coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

FP nextcloud office (collabora online) #54

Closed gbeliako closed 7 months ago

gbeliako commented 7 months ago

Hello: Saving an NC Office document using the web interface of Collabora Online gives the error 'cannot save due to invalid or out-of-date token'.

nginx log: 2024/02/14 18:03:41 [error] 81112#81112: *1375 [client myip] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/lib/nginx/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "myip"] [uri "//index.php/apps/richdocuments/wopi/files/15631_ocw9mgv9cv3x/contents"] [unique_id "170somenumber"] [ref ""], client: myip, server: myserver, request: "POST //index.php/apps/richdocuments/wopi/files/numbers_characters/contents?access_token=accesstoken&access_token_ttl=0&permission=edit HTTP/1.1", host: "myserver"

Thanks

EsadCetiner commented 7 months ago

@gbeliako Nextcloud Office currently isn't supported by the Nextcloud Plugin; I'm working on a PR to add support for Nextcloud Office. I'll let you know when it's ready. As for the logs, can you provide the logs from modsec_audit.log? The log line you've provided is an anomaly scoring rule (949110): other rules in CRS will add points to a request, and once it exceeds a certain threshold (5 by default), the request is blocked.

gbeliako commented 7 months ago

The relevant lines, I think, from the audit log:

---xyB3OzCe---F--
HTTP/2.0 403
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-=';script-src-elem 'strict-dynamic' 'nonce-=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org https://collabora.myserver;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self' nc: https://collabora.myserver;frame-ancestors 'self' https://collabora.myserver;worker-src 'self';form-action 'self' https://collabora.myserver
Set-Cookie: cookie; path=/; secure; HttpOnly; SameSite=Lax
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Pragma: no-cache
Connection: close
Content-Encoding: gzip
X-Request-Id: ID
Server: nginx
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 12816
Date: Thu, 15 Feb 2024 09:57:50 GMT
Feature-Policy: autoplay 'self';camera 'none';fullscreen 'self' https://collabora.myserver;geolocation 'none';microphone 'none';payment 'none'
X-Robots-Tag: noindex, nofollow
X-Robots-Tag: noindex, nofollow
X-Frame-Options: SAMEORIGIN
Permissions-Policy: interest-cohort=()
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen

---xyB3OzCe---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<\?(?:=|php)?\s+' against variable `RESPONSE_BODY' (Value: `x14\xb4{b\xa2;\xba\F\xc2 (37229 characters omitted)' ) [file "/usr/lib/nginx/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "77"] [id "953120"] [rev ""] [msg "PHP source code leakage"] [data "Matched Data: <?\x0a found within RESPONSE_BODY"] [severity "3"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/118/116"] [tag "PCI/6.5.6"] [hostname "myip"] [uri "/apps/files/"] [unique_id "1061.05"] [ref "2816"]
ModSecurity: Access denied with code 403 (phase 4). Matched "Operator `Ge' with parameter `4' against variable `TX:BLOCKING_OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/usr/lib/nginx/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "186"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "myip"] [uri "/apps/files/"] [unique_id "305"] [ref ""]

---xyB3OzCe---I--

---xyB3OzCe---J--

---xyB3OzCe---Z--
---pvbW7nVU---A--
[15/Feb/2024:20:58:36 +1100] 170 myip 44541 myip 443
---pvbW7nVU---B--
POST //index.php/apps/richdocuments/wopi/files/15631_ocw9mgv9cv3x/contents?access_token=token&access_token_ttl=0 HTTP/1.1
X-LOOL-WOPI-IsAutosave: false
Content-Length: 94498
X-LOOL-WOPI-IsModifiedByUser: true
User-Agent: COOLWSD HTTP Agent 23.05.8.4
X-COOL-WOPI-IsAutosave: false
X-COOL-WOPI-IsModifiedByUser: true
X-COOL-WOPI-ServerId: dd34
X-WOPI-Override: PUT
X-WOPI-ProofOld: value
X-WOPI-Proof: value
X-WOPI-TimeStamp: 6743329
X-LOOL-WOPI-Timestamp: 2024-02-14T13:78:21.000000Z
Authorization: Bearer eDrwj
X-COOL-WOPI-IsExitSave: false
Content-Type: application/octet-stream
X-LOOL-WOPI-IsExitSave: false
X-COOL-WOPI-Timestamp: 2024-02-14T13:28:21.000000Z
Host: myserver
Date: Thu, 15 Feb 2024 09:58:36

---pvbW7nVU---D--

---pvbW7nVU---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a

---pvbW7nVU---F--
HTTP/1.1 403
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: noindex, nofollow
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Permitted-Cross-Domain-Policies: none
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: text/html
X-Download-Options: noopen
Content-Length: 146
Date: Thu, 15 Feb 2024 09:58:36 GMT
Server: nginx
X-XSS-Protection: 1; mode=block

---pvbW7nVU---H--
ModSecurity: Warning. Matched "Operator `Within' with parameter `|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudev (16 characters omitted)' against variable `TX:content_type' (Value: `|application/octet-stream|' ) [file "/usr/lib/nginx/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "993"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "|application/octet-stream|"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "myip"] [uri "//index.php/apps/richdocuments/wopi/files/15631_ocw9mgv9cv3x/contents"] [unique_id "1436"] [ref "o0,24v1697,24t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/lib/nginx/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "myip"] [uri "//index.php/apps/richdocuments/wopi/files/15631_ocw9mgv9cv3x/contents"] [unique_id "170799111692.461436"] [ref ""]

Thanks
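The anomaly scoring that EsadCetiner describes above can be reproduced from the audit log H-section alone. The following is an added example (not code from the issue, the plugin or CRS) that parses the `[id]`, `[msg]` and `[severity]` fields of each rule message, maps severity to the default CRS point values, and checks the inbound (5) and outbound (4) thresholds that the 949110 and 959100 lines above report. The sample log lines are constructed from the ones in this thread, shortened.

```python
import re

# Default CRS anomaly points per rule severity (crs-setup.conf):
# 2 = CRITICAL -> 5, 3 = ERROR -> 4, 4 = WARNING -> 3, 5 = NOTICE -> 2.
SEVERITY_POINTS = {2: 5, 3: 4, 4: 3, 5: 2}
INBOUND_THRESHOLD = 5    # tx.inbound_anomaly_score_threshold default
OUTBOUND_THRESHOLD = 4   # tx.outbound_anomaly_score_threshold default
OUTBOUND_RULE_IDS = range(950000, 960000)  # RESPONSE-9xx rule files

RULE_RE = re.compile(r'\[id "(\d+)"\].*?\[msg "([^"]*)"\].*?\[severity "(\d+)"\]')

def parse_matches(log_text):
    """Return (rule_id, msg, severity) for each rule hit in the log.
    Blocking-evaluation rules (949110/959100) carry severity 0 and add no
    points of their own, so they are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m and int(m.group(3)) != 0:
            hits.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return hits

def anomaly_scores(hits):
    """Sum points into the inbound (request) and outbound (response) buckets."""
    inbound = outbound = 0
    for rule_id, _msg, severity in hits:
        points = SEVERITY_POINTS.get(severity, 0)
        if rule_id in OUTBOUND_RULE_IDS:
            outbound += points
        else:
            inbound += points
    return inbound, outbound

def blocking_decision(log_text):
    """Reproduce what 949110 / 959100 decide for this transaction."""
    inbound, outbound = anomaly_scores(parse_matches(log_text))
    return {"inbound": inbound, "outbound": outbound,
            "block_inbound": inbound >= INBOUND_THRESHOLD,
            "block_outbound": outbound >= OUTBOUND_THRESHOLD}

# Constructed sample: the scoring lines from the issue's audit log, shortened.
SAMPLE_LOG = """\
ModSecurity: Warning. Matched ... [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "|application/octet-stream|"] [severity "2"]
ModSecurity: Warning. Matched ... [file "RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [id "953120"] [rev ""] [msg "PHP source code leakage"] [data "Matched Data: <? found within RESPONSE_BODY"] [severity "3"]
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "0"]
"""

if __name__ == "__main__":
    print(blocking_decision(SAMPLE_LOG))
```

A single CRITICAL hit (920420, 5 points) is enough to reach the default inbound threshold on its own, which is why one content-type match blocked the WOPI PUT; the ERROR-level 953120 hit (4 points) likewise reaches the outbound threshold by itself.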

EsadCetiner commented 7 months ago

@gbeliako Thank you, a PR is now available here: https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/pull/56

For rule 953120, it looks like ModSecurity isn't able to decompress the response body. Are you running ModSecurity on a reverse proxy?

gbeliako commented 6 months ago

Thanks for the help. Correct, it's on an nginx reverse proxy.

EsadCetiner commented 6 months ago

@gbeliako That confirms my suspicion, thank you. The false positive with rule 953120 isn't specific to Nextcloud; it's caused by ModSecurity not being able to decode the response body, resulting in ModSecurity inspecting the encoded response body (which the rules weren't designed to inspect). My suggestion is to either delete the response body rules (or disable them), use a plugin to decode the response body, or install ModSecurity directly on Nextcloud itself so ModSecurity can correctly inspect the response body.

RedXanadu commented 6 months ago

If you need to inspect response data then the responses should not be compressed. There are directives in ModSecurity to assist in forcing backend applications to not compress responses. If you still need or want compression then this can be done in front of ModSecurity.

If you don't need to inspect response data then no need to worry.