"] [uri "/nextcloud/apps/user_status/heartbeat"] [unique_id "really_sick_of_this"] [ref "o0,3v0,3v508,2"]
ModSecurity: Access denied with code 200 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "redacted_lan_ip"] [uri "/nextcloud/apps/user_status/heartbeat"] [unique_id "big_output"] [ref ""]

...

---Oy9Du1bT---B--
GET /nextcloud/apps/user_status/heartbeat HTTP/2.0
referer: my_domain/nextcloud/apps/user_status/heartbeat
content-type: application/json;charset=utf-8
origin: my_domain
dnt: 1
accept-encoding: gzip, deflate, br
content-length: 19
te: trailers
accept: application/json, text/plain, */*
sec-gpc: 1
host: my_domain

---Oy9Du1bT---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:content-length' (Value: `19' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content"] [data "19"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "redacted_lan_ip"] [uri "/nextcloud/apps/user_status/heartbeat"] [unique_id "getting_bored"] [ref "o0,3v0,3v508,2"]
ModSecurity: Access denied with code 200 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "redacted_lan_ip"] [uri "/nextcloud/apps/user_status/heartbeat"] [unique_id "just_in_case"] [ref ""]

...

---CR3awI0I---B--
GET /nextcloud/remote.php/dav/ HTTP/2.0
depth: 0
origin: my_domain
dnt: 1
x-nc-caldav-webcal-caching: On
referer: my_domain/nextcloud/remote.php/dav/
content-type: application/xml; charset=utf-8
x-requested-with: XMLHttpRequest
te: trailers
accept: */*
sec-gpc: 1
host: my_domain
content-length: 90

---CR3awI0I---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:content-length' (Value: `90' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content"] [data "90"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "redacted_lan_ip"] [uri "/nextcloud/remote.php/dav/"] [unique_id "um_what"] [ref "o0,3v0,3v529,2"]
ModSecurity: Access denied with code 200 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "redacted_lan_ip"] [uri "/nextcloud/remote.php/dav/"] [unique_id "numbers_go_here"] [ref ""]

...

And just for convenience, I'll list the rule IDs from each line here:

This probably isn't as important, but here are the REQUEST-*.conf rules I include:

901, 903.9003, 905, 910-912, 920, 921, 930-933, 941-943, 949, 950-954, 959, 980

And finally, I have these lines in my crs-setup.conf:

# setvar is an action, so it goes inside the action list (the third argument)
SecRule REQUEST_URI "@beginsWith /nextcloud/" \
  "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1"

fzipi commented 3 years ago

@Magicrafter13 All those requests are GET, but they include some payload which is not what you want. You need to use POST/PUT/PATCH .. practically anything but GET/HEAD for that.

Maybe you can add the C part of logging to see what is going on. You can add it globally with

# Log everything we know about a transaction.
SecAuditLogParts ABCIJDEFHZ

Or locally, for example by editing that rule and adding +C:

SecRule REQUEST_URI "@beginsWith /nextcloud/" \
  "id:900130,\
  phase:1,\
  nolog,\
  ctl:auditLogParts=+C,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1"

But in the end, I think this might be another bug in nextcloud...
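The diagnosis in this reply (GET requests carrying a body) can be checked mechanically across a whole audit log rather than by reading each transaction. Added example, not from the thread and not CRS or ModSecurity code: a Python parser for the libmodsecurity serial audit-log format shown above (the `---id---X--` part markers), which collects the request line, headers and rule ids per transaction and then lists the transactions that meet the 920170 condition, GET or HEAD with a Content-Length not matching `^0?$`. The sample log is constructed from the posted headers and alerts with made-up transaction ids, plus a PROPFIND for contrast, since that is what a DAV request with an XML body normally looks like.

```python
import re

PART_RE = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$", re.M)
ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
# The pattern rule 920170 applies to Content-Length on GET/HEAD requests.
EMPTY_LENGTH_RE = re.compile(r"^0?$")

# Constructed sample: headers and alerts from the comment above, abridged,
# with invented transaction ids and a PROPFIND transaction for contrast.
SAMPLE_AUDIT_LOG = """\
---ZBqaPVHS---B--
GET /nextcloud/apps/user_status/heartbeat HTTP/2.0
content-type: application/json;charset=utf-8
content-length: 19
accept: application/json, text/plain, */*
host: my_domain

---ZBqaPVHS---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:content-length' (Value: `19' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [msg "GET or HEAD Request with Body Content"] [data "19"] [uri "/nextcloud/apps/user_status/heartbeat"]
ModSecurity: Access denied with code 200 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [uri "/nextcloud/apps/user_status/heartbeat"]

---ZBqaPVHS---Z--

---CR3awI0I---B--
GET /nextcloud/remote.php/dav/ HTTP/2.0
depth: 0
content-type: application/xml; charset=utf-8
content-length: 90
host: my_domain

---CR3awI0I---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:content-length' (Value: `90' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [msg "GET or HEAD Request with Body Content"] [data "90"] [uri "/nextcloud/remote.php/dav/"]

---CR3awI0I---Z--

---Ok1Ok1Ok---B--
PROPFIND /nextcloud/remote.php/dav/ HTTP/2.0
depth: 0
content-type: application/xml; charset=utf-8
content-length: 90
host: my_domain

---Ok1Ok1Ok---H--

---Ok1Ok1Ok---Z--
"""


def parse_audit_log(text: str) -> dict:
    """Split a libmodsecurity serial audit log into transactions keyed by id.

    Every part is kept raw under "parts"; B (request line and headers) and
    H (engine messages) are additionally decoded.
    """
    txs = {}
    markers = list(PART_RE.finditer(text))
    for i, m in enumerate(markers):
        tx_id, part = m.group(1), m.group(2)
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        body = text[m.end():end].strip("\n")
        tx = txs.setdefault(tx_id, {"method": None, "uri": None, "headers": {}, "rules": [], "parts": {}})
        tx["parts"][part] = body
        if part == "B" and body:
            request_line, *header_lines = body.splitlines()
            tx["method"], tx["uri"] = request_line.split()[:2]
            for header in header_lines:
                name, sep, value = header.partition(":")
                if sep:
                    tx["headers"][name.strip().lower()] = value.strip()
        elif part == "H":
            for line in body.splitlines():
                rid, msg = ID_RE.search(line), MSG_RE.search(line)
                if rid:
                    tx["rules"].append((rid.group(1), msg.group(1) if msg else ""))
    return txs


def get_with_body(txs: dict) -> list:
    """Transactions 920170 would flag: GET/HEAD with a non-empty Content-Length."""
    flagged = []
    for tx_id, tx in txs.items():
        length = tx["headers"].get("content-length", "")
        if tx["method"] in ("GET", "HEAD") and not EMPTY_LENGTH_RE.match(length):
            flagged.append((tx_id, tx["method"], tx["uri"], length))
    return flagged


if __name__ == "__main__":
    for tx_id, method, uri, length in get_with_body(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{tx_id}: {method} {uri} with Content-Length {length}")
```

With part C enabled as suggested above, `tx["parts"]["C"]` holds the request body of each flagged transaction, which is what you need to see before deciding whether the client is misbehaving or a rule exclusion for that endpoint is warranted.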

dune73 commented 3 years ago

We talked about this in the April issue chat. Here is our conclusion:

This issue is probably depending on a Nextcloud bug. We are adding this to the general project to rewrite the entire Nextcloud rule exclusion set discussed here.