getgrav / grav

Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
https://getgrav.org
MIT License
14.48k stars 1.4k forks

[BUG] grav-tabs-state generates a 403 error with mod_security #2419

Open ganar opened 5 years ago

ganar commented 5 years ago

The mod_security configuration in Apache, on the CWP7.admin, generates a 403 access denied error when running Grav CMS:

[Thu Mar 21 15:40:47.967502 2019] [:error] [pid 21727:tid 140715786946304] [client 186.67.206.59:57900] [client 186.67.206.59] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*?){8,}" at REQUEST_COOKIES:grav-tabs-state. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within REQUEST_COOKIES:grav-tabs-state: {\x22tab-content.options.advanced\x22:\x22data.content\x22,\x22tab-content.options\x22:\x22data.content\x22,\x22tab-content.options.advanced.blog\x22:\x22data.options\x22}"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "xxxxxxxx.com"] [uri "/favicon.ico"] [unique_id "XJOwf0cQATwA6mgjE8O7AwAAANc"], referer: http://xxxxxxxx.com/

This error only happens when visiting the website a second time, making it very hard to solve.

I managed to solve the issue by setting up a special exclusion from the mod_security rule for Grav, but this is only possible if you have access to the Apache configuration.

I think this must be solved in the cookie.

w00fz commented 5 years ago

That cookie is, as the name states, to remember and restore the active tab in admin.

Of course nothing malicious can happen with that nor is to be considered insecure but I get the annoyance of it being logged.

The value I’m storing is in json format, do you think base64 encoding it all would prevent mod security from yelling?

ganar commented 5 years ago

> Of course nothing malicious can happen with that nor is to be considered insecure but I get the annoyance of it being logged.

Maybe I'm not being clear: the entire site —admin and frontend— gives an error 403 (access denied).

ModSecurity: Access denied with code 403

I was able to reproduce the error in the same server with two different installations of Grav. Readers from Argentina and Brazil got in touch with me to tell me that the website was down.

> The value I’m storing is in json format, do you think base64 encoding it all would prevent mod security from yelling?

Maybe, look at the pattern match. I think it does not like the special characters:

Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*?){8,}"
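The two questions the thread leaves open are what CRS rule 981172 actually counts and whether base64-encoding the JSON keeps the cookie under its threshold. The following is an added example, not Grav's, the admin plugin's or the OWASP CRS's own code: it is Node.js (it uses `Buffer` for the base64 step), the character class is copied from the rule body quoted in the log above, the cookie value is constructed from the log's Matched Data field, and the encoder/decoder helper names are hypothetical. It also goes one step past the thread: plain base64 can still trip the rule, because `+` and `=` are in the restricted set, so the safe encoder swaps the alphabet.

```javascript
// Added example (not Grav's or CRS's code): reproduce CRS 2.2.9 rule 981172 locally
// and check which cookie encodings stay below its threshold of 8 restricted characters.

// Character class copied from the rule body in the ModSecurity log; the rule fires
// once 8 or more of these characters occur anywhere in the inspected value.
const RULE_981172 = /([~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>].*?){8,}/;

// Equivalent count-based check: same 29 characters, easier to reason about.
const RESTRICTED = new Set('~!@#$%^&*()-+={}[]|:;"\'´’‘`<>');
function restrictedCharCount(value) {
  let n = 0;
  for (const ch of value) if (RESTRICTED.has(ch)) n++;
  return n;
}
function wouldTrigger981172(value) {
  return RULE_981172.test(value);
}

// Cookie value constructed from the log's Matched Data field.
const tabState = {
  'tab-content.options.advanced': 'data.content',
  'tab-content.options': 'data.content',
  'tab-content.options.advanced.blog': 'data.options',
};
const rawCookie = JSON.stringify(tabState);
// Braces (2) + quotes (12) + colons (3) + hyphens in "tab-content" (3) = 20 >= 8.

// Plain base64 as suggested in the thread. Only '+' and '=' of its alphabet are
// restricted, but a value with enough '+' bytes still reaches the threshold.
function encodeBase64(input) {
  return Buffer.from(input).toString('base64');
}

// Hypothetical safe encoder: base64 with '+' -> '.' and '/' -> '_' and no '='
// padding, so no restricted character can appear in the cookie at all.
function encodeCookieSafe(input) {
  return Buffer.from(input).toString('base64')
    .replace(/\+/g, '.').replace(/\//g, '_').replace(/=+$/, '');
}
function decodeCookieSafe(encoded) {
  // Node's base64 decoder accepts missing padding, so only the alphabet is restored.
  const b64 = encoded.replace(/\./g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Constructed worst case for plain base64: bytes FB EF BE encode to "++++",
// so nine of them give twelve '+' characters and trigger the rule on their own.
const hostileBytes = Buffer.from([0xfb, 0xef, 0xbe, 0xfb, 0xef, 0xbe, 0xfb, 0xef, 0xbe]);

for (const [label, value] of [
  ['raw JSON', rawCookie],
  ['plain base64 (JSON)', encodeBase64(rawCookie)],
  ['plain base64 (hostile bytes)', encodeBase64(hostileBytes)],
  ['safe alphabet (JSON)', encodeCookieSafe(rawCookie)],
  ['safe alphabet (hostile bytes)', encodeCookieSafe(hostileBytes)],
]) {
  console.log(`${label}: ${restrictedCharCount(value)} restricted chars, ` +
              `403 from rule 981172: ${wouldTrigger981172(value)}`);
}
```

Run it with `node`. The raw JSON value scores 20 and is blocked, exactly as the log shows; the swapped-alphabet encoding scores 0 regardless of input and round-trips back to the original JSON. Where the Apache configuration is reachable, the server-side alternative is a per-rule target exclusion such as `SecRuleUpdateTargetById 981172 !REQUEST_COOKIES:grav-tabs-state` (a standard ModSecurity 2.x directive; the thread does not show which exclusion the reporter actually used).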