coreruleset / wordpress-rule-exclusions-plugin

Rule exclusion plugin for WordPress.
Apache License 2.0

False positives with WordPress 6.3.1 and full site editing #16

Closed paulschreiber closed 1 year ago

paulschreiber commented 1 year ago

Summary

When attempting to save edits after changing styles using the full site editor (/wp-admin/site-editor.php?path=%2Fwp_global_styles), seven errors are displayed.

There are five:

[file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"]

And one each of these two:

[file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] 
[file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"]

Full log:

[Tue Oct 10 00:03:34.648190 2023] [security2:error] [pid 1325651:tid 139687177930432] [remote XXX.XXX.XXX.XXX:62076] [client XXX.XXX.XXX.XXX] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'f(n)' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(n) found within ARGS:styles.blocks.core/post-date.typography.fontFamily: var(--wp--preset--font-family--source-serif-pro)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "xxxxxxxxx.org"] [uri "/index.php"] [unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"], referer: https://xxxxxxxxx.org/wp-admin/site-editor.php?path=%2Fwp_global_styles
[Tue Oct 10 00:03:34.648359 2023] [security2:error] [pid 1325651:tid 139687177930432] [remote XXX.XXX.XXX.XXX:62076] [client XXX.XXX.XXX.XXX] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'f(n)' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(n) found within ARGS:styles.blocks.core/post-terms.typography.fontFamily: var(--wp--preset--font-family--source-serif-pro)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "xxxxxxxxx.org"] [uri "/index.php"] [unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"], referer: https://xxxxxxxxx.org/wp-admin/site-editor.php?path=%2Fwp_global_styles
[Tue Oct 10 00:03:34.648516 2023] [security2:error] [pid 1325651:tid 139687177930432] [remote XXX.XXX.XXX.XXX:62076] [client XXX.XXX.XXX.XXX] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'f(n)' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(n) found within ARGS:styles.elements.button.color.text: var(--wp--preset--color--base)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "xxxxxxxxx.org"] [uri "/index.php"] [unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"], referer: https://xxxxxxxxx.org/wp-admin/site-editor.php?path=%2Fwp_global_styles
[Tue Oct 10 00:03:34.648662 2023] [security2:error] [pid 1325651:tid 139687177930432] [remote XXX.XXX.XXX.XXX:62076] [client XXX.XXX.XXX.XXX] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'f(n)' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(n) found within ARGS:styles.elements.button.:visited.color.text: var(--wp--preset--color--base)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "xxxxxxxxx.org"] [uri "/index.php"] [unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"], referer: https://xxxxxxxxx.org/wp-admin/site-editor.php?path=%2Fwp_global_styles
[Tue Oct 10 00:03:34.648778 2023] [security2:error] [pid 1325651:tid 139687177930432] [remote XXX.XXX.XXX.XXX:62076] [client XXX.XXX.XXX.XXX] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'f(n)' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: f(n) found within ARGS:styles.elements.heading.typography.fontFamily: var(--wp--preset--font-family--source-serif-pro)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [hostname "xxxxxxxxx.org"] [uri "/index.php"] [unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"], referer: https://xxxxxxxxx.org/wp-admin/site-editor.php?path=%2Fwp_global_styles
[Tue Oct 10 00:03:34.656891 2023] [security2:error] [pid 1325651:tid 139687177930432] [remote XXX.XXX.XXX.XXX:62076] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxxxxxxxx.org"] [uri "/index.php"] [unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"], referer: https://xxxxxxxxx.org/wp-admin/site-editor.php?path=%2Fwp_global_styles
[Tue Oct 10 00:03:34.657520 2023] [security2:error] [pid 1325651:tid 139686926149312] [client XXX.XXX.XXX.XXX:62076] [client XXX.XXX.XXX.XXX] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 25 - SQLI=25,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 25, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "xxxxxxxxx.org"] [uri "/index.php"] [unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"], referer: https://xxxxxxxxx.org/wp-admin/site-editor.php?path=%2Fwp_global_styles
theseion commented 1 year ago

Thanks @paulschreiber. Looks like we need to disable SQL injection detection on the site editor. Just to be sure, you're using v4.0 with the new plugin architecture, correct?

paulschreiber commented 1 year ago

I am using 3.3.4 — I installed the modsecurity-crs 3.3.4-1 .deb on Ubuntu 23.04.

theseion commented 1 year ago

I see. I'll check whether this is already fixed in 4.0.

theseion commented 1 year ago

It looks like this is still an issue. I'm working on a PR but I need some help. Could you possibly provide the contents of an actual request? I need to know the value of the Content-Type header and the format of the request (JSON in body, URL encoded in body, ...).

paulschreiber commented 1 year ago

Content-Type is application/json.

HTTP payload:

{"id":50,"styles":{"blocks":{"core/comment-author-name":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}},"core/comment-date":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"},"typography":{"textDecoration":"underline"}}}}},"core/comment-edit-link":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}},"core/comments-pagination":{"elements":{"link":{"typography":{"textDecoration":"underline"}}}},"core/image":{"filter":{"duotone":"var(--wp--preset--duotone--default-filter)"}},"core/navigation":{"elements":{"link":{":active":{"typography":{"textDecoration":"underline dashed"}},"color":{"text":"var(--wp--preset--color--primary)"},"typography":{"textDecoration":"underline"}}}},"core/paragraph":{"color":{"text":"var(--wp--preset--color--contrast)"},"elements":{"link":{":hover":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}},"core/post-content":{"elements":{"link":{"color":{"text":"var(--wp--preset--color--primary)"}}}},"core/post-date":{"elements":{"link":{"typography":{"textDecoration":"none","fontStyle":"italic"}}}},"core/post-featured-image":{"filter":{"duotone":"var(--wp--preset--duotone--default-filter)"}},"core/post-title":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"},"typography":{"textDecoration":"underline"}},"typography":{"textDecoration":"underline"}}}},"core/query-pagination":{"elements":{"link":{"typography":{"textDecoration":"underline"}}}},"core/separator":{"color":{"text":"var(--wp--preset--color--secondary)"}},"core/site-title":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--primary)"}}}},"typography":{"fontStyle":"italic","fontWeight":"700"}}},"color":{"gradient":"var(--wp--preset--gradient--dots)"},"elements":{"button":{":active":{"color":{"background":"var(--wp--preset--color--secondary)","gradient":"none"}},":focus":{"color":{"gradient":"var(--wp--preset--gradient--secondary-primary)"}},":hover":{"color":{"gradient":"var(--wp--preset--gradient--secondary-primary)"}},":visited":{"color":{"text":"var(--wp--preset--color--base)"}},"border":{"radius":"5px"},"color":{"gradient":"var(--wp--preset--gradient--primary-secondary)","text":"var(--wp--preset--color--base)"}},"h1":{"color":{"text":"var(--wp--preset--color--contrast)"}},"h2":{"color":{"text":"var(--wp--preset--color--contrast)"}},"h3":{"color":{"text":"var(--wp--preset--color--primary)"}},"h4":{"color":{"text":"var(--wp--preset--color--primary)"}},"h5":{"color":{"text":"var(--wp--preset--color--primary)"}},"h6":{"color":{"text":"var(--wp--preset--color--primary)"}},"heading":{"color":{"text":"var(--wp--preset--color--primary)"}},"link":{"color":{"text":"var(--wp--preset--color--primary)"},":hover":{"color":{"text":"var(--wp--preset--color--tertiary)"}},":focus":{"color":{"text":"var(--wp--preset--color--tertiary)"}},":active":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}},"settings":{"color":{"duotone":{"theme":[{"colors":["#222828","#9EF9FD"],"slug":"default-filter","name":"Default filter"}]},"gradients":{"theme":[{"gradient":"linear-gradient(180deg, var(--wp--preset--color--primary) 0%,var(--wp--preset--color--secondary) 100%)","name":"Primary to Secondary","slug":"primary-secondary"},{"gradient":"linear-gradient(180deg, var(--wp--preset--color--secondary) 0%,var(--wp--preset--color--primary) 100%)","name":"Secondary to Primary","slug":"secondary-primary"},{"gradient":"linear-gradient(180deg, var(--wp--preset--color--primary) 0%,var(--wp--preset--color--tertiary) 100%)","name":"Tertiary to Secondary","slug":"tertiary-secondary"},{"gradient":"linear-gradient(180deg, var(--wp--preset--color--tertiary) 0%,var(--wp--preset--color--primary) 100%)","name":"Tertiary to Primary","slug":"tertiary-primary"},{"gradient":"linear-gradient(180deg, var(--wp--preset--color--base) 0%,var(--wp--preset--color--primary) 350%)","name":"Base to Primary","slug":"base-primary"},{"gradient":"radial-gradient(circle at 5px 5px,#0c0d0d70 2px,#ffffff00 0px,#ffffff00 0px) 0 0 / 8px 8px, linear-gradient(180deg, var(--wp--preset--color--base) 0%,#000000 200%)","name":"Dots","slug":"dots"}]},"palette":{"theme":[{"color":"#222828","name":"Base","slug":"base"},{"color":"#ffffff","name":"Contrast","slug":"contrast"},{"color":"#53ED85","name":"Primary","slug":"primary"},{"color":"#9EF9FD","name":"Secondary","slug":"secondary"},{"color":"#D8E202","name":"Tertiary","slug":"tertiary"}]}}}}

Here's the data from Copy as cURL:

curl 'https://XXXXX.org/index.php?rest_route=%2Fwp%2Fv2%2Fglobal-styles%2F50&_locale=user' \
  -H 'authority: XXXXX.org' \
  -H 'accept: application/json, */*;q=0.1' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'content-type: application/json' \
  -H 'cookie: wordpress_test_cookie=xxxxxx' \
  -H 'origin: https://XXXXX.org' \
  -H 'referer: https://XXXXX.org/wp-admin/site-editor.php?path=%2Fwp_global_styles' \
  -H 'sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36' \
  -H 'x-http-method-override: PUT' \
  -H 'x-wp-nonce: dbaa844df9' \
  --data-raw '{"id":50,"styles":{"blocks":{"core/comment-author-name":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}},"core/comment-date":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"},"typography":{"textDecoration":"underline"}}}}},"core/comment-edit-link":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}},"core/comments-pagination":{"elements":{"link":{"typography":{"textDecoration":"underline"}}}},"core/image":{"filter":{"duotone":"var(--wp--preset--duotone--default-filter)"}},"core/navigation":{"elements":{"link":{":active":{"typography":{"textDecoration":"underline dashed"}},"color":{"text":"var(--wp--preset--color--primary)"},"typography":{"textDecoration":"underline"}}}},"core/paragraph":{"color":{"text":"var(--wp--preset--color--contrast)"},"elements":{"link":{":hover":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}},"core/post-content":{"elements":{"link":{"color":{"text":"var(--wp--preset--color--primary)"}}}},"core/post-date":{"elements":{"link":{"typography":{"textDecoration":"none","fontStyle":"italic"}}}},"core/post-featured-image":{"filter":{"duotone":"var(--wp--preset--duotone--default-filter)"}},"core/post-title":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"},"typography":{"textDecoration":"underline"}},"typography":{"textDecoration":"underline"}}}},"core/query-pagination":{"elements":{"link":{"typography":{"textDecoration":"underline"}}}},"core/separator":{"color":{"text":"var(--wp--preset--color--secondary)"}},"core/site-title":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--primary)"}}}},"typography":{"fontStyle":"italic","fontWeight":"700"}}},"color":{"gradient":"var(--wp--preset--gradient--dots)"},"elements":{"button":{":active":{"color":{"background":"var(--wp--preset--color--secondary)","gradient":"none"}},":focus":{"color":{"gradient":"var(--wp--preset--gradient--secondary-primary)"}},":hover":{"color":{"gradient":"var(--wp--preset--gradient--secondary-primary)"}},":visited":{"color":{"text":"var(--wp--preset--color--base)"}},"border":{"radius":"5px"},"color":{"gradient":"var(--wp--preset--gradient--primary-secondary)","text":"var(--wp--preset--color--base)"}},"h1":{"color":{"text":"var(--wp--preset--color--contrast)"}},"h2":{"color":{"text":"var(--wp--preset--color--contrast)"}},"h3":{"color":{"text":"var(--wp--preset--color--primary)"}},"h4":{"color":{"text":"var(--wp--preset--color--primary)"}},"h5":{"color":{"text":"var(--wp--preset--color--primary)"}},"h6":{"color":{"text":"var(--wp--preset--color--primary)"}},"heading":{"color":{"text":"var(--wp--preset--color--primary)"}},"link":{"color":{"text":"var(--wp--preset--color--primary)"},":hover":{"color":{"text":"var(--wp--preset--color--tertiary)"}},":focus":{"color":{"text":"var(--wp--preset--color--tertiary)"}},":active":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}},"settings":{"color":{"duotone":{"theme":[{"colors":["#222828","#9EF9FD"],"slug":"default-filter","name":"Default filter"}]},"gradients":{"theme":[{"gradient":"linear-gradient(180deg, var(--wp--preset--color--primary) 0%,var(--wp--preset--color--secondary) 100%)","name":"Primary to Secondary","slug":"primary-secondary"},{"gradient":"linear-gradient(180deg, var(--wp--preset--color--secondary) 0%,var(--wp--preset--color--primary) 100%)","name":"Secondary to Primary","slug":"secondary-primary"},{"gradient":"linear-gradient(180deg, var(--wp--preset--color--primary) 0%,var(--wp--preset--color--tertiary) 100%)","name":"Tertiary to Secondary","slug":"tertiary-secondary"},{"gradient":"linear-gradient(180deg, var(--wp--preset--color--tertiary) 0%,var(--wp--preset--color--primary) 100%)","name":"Tertiary to Primary","slug":"tertiary-primary"},{"gradient":"linear-gradient(180deg, var(--wp--preset--color--base) 0%,var(--wp--preset--color--primary) 350%)","name":"Base to Primary","slug":"base-primary"},{"gradient":"radial-gradient(circle at 5px 5px,#0c0d0d70 2px,#ffffff00 0px,#ffffff00 0px) 0 0 / 8px 8px, linear-gradient(180deg, var(--wp--preset--color--base) 0%,#000000 200%)","name":"Dots","slug":"dots"}]},"palette":{"theme":[{"color":"#222828","name":"Base","slug":"base"},{"color":"#ffffff","name":"Contrast","slug":"contrast"},{"color":"#53ED85","name":"Primary","slug":"primary"},{"color":"#9EF9FD","name":"Secondary","slug":"secondary"},{"color":"#D8E202","name":"Tertiary","slug":"tertiary"}]}}}}' \
  --compressed
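The log excerpt in the first comment and the request details in this one are what a maintainer needs to confirm a false positive and scope an exclusion. The script below is an added example (not code from the coreruleset project or the wordpress-rule-exclusions-plugin): it parses ModSecurity error-log lines of the shape shown above, groups the hits by rule id, recomputes the CRS inbound anomaly score that triggered the 403 (five CRITICAL hits at 5 points each gives the logged total of 25), lists the ARGS whose matched value is nothing but a `var(--wp--preset--...)` reference (the shape libinjection fingerprints as `f(n)`), and drafts a phase-1 exclusion scoped to the `index.php?rest_route=/wp/v2/global-styles/<id>` route seen in the cURL capture. The sample log lines are constructed, abbreviated copies of the issue's excerpt with a placeholder client address and hostname; the exclusion id 9999001 is a placeholder, the rule uses ModSecurity v2 syntax, and matching on `ARGS_GET:rest_route` covers only the `rest_route=` URL form shown in this issue, not pretty-permalink `/wp-json/...` routes.

```python
"""Triage CRS/ModSecurity error-log alerts and draft a scoped rule exclusion.

Added example for this issue thread; not code from the coreruleset project.
SAMPLE_LOG holds constructed, abbreviated copies of the issue's log lines.
"""
import re
from collections import defaultdict

FONT = "var(--wp--preset--font-family--source-serif-pro)"
BASE = "var(--wp--preset--color--base)"


def _hit(arg, value, usec):
    """Build one constructed 942100 libinjection alert line (most tags dropped)."""
    return (f"[Tue Oct 10 00:03:34.{usec} 2023] [security2:error] [client 203.0.113.10] "
            "ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'f(n)' "
            '[file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
            '[line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
            f'[data "Matched Data: f(n) found within {arg}: {value}"] [severity "CRITICAL"] '
            '[ver "OWASP_CRS/3.3.4"] [tag "attack-sqli"] [tag "paranoia-level/1"] '
            '[hostname "example.org"] [uri "/index.php"] [unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"]')


SAMPLE_LOG = [
    _hit("ARGS:styles.blocks.core/post-date.typography.fontFamily", FONT, "648190"),
    _hit("ARGS:styles.blocks.core/post-terms.typography.fontFamily", FONT, "648359"),
    _hit("ARGS:styles.elements.button.color.text", BASE, "648516"),
    _hit("ARGS:styles.elements.button.:visited.color.text", BASE, "648662"),
    _hit("ARGS:styles.elements.heading.typography.fontFamily", FONT, "648778"),
    '[Tue Oct 10 00:03:34.656891 2023] [security2:error] [client 203.0.113.10] '
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] '
    '[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [severity "CRITICAL"] '
    '[ver "OWASP_CRS/3.3.4"] [tag "attack-generic"] [hostname "example.org"] [uri "/index.php"] '
    '[unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"]',
    '[Tue Oct 10 00:03:34.657520 2023] [security2:error] [client 203.0.113.10] '
    'ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. '
    '[file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "92"] '
    '[id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 25 - SQLI=25,XSS=0)"] '
    '[ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "example.org"] [uri "/index.php"] '
    '[unique_id "ZSTNFkPkvf5768haEecC1wAA1xM"]',
]

_KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"] fields
_DATA_RE = re.compile(r"^Matched Data: (?P<what>.*?) found within (?P<rest>.+)$")
_WP_PRESET_RE = re.compile(r"^var\(--wp--preset--[\w-]+\)$")  # pure theme-preset reference
_SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}  # CRS defaults


def parse_line(line):
    """Return the quoted [key "value"] fields of one error-log line as a dict.
    Repeated [tag "..."] fields are gathered under "tags"; the data field is
    split into the matched fragment, the variable name and the variable value."""
    pairs = _KV_RE.findall(line)
    if not pairs:
        return None
    rec = {k: v for k, v in pairs if k != "tag"}
    rec["tags"] = [v for k, v in pairs if k == "tag"]
    m = _DATA_RE.match(rec.get("data", ""))
    if m:
        # Variable names can contain ':' (e.g. '.:visited') but never ': ',
        # so the first ': ' separates the name from its value.
        var, _, value = m.group("rest").partition(": ")
        rec.update(matched=m.group("what"), variable=var, value=value)
    return rec


def group_by_rule(lines):
    by_rule = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and "id" in rec:
            by_rule[rec["id"]].append(rec)
    return dict(by_rule)


def inbound_score(by_rule):
    """Recompute the inbound anomaly score from the detection rules only; the
    949xxx blocking and 980xxx correlation rules report the score, not add to it."""
    return sum(_SEVERITY_SCORE.get(r.get("severity"), 0)
               for rid, recs in by_rule.items()
               if not rid.startswith(("949", "980"))
               for r in recs)


def preset_only_targets(records):
    """Variables whose matched value is only a --wp--preset reference: the
    false-positive candidates, since 'var(...)' is what libinjection reads as f(n)."""
    return sorted({r["variable"] for r in records
                   if "value" in r and _WP_PRESET_RE.match(r["value"])})


def draft_exclusion(rule_id, exclusion_id):
    """Draft a phase-1 exclusion scoped to the global-styles REST route as it
    appears in this issue. exclusion_id is a placeholder; use your own id range."""
    return ('SecRule ARGS_GET:rest_route "@rx ^/wp/v2/global-styles/\\d+$" \\\n'
            f'    "id:{exclusion_id},\\\n    phase:1,\\\n    pass,\\\n    t:none,\\\n'
            f'    nolog,\\\n    ctl:ruleRemoveById={rule_id}"')


if __name__ == "__main__":
    by_rule = group_by_rule(SAMPLE_LOG)
    print(f"inbound anomaly score {inbound_score(by_rule)} (blocking threshold 5)")
    for var in preset_only_targets(by_rule["942100"]):
        print("preset-only match:", var)
    print(draft_exclusion("942100", 9999001))
```

Scoping the exclusion to the route keeps 942100 active everywhere else; the JSON argument names vary with the theme (the cURL body above contains many more `styles.*` paths than the five that happened to trip libinjection here), which is why the draft removes the rule for this endpoint rather than listing individual `ARGS:` targets.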

theseion commented 1 year ago

Thanks. I've created a PR (#16) with a fix. Would you mind testing it? It's for v4.0 but you should be able to simply copy the new rule.

paulschreiber commented 1 year ago

The PR is #18 (#16 is this issue). I have confirmed that both your version of the rule and @azurit's version work correctly/resolve the problem.

theseion commented 1 year ago

Thanks @paulschreiber, much appreciated!

theseion commented 1 year ago

The PR has been merged.