coreruleset / wordpress-rule-exclusions-plugin

Rule exclusion plugin for WordPress.
Apache License 2.0
17 stars 7 forks

WordPress: wp_autosave false positive at PL2 #42

Closed theMiddleBlue closed 7 months ago

theMiddleBlue commented 2 years ago

Description

WordPress has an autosave function while creating a new post or page. It sends an HTTP request with the content of the excerpt to /wp-admin.php that can contain HTML tags. This leads to false positives on different rules (see below) at PL2.

Audit Logs / Triggered Rule Numbers

example on CRS sandbox:

$ curl -s \
  -H 'x-crs-paranoia-level: 2' \
  -H 'x-backend: apache' \
  -H 'x-format-output: txt-matched-rules' \
  -d 'data[wp_autosave][excerpt]=<p><strong>25 Jun - 02 Jul 2023</strong></p>' \
  --path-as-is \
  "https://sandbox.coreruleset.org/wp-admin/admin-ajax.php"

941320 PL2 Possible XSS Attack Detected - HTML Tag Handler
942131 PL2 SQL Injection Attack: SQL Boolean-based attack detected
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 10)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=0-10-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=5, XSS=5, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0)

Confirmation

theMiddleBlue commented 2 years ago

I think it is basically missing ARGS:data[wp_autosave][excerpt]

in this rule: https://github.com/coreruleset/wordpress-rule-exclusions-plugin/blob/master/plugins/wordpress-rule-exclusions-before.conf#L458-L480
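One way the missing target exclusion could be expressed in CRS plugin style, as an added example that is not code from the wordpress-rule-exclusions-plugin itself: a chained rule scoped to admin-ajax.php that removes only the autosave excerpt argument from the two rules that fired at PL2 in the report above (941320 and 942131), leaving every other argument and every other rule untouched. The rule id 9507990 is a placeholder, the `ver` string is a placeholder, and the chain on `ARGS:action` equal to `heartbeat` is an assumption about how WordPress submits autosave data that should be checked against the plugin's existing wp_autosave rule before merging.

```apache
# Added example, not part of the plugin. Placeholder id 9507990; adjust to the
# plugin's id range. Phase 2 is needed because the autosave fields arrive in
# the POST body.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:9507990,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'wordpress-rule-exclusions-plugin/placeholder',\
    chain"
    # Assumption: autosaves are sent as the 'heartbeat' ajax action. Only when
    # that holds do we drop the single excerpt argument from the two rules
    # that produced the PL2 false positive; all other targets stay in scope.
    SecRule ARGS:action "@streq heartbeat" \
        "t:none,\
        ctl:ruleRemoveTargetById=941320;ARGS:data[wp_autosave][excerpt],\
        ctl:ruleRemoveTargetById=942131;ARGS:data[wp_autosave][excerpt]"
```

Re-running the curl request from the description against a sandbox with this exclusion loaded before the CRS rules should show 941320 and 942131 no longer matching on the excerpt parameter while the same HTML in any other argument still scores, which is the check that distinguishes a targeted exclusion from an over-broad `ruleRemoveById`.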

lifeforms commented 2 years ago

Should this not be in https://github.com/coreruleset/wordpress-rule-exclusions-plugin rather than core?

I found this autosave also and already fixed it in my private fork. I would like to upstream my changes to the plugin, but to prevent merge conflicts, I'd prefer to start my PR after https://github.com/coreruleset/wordpress-rule-exclusions-plugin/pull/8 is merged. If you could address my review comments, I'll get to it ASAP!

lifeforms commented 2 years ago

By the way, this is coreruleset/wordpress-rule-exclusions-plugin#42 🥳

theMiddleBlue commented 2 years ago

Thanks @lifeforms

I think I missed your review comments :/ sorry, can you add them to the PR?

lifeforms commented 2 years ago

@theMiddleBlue Sure, no problem. I can make the additions and merge your PR, then start my one. Will probably be Saturday.

theMiddleBlue commented 2 years ago

Thanks @lifeforms, or if you want to write your review in a comment, I can change my PR; I don't want to load you more since you're following other things.