coreruleset / wordpress-rule-exclusions-plugin

Rule exclusion plugin for WordPress.
Apache License 2.0

Issue - async-upload.php #51

Closed baptiste-fourmont closed 3 months ago

baptiste-fourmont commented 3 months ago

Hello,

Context

When someone uploads an "X_Y_Z.pdf" file on /wp-admin/upload.php we get this 400 error (example):

Extract of line 80 of modsecurity.conf:

SecRule REQBODY_ERROR "!@eq 0" \

Error

ModSecurity: Access denied with code 400 (phase 2). Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) 

[file "modsecurity.conf"] [line "80"] [id "200002"] [rev ""] 
[msg "Failed to parse request body."] 
[data "Multipart parsing error: Multipart: Final boundary missing."] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [uri "/wp-admin/async-upload.php"] [ref "v2132,1"],
request: "POST /wp-admin/async-upload.php HTTP/1.1", referrer: "wp-admin/upload.php"

airween commented 3 months ago

Hi @baptiste-fourmont,

thanks for reaching out to us - I'd risk saying this isn't a WordPress exclusion plugin issue.

Unfortunately this behavior can occur because of ModSecurity's (default) rule with id 2000002.

Personally - if I don't forget it - I always remove this rule. If you don't want to remove it completely, you can create an exclusion:

# Remove the request-body parsing rule (id 200002, the [id "..."] reported in the error log)
# only for requests to the async upload endpoint
SecRule REQUEST_URI "@beginsWith /wp-admin/async-upload.php" \
    "id:100001,\
    phase:1,\
    t:none,\
    nolog,\
    pass,\
    ctl:ruleRemoveById=200002"

This will prevent the rule from triggering when you upload something through that endpoint.

baptiste-fourmont commented 3 months ago

Thank you :)

Could we maybe modify the rule 9507790 to prevent it?

SecRule REQUEST_URI "@beginsWith /wp-admin/async-upload.php" \
    "id:100001,\
    phase:1,\
    t:none,\
    nolog,\
    pass,\
    ctl:ruleRemoveById=200002"

airween commented 3 months ago

Could we maybe modify the rule 9507790 to prevent it?

Maybe - I don't use the WP exclusion plugin (or I use it in only very few places), and I haven't faced this problem yet. (And as I wrote, I'm used to removing that rule.)

baptiste-fourmont commented 3 months ago

Thank you @airween

Fix:

SecRule REQUEST_URI "@beginsWith /wp-admin/async-upload.php" \
    "id:100001,\
    phase:1,\
    t:none,\
    nolog,\
    pass,\
    ctl:ruleRemoveById=200002"
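As an added example (not part of this issue thread and not code from the plugin), the Python script below parses the ModSecurity error-log entry quoted at the top of the issue, pulls the `[id "..."]` and `[uri "..."]` fields out of it, and renders the same `ctl:ruleRemoveById` exclusion discussed above. Taking the id from the log instead of retyping it avoids the 2000002 / 200002 digit slip that came up in the thread. The sample log line is constructed from the one in the issue, and the helper names (`parse_modsec_line`, `exclusion_for`, `blocking_rules`) are my own.

```python
import re

# Constructed sample input: the error-log entry from this issue, joined onto the
# single line in which nginx/ModSecurity v2 actually writes it.
SAMPLE_LOG = (
    "ModSecurity: Access denied with code 400 (phase 2). "
    "Matched \"Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) "
    '[file "modsecurity.conf"] [line "80"] [id "200002"] [rev ""] '
    '[msg "Failed to parse request body."] '
    '[data "Multipart parsing error: Multipart: Final boundary missing."] '
    '[severity "2"] [ver ""] [maturity "0"] [accuracy "0"] '
    '[uri "/wp-admin/async-upload.php"] [ref "v2132,1"], '
    'request: "POST /wp-admin/async-upload.php HTTP/1.1", referrer: "wp-admin/upload.php"'
)

# One bracketed [key "value"] pair as ModSecurity v2 prints them.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_modsec_line(line):
    """Return the [key "value"] fields of a ModSecurity log line as a dict.

    Fields with an empty value (e.g. [rev ""]) are kept with "" so a caller can
    tell "present but empty" from "absent".
    """
    return dict(FIELD_RE.findall(line))


def exclusion_for(fields, exclusion_id, phase=1):
    """Render a ctl:ruleRemoveById rule scoped to the URI seen in the log.

    Returns None when the entry carries no numeric [id] or no absolute [uri]:
    an exclusion built from a missing or malformed id would silently do nothing.
    """
    rule_id = fields.get("id", "")
    uri = fields.get("uri", "")
    if not rule_id.isdigit() or not uri.startswith("/"):
        return None
    return (
        f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n'
        f'    "id:{exclusion_id},\\\n'
        f'    phase:{phase},\\\n'
        '    t:none,\\\n'
        '    nolog,\\\n'
        '    pass,\\\n'
        f'    ctl:ruleRemoveById={rule_id}"'
    )


def blocking_rules(lines):
    """Count (rule id, uri) pairs over several log lines, to see which rule blocks which endpoint."""
    counts = {}
    for line in lines:
        fields = parse_modsec_line(line)
        if "id" in fields and "uri" in fields:
            key = (fields["id"], fields["uri"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Two copies of the constructed entry stand in for a short log excerpt.
    print(blocking_rules([SAMPLE_LOG, SAMPLE_LOG]))
    print(exclusion_for(parse_modsec_line(SAMPLE_LOG), 100001))
```

Run it against real entries by feeding `blocking_rules` the lines of the error log that contain `ModSecurity: Access denied`; the counts show which rule id is rejecting which URI before you decide whether a per-endpoint exclusion, as in the thread, is the right scope.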