coreruleset / phpmyadmin-rule-exclusions-plugin

Rule exclusion plugin for phpMyAdmin.
Apache License 2.0
1 star, 5 forks

Adding support for PMA 5.1 and up #5

Closed azurit closed 10 months ago

azurit commented 2 years ago

Changes in this PR:

azurit commented 2 years ago

Any reviewers / testers?

azurit commented 2 years ago

@williamdes Currently no, have you encountered any problems with those endpoints while using CRS? False positives or so.

WaleedMortaja commented 2 years ago

> Any reviewers / testers?

I have not heavy-tested it, however, the basic usage of PMA does not give false positives anymore. Thank you!

azurit commented 2 years ago

@WaleedMortaja Thank you very much! Which version of PMA are you using?

WaleedMortaja commented 2 years ago

@azurit PMA 5.2.0

WaleedMortaja commented 2 years ago

@azurit I was testing some configs and decided to try PMA setup feature. I found some false positives on the setup "export" page with URL /setup/index.php?page=form&formset=Export. The same for "import" and "Main Panel" pages. Just clicking the "Apply" button in these pages gives the false positive.

azurit commented 2 years ago

@WaleedMortaja Can you, please, upload logs from ModSecurity?

azurit commented 2 years ago

@WaleedMortaja Can you try current version? Thank you.

azurit commented 2 years ago

@williamdes As you wished, now we have few rules also for /setup/ folder. :)

azurit commented 2 years ago

Old URL format can be considered as tested.

WaleedMortaja commented 2 years ago

> @WaleedMortaja Can you try current version? Thank you.

@azurit It still has false positives. I tried the setup's "export" page only, and got this log. Note: some of the log is truncated or replaced with placeholders indicated by ##. Please inform me if there is a better way to provide the log. For now, here is the log for "export":

--##PLACEHOLDER##-C--
##truncated##&Export-csv_separator=%2C&Export-csv_separator-userprefs-allow=on&Export-csv_enclosed=%22&Export-csv_enclosed-userprefs-allow=on&Export-csv_escaped=%22&Export-csv_escaped-userprefs-allow=on&Export-csv_terminated=AUTO&Export-csv_terminated-userprefs-allow=on&Export-csv_null=NULL&Export-csv_null-userprefs-allow=on&Export-csv_removeCRLF-userprefs-allow=on&Export-csv_columns-userprefs-allow=on&##truncated##
--##PLACEHOLDER##-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--##PLACEHOLDER##-E--

--##PLACEHOLDER##-H--
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_separator: export-csv_separator"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_separator-userprefs-allow: export-csv_separator-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_enclosed: export-csv_enclosed"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_enclosed-userprefs-allow: export-csv_enclosed-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_escaped. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_escaped: export-csv_escaped"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_escaped-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_escaped-userprefs-allow: export-csv_escaped-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_terminated. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_terminated: export-csv_terminated"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_terminated-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_terminated-userprefs-allow: export-csv_terminated-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_null. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_null: export-csv_null"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_null-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_null-userprefs-allow: export-csv_null-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_removeCRLF-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_removeCRLF-userprefs-allow: export-csv_removecrlf-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_columns-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_columns-userprefs-allow: export-csv_columns-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 63)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_separator: export-csv_separator"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_separator-userprefs-allow: export-csv_separator-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_enclosed: export-csv_enclosed"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_enclosed-userprefs-allow: export-csv_enclosed-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_escaped. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_escaped: export-csv_escaped"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_escaped-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_escaped-userprefs-allow: export-csv_escaped-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_terminated. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_terminated: export-csv_terminated"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_terminated-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_terminated-userprefs-allow: export-csv_terminated-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_null. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_null: export-csv_null"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_null-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_null-userprefs-allow: export-csv_null-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_removeCRLF-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_removeCRLF-userprefs-allow: export-csv_removecrlf-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_columns-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_columns-userprefs-allow: export-csv_columns-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]

azurit commented 2 years ago

@WaleedMortaja Thanks! Can you try it with current version?

WaleedMortaja commented 2 years ago

@azurit the setup/export is working now! The other pages still have problems.

Here is the log for setup/import (URL: /setup/index.php?page=form&formset=Import)

Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_replace-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_replace-userprefs-allow: import-csv_replace-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_ignore-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_ignore-userprefs-allow: import-csv_ignore-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_terminated. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_terminated: import-csv_terminated"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_terminated-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_terminated-userprefs-allow: import-csv_terminated-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_enclosed. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_enclosed: import-csv_enclosed"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_enclosed-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_enclosed-userprefs-allow: import-csv_enclosed-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_escaped. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_escaped: import-csv_escaped"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_escaped-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_escaped-userprefs-allow: import-csv_escaped-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_col_names-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_col_names-userprefs-allow: import-csv_col_names-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]

Here is the log for setup/Main Panel (URL: /setup/index.php?page=form&formset=Main)

Message: Warning. Matched phrase "dev/null" at ARGS:DefaultTransformations-External. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "500"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: dev/null found within ARGS:DefaultTransformations-External: 0 -f/dev/null -i -wrap -q 1 1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
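
Added example, not code from this PR or from the plugin: a small Python triage script for audit-log section H `Message:` lines like the ones posted above. It groups hits by rule id and collection so the narrowest exclusion target is visible. The sample log is constructed from the line shapes quoted in this thread, and the function names `parse_hits` and `summarize` are hypothetical.

```python
import os
import re
from collections import defaultdict

# Constructed sample in the shape of the section H lines quoted in this
# thread; [file] paths are shortened and the client value is a placeholder.
SAMPLE_LOG = '''\
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [severity "CRITICAL"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed-userprefs-allow. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [severity "CRITICAL"]
Message: Warning. Matched phrase "dev/null" at ARGS:DefaultTransformations-External. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "500"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##CLIENT##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [severity "CRITICAL"]
'''

# A phrase-match hit: which phrase matched, and in which collection/key.
HIT = re.compile(
    r'^Message: .*?Matched phrase "(?P<phrase>[^"]+)" at '
    r'(?P<collection>[A-Z_]+):(?P<key>\S+?)\. \[file '
)
# Bracketed metadata fields we care about.
FIELD = re.compile(r'\[(?P<name>id|msg) "(?P<value>[^"]*)"\]')


def parse_hits(log_text):
    """Return one dict per phrase-match detection in section H text."""
    hits = []
    for line in log_text.splitlines():
        # Section H repeats each hit as an "Apache-Error:" line; counting both
        # would double every finding, so only "Message:" lines are parsed.
        # The 949110 blocking-evaluation line has no "Matched phrase" and is
        # skipped too: it reports the score, it is not a detection.
        m = HIT.match(line)
        if not m:
            continue
        fields = {f.group("name"): f.group("value") for f in FIELD.finditer(line)}
        hits.append({
            "id": fields.get("id", ""),
            "msg": fields.get("msg", ""),
            "phrase": m.group("phrase"),
            "collection": m.group("collection"),
            "key": m.group("key"),
        })
    return hits


def summarize(hits):
    """Group hits by (rule id, collection) and describe each group."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["id"], h["collection"])].append(h)
    report = []
    for (rule_id, collection), items in sorted(groups.items()):
        keys = sorted({h["key"] for h in items})
        report.append({
            "rule_id": rule_id,
            "collection": collection,
            "keys": keys,
            # Shared prefix of the parameter names, e.g. "Export-csv_".
            "common_prefix": os.path.commonprefix(keys),
            # True when the matched phrase is part of the parameter name
            # itself (a form field name), False when it was in the value.
            "phrase_in_name": all(
                h["phrase"].lower() in h["key"].lower() for h in items
            ),
        })
    return report


if __name__ == "__main__":
    for row in summarize(parse_hits(SAMPLE_LOG)):
        print(row)
```

A group with `phrase_in_name` set and a shared prefix points at an exclusion scoped to those parameter names on that one page, rather than disabling the rule for the whole application.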

azurit commented 2 years ago

@WaleedMortaja Thanks, try now!

WaleedMortaja commented 2 years ago

@azurit All the setup pages are working now. I am not aware of any more FP currently.

Thank you for your efforts 😄

azurit commented 2 years ago

@WaleedMortaja Thank you very much for testing!

azurit commented 1 year ago

@williamdes pls what's difference between routes /database/export and /export?

williamdes commented 1 year ago

> @williamdes pls what's difference between routes /database/export and /export?

https://github.com/phpmyadmin/phpmyadmin/blob/f6a03d405d5c4d4ad6e356ed654917a79418207c/libraries/routes.php#L63

https://github.com/phpmyadmin/phpmyadmin/blob/f6a03d405d5c4d4ad6e356ed654917a79418207c/libraries/routes.php#L216

It seems that one is more for tables and the other for databases.

I am not sure there is much different code between them.

Do you need some deeper information on those routes?

azurit commented 1 year ago

> It seems that one is more for tables and the other for databases

For tables, there seems to be a /table/export route.

> Do you need some deeper information on those routes?

No, i just need to know if i should:

It's more or less a philosophical question. :)

williamdes commented 1 year ago

> > It seems that one is more for tables and the other for databases
>
> For tables, there seems to be a /table/export route.
>
> > Do you need some deeper information on those routes?
>
> No, i just need to know if i should:
>
> * add this route for database export rule
> * add this route for table export rule
> * create completely new rule
>
> It's more or less a philosophical question. :)

@MauricioFauth you created the controllers, maybe you could better answer this question?

But I would say that since it is not prefixed it could be used in different ways, so maybe a new rule?

MauricioFauth commented 1 year ago

> @williamdes pls what's difference between routes /database/export and /export?

Initially the routes were a direct map with the files. For example:

Now, more routes are being added as we are extracting them from the controllers, as a lot of routes are doing too much.

Basically, /server/export, /database/export and /table/export only render the related export page, and the /export route is the one doing the actual export.

azurit commented 1 year ago

@MauricioFauth Thanks, that helped a lot!

@MauricioFauth @williamdes What about this? What action it was?

POST /index.php?route=/

=== POST ARGUMENTS ===
ajax_request: true
server: 3
db: information_schema
guid: <censored>
access_time: 414
check_timeout: 1
_nocache: <censored>
token: <censored>

williamdes commented 1 year ago

> @MauricioFauth Thanks, that helped a lot!
>
> @MauricioFauth @williamdes What about this? What action it was?
>
> POST /index.php?route=/
>
> === POST ARGUMENTS ===
> ajax_request: true
> server: 3
> db: information_schema
> guid: <censored>
> access_time: 414
> check_timeout: 1
> _nocache: <censored>
> token: <censored>

I guess it's the ping pong to check if the session expired?

williamdes commented 1 year ago

Hi @azurit We started development of 6.0 instead of 5.3. One breaking change is that we will have everything from 5.2 rules in a public directory

azurit commented 1 year ago

@williamdes Thanks for the info!

To all: New URL format can be considered as tested.

williamdes commented 1 year ago

> @williamdes Thanks for the info!
>
> To all: New URL format can be considered as tested.

Awesome, could you provide me a docker-compose.yml so I can test it ?

azurit commented 1 year ago

> Awesome, could you provide me a docker-compose.yml so I can test it ?

@williamdes Unfortunately i'm not able to do so. @fzipi Can you, maybe, help?

fzipi commented 10 months ago

Just in case, please use Squash and merge here.

fzipi commented 10 months ago

@azurit To the best of my knowledge, I think I've fixed the conflict. Let me know if this is ready before merging.

azurit commented 10 months ago

@fzipi Thank you! Should be ready to merge.