Closed Xhoenix closed 1 year ago
Is WordPress really using the x-http-method-override HTTP header?
Looks like it does.
Is it done by vanilla WP or a plugin? Can you re-check it?
I don't use plugins due to security reasons.
Just checked again in my local installation with all plugins disabled, and the header still shows up.
Checked WordPress source code and the header appears quite a few times.
This is just an excerpt and it is used more times than that.
Hey @azurit, I just checked and I can't update my blog posts either because of the above problem.
[Sun Mar 12 02:03:06.574963 2023] [:error] [pid 325653] [client 103.80.153.172:43580] [client 103.80.153.172] ModSecurity: Warning. String match within "/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/" at TX:header_name_x-http-method-override. [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1156"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "blog.jitendrapatro.me"] [uri "/wp-json/wp/v2/posts/1950"] [unique_id "ZAzlgoZr3G-7fEfwR7y61gAAAAM"], referer: https://blog.jitendrapatro.me/wp-admin/post.php?post=1950&action=edit
Looks like I have to update my PR.
[Sun Mar 12 13:17:46.667683 2023] [:error] [pid 368742] [client 103.80.153.69:53190] [client 103.80.153.69] ModSecurity: Warning. Pattern match "(?:\\\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\\\$_(?:(?:pos|ge)t|session))\\\\b" at RESPONSE_BODY. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "69"] [id "953110"] [msg "PHP source code leakage"] [data "Matched Data: move_uploaded_file found within RESPONSE_BODY"] [severity "ERROR"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/118/116"] [tag "PCI/6.5.6"] [hostname "blog.jitendrapatro.me"] [uri "/wp-admin/post.php"] [unique_id "ZA2DotE_J1z5ZYDE2_0iLwAAAAE"], referer: https://blog.jitendrapatro.me/wp-admin/edit.php?post_type=post&paged=2
FP at PL 1 due to the move_uploaded_file function used in WordPress.
@GenialHacker Regarding move_uploaded_file, how exactly do the error messages look? Is this the only error message which contains it?
PHP: move_uploaded_file(): Unable to move '/path/to/temp/file' to '/path/to/destination/file'
What version of WP? I'm hosting thousands of WP sites and haven't noticed this problem so far.
Removed the rule. I checked again and the problem is actually in my blog post which was about auditing PHP code for PATH traversal vulns. https://blog.jitendrapatro.me/owasp-a12017-injection/
Should I open a PR adding it to php-errors-pl2.data, or should I write my own exclusion?
You probably need to update your CRS installation to the latest code. This FP showed up after I pulled the latest CRS code that day.
WordPress 6.1.1
Maybe you should rather check whether the rule 920450 in REQUEST-920-PROTOCOL-ENFORCEMENT.conf contains the added restricted headers.
One more FP
[Tue Mar 21 14:27:54.825444 2023] [:error] [pid 1181882] [client 103.80.153.69:51440] [client 103.80.153.69] ModSecurity: Warning. String match within "/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/" at TX:header_name_x-http-method-override. [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1156"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "blog.jitendrapatro.me"] [uri "/wp-json/wp/v2/users/me"] [unique_id "ZBlxktmbLo4Snh6KUfrAmQAAAAI"], referer: https://blog.jitendrapatro.me/wp-admin/post.php?post=433&action=edit
There are more FPs at PL 1 as I mentioned in this issue.
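Triaging alerts like the ones posted in this thread is easier from a per-rule summary than from raw error-log lines. The script below is an added example, not code from the CRS project or from the PR author: it parses the bracketed fields ModSecurity 2.x writes to the Apache error log, groups alerts by rule id, paranoia level and URI, shows which alerts a path-scoped exclusion would silence, and renders such an exclusion. The sample log is constructed (modelled on the entries above, with hostname, client IP and unique_id replaced and tag lists shortened); the exclusion rule id 10001 and the /wp-json/ prefix are assumptions, and `ctl:ruleRemoveById` is standard ModSecurity syntax.

```python
"""Triage OWASP CRS alerts from an Apache/ModSecurity error log and draft a
path-scoped exclusion.

Added example: this is not code from the CRS project or from the PR author.
SAMPLE_LOG is constructed, modelled on the entries quoted in this thread
(hostname, client IP and unique_id replaced; tag lists shortened).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[Sun Mar 12 02:03:06.574963 2023] [:error] [pid 325653] [client 198.51.100.10:43580] ModSecurity: Warning. String match within "/proxy/ /x-http-method-override/" at TX:header_name_x-http-method-override. [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1156"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "attack-protocol"] [tag "paranoia-level/1"] [hostname "blog.example"] [uri "/wp-json/wp/v2/posts/1950"] [unique_id "A1"]
[Sun Mar 12 13:17:46.667683 2023] [:error] [pid 368742] [client 198.51.100.10:53190] ModSecurity: Warning. Pattern match "(?:move_uploaded_file)" at RESPONSE_BODY. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "69"] [id "953110"] [msg "PHP source code leakage"] [data "Matched Data: move_uploaded_file found within RESPONSE_BODY"] [severity "ERROR"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "attack-disclosure"] [tag "paranoia-level/1"] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "A2"]
[Tue Mar 21 14:27:54.825444 2023] [:error] [pid 1181882] [client 198.51.100.10:51440] ModSecurity: Warning. String match within "/proxy/ /x-http-method-override/" at TX:header_name_x-http-method-override. [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1156"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "attack-protocol"] [tag "paranoia-level/1"] [hostname "blog.example"] [uri "/wp-json/wp/v2/users/me"] [unique_id "A3"]
"""

# One bracketed, double-quoted field as ModSecurity 2.x writes it, for example
# [id "920450"] or [uri "/wp-json/wp/v2/users/me"]. Backslash escapes inside
# the value are accepted so regex fragments quoted in [data ...] still parse.
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')


def parse_alert(line):
    """Return a dict for one ModSecurity alert line, or None if it is not one."""
    if "ModSecurity:" not in line:
        return None
    fields = defaultdict(list)
    for m in FIELD_RE.finditer(line):
        fields[m.group("key")].append(m.group("val"))
    if not fields["id"]:
        return None

    def first(key):
        return fields[key][0] if fields[key] else ""

    tags = fields["tag"]
    # CRS tags every rule with its paranoia level, e.g. "paranoia-level/1".
    level = next((int(t.rsplit("/", 1)[1]) for t in tags
                  if t.startswith("paranoia-level/")), None)
    return {
        "id": first("id"),
        "msg": first("msg"),
        "data": first("data"),
        "severity": first("severity"),
        "hostname": first("hostname"),
        "uri": first("uri"),
        "pl": level,
        "tags": tags,
    }


def summarize(log_text):
    """Group alerts by rule id: hit count, paranoia level and the URIs involved.

    This is the view to look at before deciding whether an alert is a
    CRS-wide false positive (worth a PR) or specific to one site (local exclusion).
    """
    summary = {}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = summary.setdefault(alert["id"], {
            "count": 0, "pl": alert["pl"], "msg": alert["msg"], "uris": set()})
        entry["count"] += 1
        entry["uris"].add(alert["uri"])
    return summary


def covered_by(uri_prefix, rule_id, log_text):
    """Split alerts for rule_id into URIs a uri_prefix-scoped exclusion would
    silence and URIs it would still fire on, so a narrow exclusion can be checked."""
    hit, miss = [], []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["id"] != rule_id:
            continue
        (hit if alert["uri"].startswith(uri_prefix) else miss).append(alert["uri"])
    return hit, miss


def draft_exclusion(excl_id, uri_prefix, rule_id):
    """Render a ModSecurity rule that disables rule_id only under uri_prefix.

    ctl:ruleRemoveById is standard ModSecurity; the exclusion id and the file
    it goes in are the operator's choice (CRS expects it in
    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which runs before the CRS rules).
    Note that this drops the whole of rule_id on that path, not just one header.
    """
    return (
        'SecRule REQUEST_URI "@beginsWith {prefix}" \\\n'
        '    "id:{excl_id},\\\n'
        '    phase:1,\\\n'
        '    pass,\\\n'
        '    nolog,\\\n'
        '    ctl:ruleRemoveById={rule_id}"'
    ).format(prefix=uri_prefix, excl_id=excl_id, rule_id=rule_id)


if __name__ == "__main__":
    for rule_id, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(rule_id, "PL%s" % entry["pl"], entry["count"], sorted(entry["uris"]))
    print(draft_exclusion(10001, "/wp-json/", "920450"))
```

The summary separates the two cases in this thread: 920450 fires only on WordPress REST API paths under /wp-json/, so a prefix-scoped exclusion covers it, whereas 953110 fires on the response body of a /wp-admin/ page and is not touched by the same exclusion. Dropping 920450 entirely under /wp-json/ also stops the other restricted-header checks on that path; removing only the offending header from the rule's targets is narrower but is not shown here.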
@azurit Can you be so kind as to mention what's wrong with this PR? Also, can you make any necessary changes if needed? I'd love to co-author a PR with you as it'll add a new cool badge to my profile. :) Thank you.
[Wed Mar 29 18:29:52.246459 2023] [:error] [pid 1942141] [client 103.144.192.221:47256] [client 103.144.192.221] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity/coreruleset/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=361, detection=361, per_pl=60-301-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=191, XSS=150, RFI=5, LFI=0, RCE=15, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=361)"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "reporting"] [hostname "blog.jitendrapatro.me"] [uri "/wp-json/batch/v1"] [unique_id "ZCQ2SM0uH8VRekKG93vxHwAAAAE"], referer: https://blog.jitendrapatro.me/wp-admin/widgets.php
Wow, looks like there's still a lot of work to do.
We are discussing this, please stay tuned.
Hey @azurit, I'm currently looking for an InfoSec position, and as a hoster, if you come across the need for an InfoSec professional with my skills, then you can contact me. Thanks.
Thanks for the offer, I will contact you in case we need someone.
Please use Slack for messages like this in the future; GitHub is not suitable for communication of this type. Thank you for understanding!
Deleted it.
Also, how did your discussion go? What about this PR, should I push more FPs?
@azurit Is there any progress on this? There are still a lot more FPs in WP.
@azurit closing this PR. Will submit more FPs.
[Sat Mar 11 19:17:21.667279 2023] [:error] [pid 307003] [client 103.80.153.172:34666] [client 103.80.153.172] ModSecurity: Warning. String match within "/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/" at TX:header_name_x-http-method-override. [file "/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1156"] [id "920450"] [msg "HTTP header is restricted by policy (/x-http-method-override/)"] [data "Restricted header detected: /x-http-method-override/"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/12.1"] [hostname "blog.jitendrapatro.me"] [uri "/wp-json/wp/v2/pages/433"] [unique_id "ZAyGadfHqbffM75p0nOlBAAAAAA"], referer: https://blog.jitendrapatro.me/wp-admin/post.php?post=433&action=edit
Some request headers were recently added based on this blog post. The x-http-method-override header prevents updating a WordPress page at PL 1. I can't even update my own homepage due to this.