coreruleset / wordpress-rule-exclusions-plugin

Rule exclusion plugin for WordPress.
Apache License 2.0

WordPress false positive when saving latest LiteSpeed cache settings #34

Closed dfumagalli closed 8 months ago

dfumagalli commented 8 months ago

Hello,

On a completely new WordPress website I installed today (Apache 2, PHP-FPM 8.2, Ubuntu) I installed the LiteSpeed cache plugin (v6.1). It's quite popular and works well.

Everything worked correctly, including connecting to their API server and saving that settings page and so on.

However, when I got to the "LiteSpeed Cache Setting" page ( https://www.REDACTED.com/wp-admin/admin.php?page=litespeed-cache ) and tried saving the settings, I got a 403 error.

Here's the quite convoluted pattern the settings page activated:

```text
[Sat Mar 02 12:41:29.712297 2024] [:error] [pid 32198] [client REDACTED:52952] [client REDACTED] ModSecurity: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\\\s+(?:\\\\/|\\\\w)[^\\\\s]*(?:\\\\s+http\\\\/\\\\d|[\\\\r\\\\n])" at ARGS:object-global_groups. [file "/usr/share/modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "52"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: options\\x0d\\x0asite-lookup\\x0d found within ARGS:object-global_groups: users\\x0d\\x0auserlogins\\x0d\\x0auseremail\\x0d\\x0auserslugs\\x0d\\x0ausermeta\\x0d\\x0auser_meta\\x0d\\x0asite-transient\\x0d\\x0asite-options\\x0d\\x0asite-lookup\\x0d\\x0asite-details\\x0d\\x0ablog-lookup\\x0d\\x0ablog-details\\x0d\\x0ablog-id-cache\\x0d\\x0arss\\x0d\\x0aglobal-posts\\x0d\\x0aglobal-cache-test"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/33"] [hostname "www.REDACTED.com"] [uri "/wp-admin/admin.php"] [unique_id "ZeMeeYc0AlF7wAqgVbsnJgAAAAA"], referer: https://www.REDACTED.com/wp-admin/admin.php?page=litespeed-cache
```

EsadCetiner commented 8 months ago

@dfumagalli Unfortunately, WordPress plugins aren't supported by this plugin. You'll have to tune any false positive you encounter yourself; see here for how to handle false positives.

However, I can provide you a rule exclusion on how to handle this specific false positive.

```apache
# Opening the LiteSpeed Cache plugin settings page.
# This rule has no explicit phase, so it runs in phase 2 like 921110 itself;
# it must therefore be loaded before the CRS rules (for example in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) so the ctl action takes effect
# before 921110 is evaluated. Use an id that is unique in your configuration.
SecRule REQUEST_FILENAME "@streq /wp-admin/admin.php" \
    "id:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=921110;ARGS:object-global_groups"
```

Please let me know if you need any more help.

dfumagalli commented 8 months ago

Thank you!

dfumagalli commented 8 months ago

I have been too quick to close the issue. Now I get this similar error about BODY:

```text
Message: Warning. Pattern match "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+(?:\\/|\\w)[^\\s]*(?:\\s+http\\/\\d|[\\r\\n])" at REQUEST_BODY. [file "/usr/share/modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "52"] [id "921110"] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: options\x0d\x0asite-lookup\x0d found within REQUEST_BODY: lscwp_ctrl=save-settings&lscwp_nonce=ded951b393&_wp_http_referer=/wp-admin/admin.php?page=litespeed-cache&_settings-enroll[]=cache&cache=1&_settings-enroll[]=cache-priv&cache-priv=1&_settings-enroll[]=cache-commenter&cache-commenter=1&_settings-enroll[]=cache-rest&cache-rest=1&_settings-enroll[]=cache-page_login&cache-page_login=1&_settings-enroll[]=cache-favicon&cache-favicon=1&_settings-enroll[]=cache-resources&cache-resources=1&_s..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level"]
```

Sadly I have no idea about how to extrapolate this rule using the code you suggested above.

azurit commented 8 months ago

@dfumagalli Try this exclusion rule from my private collection:

```apache
# LiteSpeed Cache settings pages: only fires when the request is for
# /wp-admin/admin.php, the "page" argument is one of the plugin's pages,
# and exactly one "page" argument is present. The ctl actions then remove
# individual targets from the affected rules instead of the whole rule.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" \
    "id:9990252,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS:page "@rx ^(?:litespeed-page_optm|litespeed-cache|litespeed-cache-options)$" \
        "t:none,\
        chain"
        SecRule &ARGS:page "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetById=921110;REQUEST_BODY,\
            ctl:ruleRemoveTargetById=941130;ARGS:media-lazy_placeholder,\
            ctl:ruleRemoveTargetById=941170;ARGS:media-lazy_placeholder,\
            ctl:ruleRemoveTargetById=921110;ARGS:object-global_groups,\
            ctl:ruleRemoveTargetById=941100;ARGS:media-placeholder_resp_svg,\
            ctl:ruleRemoveTargetById=941130;ARGS:media-placeholder_resp_svg,\
            ctl:ruleRemoveTargetById=941160;ARGS:media-placeholder_resp_svg"
```

dfumagalli commented 8 months ago

> @dfumagalli Try this exclusion rule from my private collection:

Sadly your script did not work for me.

But I have "borrowed" some of your setup and rummaged through various websites and I finally managed to cobble together what worked on my website:

```apache
# LiteSpeed Cache plugin settings page - BEGIN
# Runs in phase 1 and removes rule 921110 entirely for requests to the
# plugin's settings pages (ruleRemoveById, not ruleRemoveTargetById).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" \
    "id:117,\
    phase:1,\
    t:none,\
    nolog,\
    pass,\
    chain"
    SecRule ARGS:page "@rx ^(?:litespeed-page_optm|litespeed-cache|litespeed-cache-options)$" \
        "t:none,\
        ctl:ruleRemoveById=921110"
# LiteSpeed Cache plugin settings page - END
```
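The thread shows three stages: rule 921110 first reporting `ARGS:object-global_groups`, then `REQUEST_BODY` once that one target was excluded, and finally the rule being removed altogether for the settings pages. The following Python model, added here as an illustration and not code from the coreruleset project or from anyone in this thread, reproduces that sequence using the 921110 regex copied from the log lines above. It assumes the rule lowercases its input before matching (its method list is all lower case), models only the `ARGS` and `REQUEST_BODY` variables of the real rule (which also inspects `ARGS_NAMES`, `REQUEST_HEADERS` and XML targets), models ModSecurity's behaviour of stopping at the first matching variable, and represents the form body in decoded form, as the log prints it. The field names and values are constructed from the two log lines, with a shortened body.

```python
"""Model of how OWASP CRS rule 921110 fires on the LiteSpeed Cache settings POST
and what the two ctl actions discussed in this thread leave inspected.

Added example; not code from the coreruleset project or the thread participants.
"""
import re
from typing import Collection, Dict, Optional, Tuple

# Regex of CRS 3.3.2 rule 921110, copied from the ModSecurity log lines above.
CRS_921110_RX = re.compile(
    r"(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind"
    r"|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])"
)

# Constructed sample: the "object-global_groups" textarea value, one cache group
# per line (CR LF separated), exactly as the first log line reports it.
GLOBAL_GROUPS = (
    "users\r\nuserlogins\r\nuseremail\r\nuserslugs\r\nusermeta\r\nuser_meta\r\n"
    "site-transient\r\nsite-options\r\nsite-lookup\r\nsite-details\r\nblog-lookup\r\n"
    "blog-details\r\nblog-id-cache\r\nrss\r\nglobal-posts\r\nglobal-cache-test"
)

# Constructed sample: a cut-down settings POST. Field names come from the second
# log line; "object-global_groups" is appended because the log truncates the body.
SETTINGS_ARGS: Dict[str, str] = {
    "lscwp_ctrl": "save-settings",
    "lscwp_nonce": "ded951b393",
    "_wp_http_referer": "/wp-admin/admin.php?page=litespeed-cache",
    "cache": "1",
    "cache-priv": "1",
    "object-global_groups": GLOBAL_GROUPS,
}


def rule_921110_matches(value: str) -> Optional[str]:
    """Return the text 921110 would report as "Matched Data", or None.

    Assumption: the rule applies t:lowercase before @rx, modelled with str.lower().
    Note that "site-options" matches because the method list is not anchored on a
    word boundary: "options" + CR LF + "site-lookup" + CR is a complete match.
    """
    m = CRS_921110_RX.search(value.lower())
    return m.group(0) if m else None


def request_body(args: Dict[str, str]) -> str:
    """Assumption: REQUEST_BODY is modelled in decoded form, as the log prints it."""
    return "&".join(f"{name}={value}" for name, value in args.items())


def first_hit(
    args: Dict[str, str],
    rule_removed: bool = False,
    removed_targets: Collection[str] = (),
) -> Optional[Tuple[str, str]]:
    """Which variable 921110 reports for this request after ctl actions.

    rule_removed     models ctl:ruleRemoveById=921110
    removed_targets  models ctl:ruleRemoveTargetById=921110;<target> entries,
                     e.g. {"ARGS:object-global_groups", "REQUEST_BODY"}

    Variables are checked in the rule's order (ARGS before REQUEST_BODY) and the
    first match wins, which is why the thread saw ARGS:object-global_groups first
    and REQUEST_BODY only after that single target had been excluded.
    """
    if rule_removed:
        return None  # the whole rule is skipped for this transaction
    for name, value in args.items():
        target = f"ARGS:{name}"
        if target in removed_targets:
            continue
        matched = rule_921110_matches(value)
        if matched:
            return target, matched
    if "REQUEST_BODY" not in removed_targets:
        matched = rule_921110_matches(request_body(args))
        if matched:
            return "REQUEST_BODY", matched
    return None


if __name__ == "__main__":
    both = {"ARGS:object-global_groups", "REQUEST_BODY"}
    print("no exclusion        :", first_hit(SETTINGS_ARGS))
    print("ARGS target removed :", first_hit(SETTINGS_ARGS, removed_targets={"ARGS:object-global_groups"}))
    print("ARGS + body removed :", first_hit(SETTINGS_ARGS, removed_targets=both))
    # Constructed smuggling probe smuggled into another field of the same form:
    # still reported with target removal, invisible once the rule itself is removed.
    probe = {**SETTINGS_ARGS, "cache-vary_cookies": "GET /admin HTTP/1.1\r\n"}
    print("probe, targets removed:", first_hit(probe, removed_targets=both))
    print("probe, rule removed   :", first_hit(probe, rule_removed=True))
```

Running the script prints the three stages from the thread in order, then shows the difference between the two `ctl` actions: with `ruleRemoveTargetById` the rule still inspects every other argument of the settings POST, while `ruleRemoveById` switches 921110 off for every request to those pages.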