fix: avatars and plain text files FPs

[Xhoenix]

• Avatars not loading in Nextcloud Desktop
• Cannot open plain text files in File Manager

[Xhoenix]

[Sat Mar 18 16:18:33.054585 2023] [:error] [pid 930822] [client 103.80.153.69:48448] [client 103.80.153.69] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "44"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "cloud.jitendrapatro.me"] [uri "/remote.php/dav/avatars/nextcloud_admin/128.png"] [unique_id "ZBWXAU9u_4dFYolXPZWzEwAAAAQ"]

@azurit Can you tell why it's blocking GET requests?

[Xhoenix]

[Sat Mar 18 18:05:29.133684 2023] [:error] [pid 28699] [client 127.0.0.1:44248] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "44"] [id "911100"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "localhost"] [uri "/remote.php/dav/files/admin/Reasons%20to%20use%20Nextcloud.pdf"] [unique_id "ZBWwET994qkaDTbG_z5M2AAAAAE"]

This one is also the same. Can't open a pdf file.

[theseion]

This is because of the loading order. See #2. Moving the rules to phase 2 was the quick fix but that was obviously a mistake. You can work around the issue manually for now by following the suggestion in this comment: https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/issues/2#issuecomment-1304574373.

[azurit]

@GenialHacker What exactly you want to achieve with this exclusion rule?

[Xhoenix]

Open any file that contains text in them, from inside the file manager.

[azurit]

But you are matching Content-Type header in the request, not in response.

[azurit]

Sorry i don't understand what you are trying to do, you need to be more specific in the PR description. Also provide related log record. Thank you.

[Xhoenix]

@azurit, are you testing my knowledge? ;)

Content-Type header can be used both in request and response. Anyways, here is the log

[Tue Mar 21 00:50:02.304967 2023] [:error] [pid 13419] [client 127.0.0.1:36456] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "984"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|text/plain|"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "localhost"] [uri "/remote.php/dav/files/admin/Readme.md"] [unique_id "ZBix4mufShzizoAUToFEPwAAAAM"]

[Xhoenix]

Another similar FP while accessing sidebar comments section

[Tue Mar 21 18:02:33.775542 2023] [:error] [pid 10950] [client 127.0.0.1:56358] [client 127.0.0.1] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "984"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|text/plain|"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "localhost"] [uri "/remote.php/dav/comments/files/37"] [unique_id "ZBmj4R37ORKZjMPHfdGv9wAAAAw"]

[Xhoenix]

Two more FPs   First when trying to access shares:-   [Tue Mar 21 20:08:32.933165 2023] [:error] [pid 84006] [client 127.0.0.1:39176] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)(?:^|=)[\\\\s\\\\v]*(?:t[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| &&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?i[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?m[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[ ..." at ARGS_NAMES:shared_with_me. [file "/etc/modsecurity/coreruleset/rules/REQUEST-932- APPLICATION-ATTACK-RCE.conf"] [line "454"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: sh found within ARGS_NAMES:shared_with_me: shared_with_me"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/ocs/v2.php/apps/files_sharing/api/v1/shares"] [unique_id "ZBnBaIuP46e4C-fX7gSDlgAAAAQ"]

  Second when trying to create a share:-   [Tue Mar 21 20:08:49.103324 2023] [:error] [pid 84024] [client 127.0.0.1:48878] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)(?:^|=)[\\\\s\\\\v]*(?:t[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?i[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?-@_a-\\\\{]*)?\\\\x5c?m[\\"'\\\\)\\\\[-\\\\x5c]*(?:(?:(?:\\\\|\\\\| |&&)[\\\\s\\\\v]*)?\\\\$[ ..." at ARGS_NAMES:shareType. [file "/etc/modsecurity/coreruleset/rules/REQUEST-932- APPLICATION-ATTACK-RCE.conf"] [line "454"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: sh found within ARGS_NAMES:shareType: shareType"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/ocs/v2.php/apps/files_sharing/api/v1/shares"] [unique_id "ZBnBeayMuETcCwNBO4PTKAAAAAg"]

[theseion]

Thanks @GenialHacker, I've opened a separate issue for those false positives, as they look too common for paranoia level 1.

[Xhoenix]

Today, I tried to upload the source code of some apps I maintain to my Nextcloud server via "Nextcloud Desktop" but not a single file was uploaded. I checked my logs and there were 18 new FPs. At this point, I've decided to stop this rule exclusion writing stuff. Things were not so bad in the CRS 3.3 release line.

Is there anyway I can run Nextcloud on PL 1, while running WordPress and other webapps on PL 2 on the same Apache installation? I looked through the documentation and couldn't find any appropriate solution.

[Xhoenix]

@azurit, will setting this rule in initialization force my NextCloud installation to run on PL 1?

SecRule REQUEST_URI_RAW "beginsWith https://cloud.myname.me" \
    "id:999999,\
    phase:1,\
    pass,\
    nolog,\
    ver:'OWASP_CRS/4.0.0-rc1',\
    setvar:'tx.blocking_paranoia_level=1'"

If yes, then will there be any downside to this? I know it is not recommended to edit the initialization file, but I can't think of another way.

