coreruleset / phpmyadmin-rule-exclusions-plugin

Rule exclusion plugin for phpMyAdmin.
Apache License 2.0

Error in processing request: 403 #19

Open Arien02 opened 5 hours ago

Arien02 commented 5 hours ago

Hi! I've found an error when trying to browse search results with phpMyAdmin:

[Screenshot: error_403]

phpMyAdmin version: 5.2.1
phpmyadmin-rule-exclusions-plugin: 1.0.0

Modsec audit:

```
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\" (7602 characters omitted)' against variable `ARGS:sql_query' (Value: `SELECT *  FROM `c1adolfodb`.`wp_options` WHERE (CONVERT(`option_id` USING utf8) LIKE '%http://%' OR  (157 characters omitted)' ) [file "/etc/nginx/modsec_v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "855"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ` WHERE found within ARGS:sql_query: SELECT *  FROM `c1adolfodb`.`wp_options` WHERE (CONVERT(`option_id` USING utf8) LIKE '%http://%' OR CONVERT(`option_name` USING utf8) LIKE '%http://% (108 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.7.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "xxx.xxx.xxx.xxx"] [uri "/phpmyadmin/index.php"] [unique_id "172932874158.530073"] [ref "o39,7v1025,257"]
```

Do you have any suggestions? Thank you!

azurit commented 3 hours ago

@Arien02 Hi, can you provide me with a full audit message? I need to see the value of a route parameter.

Arien02 commented 3 hours ago

I think this is all the message for this event:

```
---cwTl5am9---A-- [19/Oct/2024:11:12:00 +0200] 172932912051.582156 xxx.xxx.xxx.xxx 1298 yyy.yyy.yyy.yyy 8081 ---cwTl5am9---B-- POST /phpmyadmin/index.php?route=/sql&db=c1defensamedb&table=wp_options&goto=index.php%3Froute%3D%2Fdatabase%2Fsql&pos=0&is_js_confirmed=0 HTTP/2.0 sec-gpc: 1 user-agent: Mozilla/5.0 (Windows NT 10.0; rv:131.0) Gecko/20100101 Firefox/131.0 sec-fetch-site: same-origin origin: https://xxxx.yyyyyyyyyyy.com:8081 dnt: 1 x-requested-with: XMLHttpRequest authorization: Basic YWRtaW5fcG1hOjhqJkh0Nnk1 content-type: application/x-www-form-urlencoded; charset=UTF-8 accept-encoding: gzip, deflate, br, zstd cookie: pma_lang_https=en; phpMyAdmin_https=baj2a3ita7v9gndqfq9u9o24ov; pmaUser-1_https=Fqf7Z4xEZ8%2Fr%2B4%2BLVw0Q8KBPhMkQ3qERNMjEVemxZYikUoJyzx1z7eQp2Oc%3D; pmaAuth-1_https=VsATXhEN%2BDxiepA2g8uW1zYZ4wOsI75eHZDGlTTpKO9IbPVEjDKU%2BLOmuhAGdPrxq%2BdWAbPBWB8bjUHgY0%2F8JRfe%2FSM%3D; ISPCSESS=a297k9npto2s0vq9bs6leofk6m content-length: 441 priority: u=0 accept-language: en-US,en;q=0.5 te: trailers accept: / host: xxxxx.yyyyyyyyyyy.com:8081 sec-fetch-dest: empty sec-fetch-mode: cors

---cwTl5am9---D--

---cwTl5am9---E--

\x0d\x0a403 Forbidden\x0d\x0a\x0d\x0a

403 Forbidden

\x0d\x0a
nginx
\x0d\x0a\x0d\x0a\x0d\x0a ---cwTl5am9---F-- HTTP/2.0 403 x-application-version: x-page-speed: x-powered-by: Connection: close X-XSS-Protection: 0 x-varnish: Content-Type: text/html Content-Length: 146 Date: Sat, 19 Oct 2024 09:12:00 GMT Server: Server: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Referrer-Policy: strict-origin-when-cross-origin Referrer-Policy: strict-origin-when-cross-origin X-Permitted-Cross-Domain-Policies: none ---cwTl5am9---H-- ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `(?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\" (7602 characters omitted)' against variable `ARGS:sql_query' (Value: `SELECT * FROM `c1defensamedb`.`wp_options` WHERE (CONVERT(`option_id` USING utf8) LIKE '%http://%' (160 characters omitted)' ) [file "/etc/nginx/modsec_v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "855"] [id "932380"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ` WHERE found within ARGS:sql_query: SELECT * FROM `c1defensamedb`.`wp_options` WHERE (CONVERT(`option_id` USING utf8) LIKE '%http://%' OR CONVERT(`option_name` USING utf8) LIKE '%http: (111 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.7.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "yyy.yyy.yyy.yyy"] [uri "/phpmyadmin/index.php"] [unique_id "172932912051.582156"] [ref "o42,7v1038,260"] ---cwTl5am9---I-- ---cwTl5am9---J-- ---cwTl5am9---Z--
```

azurit commented 3 hours ago

The H section is completely messed up and useless. Please don't edit it except censoring sensitive data.

Arien02 commented 2 hours ago

Sorry! Updated with the right copy & paste result.
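For reference, the two audit logs above together contain everything a rule exclusion needs: the hit is CRS rule 932380 (Windows command injection, matched data "` WHERE", i.e. the backtick-quoted identifiers in the SQL) on the single variable ARGS:sql_query, and the B section shows the request went to `/phpmyadmin/index.php?route=/sql`. The following is an added illustration of the narrowest exclusion that covers that, written in ModSecurity rule syntax; it is not the plugin's own rule, the rule id 9908001 is a placeholder, and the `@endsWith /index.php` path test is an assumption for this example.

```apache
# Added example, not a rule from phpmyadmin-rule-exclusions-plugin.
# Scope: only phpMyAdmin's SQL route, only rule 932380, only the
# sql_query argument. Every other rule still inspects sql_query, and
# 932380 still inspects every other argument of the same request.
#
# Must be loaded before the CRS rules (a "-before.conf" file), because
# ctl: actions only affect rules evaluated after this one. Phase 1 is
# enough: route= lives in the query string, so ARGS_GET is already
# populated, and 932380 itself runs in phase 2.
#
# id 9908001 is a placeholder; use the id range reserved for the plugin.
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:9908001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS_GET:route "@streq /sql" \
        "t:none,\
        ctl:ruleRemoveTargetById=932380;ARGS:sql_query"
```

To confirm the exclusion applies, replay a request with `route=/sql` and an arbitrary query body containing backtick-quoted identifiers and check that no 932380 entry appears in the audit log, then replay the same body with a different `route=` value and check that the rule still fires; if the first replay is still blocked, the file is usually loaded after the CRS rules rather than before them.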