[azurit]

@GenialHacker What do you mean by setting this rule in initialization?

[Xhoenix]

Did you the read comment just before that?

I meant in REQUEST-901-INITIALIZATION.conf

[azurit]

Did you the read comment just before that?

Sorry, no. :)

Yes, you can do what you want and run every site on different PL level but you need to make some modifications. There are multiple ways how to do this, i'm doing it like this:

1. I added one include into beginning of file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: IncludeOptional /path/custom_user_settings.conf
2. In that included file i'm doing this:

   <IfModule security2_module>
   SecRule SERVER_NAME "@streq example.com" "phase:1,id:1,nolog,pass,setvar:tx.paranoia_level=1"
   SecRule SERVER_NAME "@streq example2.com" "phase:1,id:2,nolog,pass,setvar:tx.paranoia_level=2"
   SecRule SERVER_NAME "@streq example3.com" "phase:1,id:3,nolog,pass,setvar:tx.paranoia_level=3"
   </IfModule>

[Xhoenix]

1. I added one include into beginning of file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: IncludeOptional /path/custom_user_settings.conf

Btw, this isn't mentioned in the documentation. Looks like its your own hack.

[Xhoenix]

Nope, your solution doesn't works. Are you sure it works for you?

Trying to upload a single yaml file results in the following SecAction. Take a look at the Anomaly scores. :)

[Thu Mar 23 02:06:15.819624 2023] [:error] [pid 1308753] [client 155.133.70.170:31034] [client 155.133.70.170] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980- CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=149, detection=149, per_pl=55-94-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=89, XSS=0, RFI=0, LFI=0, RCE=50, PHPI=0, HTTP=5, SESS=0, COMBINED_SCORE=149)"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "reporting"] [hostname "cloud.jitendrapatro.me"] [uri "/index.php"] [unique_id "ZBtmv2q12NkKoOC41wnRuwAAAAw"]

I'm telling you man, NextCloud with CRS 4.0 is a mess. A scoring of 55 at PL 1 is a real pain.

[Xhoenix]

Btw, IncludeOptionalis an Apache configuration directive. Why the hell would it work inside a CRS configuration file?

[azurit]

Btw, IncludeOptionalis an Apache configuration directive. Why the hell would it work inside a CRS configuration file?

My solution is for Apache only.

[Xhoenix]

Are you testing me again, @azurit ? Looks suspiciously like you are. ;)

[Xhoenix]

Sorry if I offend. But once I become suspicious of someone, my brain cannot trust them completely again.

[Xhoenix]

Hey guys, I changed username from GenialHacker to Xhoenix.

[theseion]

@Xhoenix, @azurit is just short on time. Believe me, he knows what he's doing, he's a hoster :).

[Xhoenix]

@theseion I know that. People with 20+ years in InfoSec are very rare. I think he is trying to test me because I want to be a CRS member.

Btw, @theseion why aren't you a CRS member? You contribute a lot to this project.

[theseion]

I am a member ;)

[Xhoenix]

I only asked because you don't have the member tag. :)

Btw, did you say @azurit is a "hoster" as in "hosting provider"? That means he must be very busy. I didn't knew that. :(

[azurit]

@Xhoenix I'm not testing you, it's how i'm using it.

[Xhoenix]

No offense @azurit , if you can provide a link to an official Apache or Modsecurity or CRS documentation explaining what you did, then I'll believe you. Until then, let's not discuss this further.

[theseion]

I only asked because you don't have the member tag. :)

Weird. It's visible to me. 🤷

Btw, did you say @azurit is a "hoster" as in "hosting provider"?

Yes, precisely.

[azurit]

No offense @azurit , if you can provide a link to an official Apache or Modsecurity or CRS documentation explaining what you did, then I'll believe you. Until then, let's not discuss this further.

You asked me for a solution for presented problem and i provided you with one. It's up to you if you will use it or develop your own.

[Xhoenix]

Thanks for taking the time @azurit. I used my own solution, i.e, fix all FPs and stick with Paranoia Level 2. 🙂

[Xhoenix]

I'll submit more FPs at PL 1 once this PR gets sorted out.

[theseion]

Great stuff! Thanks for reporting everything!

[azurit]

I think this change should be part of the rule 9508110, there is no need to create a new rule.

[azurit]

@Xhoenix Do you consider it as something dangerous?

[azurit]

But, we're supposed to restrict things as much as possible without causing false positives. Is there any problem with adding another rule? I don't see any, but you're the expert here and I'll do what you suggest.

It is adding more complexity and latency (especially with @rx). In case you see a point in not allowing text/vcard for /remote.php/dav/comments endpoint, i suggest this:

• add |text/plain| to 9508110
• modify your rule 9508123 like this: SecRule REQUEST_FILENAME "@contains /remote.php/dav/comments" \

[Xhoenix]

See, no more @rx

[azurit]

@fzipi Something is wrong with FTW, can you be so kind and look at it? Thank you.

[theseion]

@azurit The branch needs to be rebased, that will solve the test / lint issues. @Xhoenix can you please rebase?

[Xhoenix]

@theseion can you force the merge?

[azurit]

Merged, thank you!