owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

Rule exclusions while using the wordpress app for iOS! Desperately need help! #267

Closed Danrancan closed 2 years ago

Danrancan commented 2 years ago

Hi,

I am very new to modsecurity, and have been struggling quite a bit with rule exclusions that are beyond the scope of the examples shown in this tutorial from Linuxbabe.com. If this is the wrong place to make this post I apologize in advance. I am running a Wordpress LEMP server, and my issue is specific to getting the iOS Wordpress app working properly, without modsecurity flagging posts from the iOS Wordpress app as attacks. Also, note, I am using the OWASP ruleset with modsecurity.

The core issues I am having with my wordpress app are that when turning plugins on and off from the iOS app, modsecurity denies that action. The second (and more important) issue I am having with the iOS app is making posts from the iOS app. Specifically I am having trouble making posts that have a single picture, or a picture gallery, in the iOS app.

Initially, the iOS app would not let me make any posts whatsoever, including plain text posts. As of now, I have managed to create a rule exclusion to allow plain text posts, however, that is as far as I have gotten, and any other attempts to unblock (with rule exclusions) picture uploads and gallery posts containing photos, have been a failure. Furthermore any attempts to unblock plugin use and activation from the iOS Wordpress app have also been a failure.

I have been tinkering with this for about 2 months now, and am resorting to posting on here in a desperate attempt for a pro to look at my logs and possibly help me create the proper rule exclusions to get my iOS app fully working.

Problem 1) Solved

To begin, these are the logs that were created when trying to make a TEXT BASED POST on the Wordpress iOS app: https://pastebin.com/N0UugaAc

After looking at these logs and grasping a mild understanding from linuxbabe.com's tutorial, i created the following rule in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file:

# Allow iOS app to create and save TEXT BASED posts. This rule does not allow plugins to work yet. WORKING!
SecRule REQUEST_URI "@streq /xmlrpc.php" "id:1030,phase:1,ctl:ruleRemoveById=941180"

This rule alone successfully allows iOS to make text based posts, but does not allow posting photos or uploading photos. Problem 1 solved.

Problem 2) Unsolved

The next problem I am having is trying to upload photos (multiple as well as single) and make a photo based post from the iOS app. These are the logs that were created when trying to make a TEXT BASED POST on the Wordpress iOS app:

https://pastebin.com/nN7h5stb

I have tried the following rule exclusions to allow multi-photo blog posts in wordpress, and none have worked thus far.

# Allow iOS Wordpress app to create and save picture based posts.

SecRule REQUEST_URI "@streq /xmlrpc.php" "id:1031,phase:1,ctl:ruleRemoveById=941100"
SecRule REQUEST_URI "@streq /xmlrpc.php" "id:1033,phase:1,ctl:ruleRemoveByID=941160"
SecRule REQUEST_URI "@streq /xmlrpc.php" "id:1034,phase:1,ctl:ruleRemoveByID=932140"

Could someone please do me a big great favor and take a look at the above logs, and help me create a proper rule exclusion for posting photos with the Wordpress iOS app?

Problem 3) Unsolved

The Final exclusion I need is to allow the wordpress iOS app to turn on and off plugins. Currently plugins are on. Below is the log posted when trying to turn a plugin off....

https://pastebin.com/jsbC2HBd

I have tried the following rule exclusions for plugin activation and deactivation (specifically the Flamingo plugin) from within the iOS Wordpress App, and none have worked thus far.

SecRule REQUEST_URI "@within /wp-json/wp/v2/plugins/flamingo/flamingo" "id:1040,phase:2,ctl:ruleRemoveById=1642837425"

Could someone, again, please do me a big great favor and take a look at the above logs, and help me create a proper rule exclusion for activating and deactivating plugins in the Wordpress iOS app?

Super sorry for the long post, and again, sorry if this has been posted in the wrong place. I'm just desperate at this point. Thank you supremely to any and all people who can help me out here with the proper exclusions. Thank you thank you thank you!
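For readers landing on this thread with the same problem, here is an added example (not the poster's rules and not CRS project code) of how such exclusions are conventionally written in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. The rule ids 941180, 941100, 941160 and 932140 are the ones named above; which ids actually need relaxing for a given request is what the `[id "..."]` fields in section H of the audit log for the blocked transaction have to confirm, and the id used for the `/wp-json/wp/v2/plugins/` rule is an assumption standing in for whatever that log shows.

```apacheconf
# Added example; not the original poster's configuration or part of CRS.
# Exclusions that use ctl: must execute before the CRS rules, hence this
# file, phase:1 and rule ids in the 1-99999 range reserved for local rules.

# Match on the path only. REQUEST_URI also carries the query string, so
# "@streq /xmlrpc.php" would not match "/xmlrpc.php?for=jetpack";
# REQUEST_FILENAME is the path without the query string.
SecRule REQUEST_FILENAME "@streq /xmlrpc.php" \
    "id:1030,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=941180"

# Several rules can be removed from one exclusion rule, one ctl: per id.
# Every id removed here is a rule that no longer inspects any request to
# xmlrpc.php, a path that is also a favourite for brute force and pingback
# abuse, so remove only the ids the audit log shows matching.
SecRule REQUEST_FILENAME "@streq /xmlrpc.php" \
    "id:1031,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=941100,\
    ctl:ruleRemoveById=941160,\
    ctl:ruleRemoveById=932140"

# Plugin (de)activation goes through the REST API and the plugin slug is part
# of the path, so match the prefix rather than one plugin. The number after
# ruleRemoveById must be a CRS rule id taken from the [id "..."] field of the
# log line, never the [unique_id "..."] field, which identifies the request.
# 941180 here is an ASSUMED stand-in; substitute the id from section H.
SecRule REQUEST_FILENAME "@beginsWith /wp-json/wp/v2/plugins/" \
    "id:1040,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=941180"
```

After editing, run the nginx configuration test (`nginx -t`) and re-run the blocked action; if the request is still denied, the H section of the new audit log entry will list the remaining matching ids.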

airween commented 2 years ago

Hi @Danrancan,

first of all, I'm not sure this is the right place for your issue. Looks like you've run into a rule-set based problem, not an engine problem, and even less a connector issue.

Based on your shared logs, I think the best place for your question is the coreruleset GH page.

Before we step away, let me show you our repository: https://modsecurity.digitalwave.hu/ - with this, you can avoid the "pain" of the whole build procedure. We support Ubuntu 18.04 and 20.04 (LTS versions) (and of course all supported Debian releases).

Problem 1) Solved

okay, we don't need this one :)

Problem 2) Unsolved

Problem 3) Unsolved

I do not want to solve your issue(s) here, but it seems to me that the logs on the shared link are not consistent. I mean I see in the error log "Matched Data: zgrab found within REQUEST_HEADERS:User-Agent: mozilla/5.0 zgrab/0.x"], but in the given audit log I see user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 wp-iphone/19.0 header. So, if you open an issue under coreruleset, please try to clarify the shared logs.

Danrancan commented 2 years ago

Hey @airween, I do apologize for posting this in the wrong place. I suspected I might be doing so but didn't know of what other avenue of information I should take. So thank you for clarifying this and pointing me toward the coreruleset github page. In fact, thank you for the quick and concise reply in general. I will definitely check out the links you posted and do some research.

UPDATE: I just checked out the link for precompiled modsecurity packages from https://modsecurity.digitalwave.hu. Unfortunately, it looks like all of the packages are compiled only for the AMD64 architecture, and I am actually working on a Raspberry Pi 4 (aarch64) running Ubuntu Server 20.04. So I still need to compile the module myself. However, I would like to contribute (if possible), to the digitalwave.hu cause, and upload my compiled modules for the raspberry pi 4 to the site to freely share them with others. I figure if I'm compiling these packages with every update anyway, I might as well share them for the Raspberry Pi Community to use. Is this possible, and if so, where would I start with this? A point in the right direction would be great.

Lastly, what exactly do you mean by the logs not being consistent? I don't exactly know what you mean by clarifying the shared logs. Did I not obtain these logs correctly or obtain the correct logs somehow? To acquire these logs, I just used the command sudo tail -f /var/log/modsec_audit.log, and then attempted to make a post on my iOS app, copying and pasting all of the log info that the tail command outputted. Is there a better way of doing this? Again, sorry for posting in the wrong place, and thank you for your time and help!

airween commented 2 years ago

Hi @Danrancan,

Hey @airween, I do apologize for posting this in the wrong place.

I think it's no problem :)

I suspected I might be doing so but didn't know of what other avenue of information I should take. So thank you for clarifying this and pointing me toward the coreruleset github page. In fact, thank you for the quick and concise reply in general. I will definitely check out the links you posted and do some research.

You're welcome :)

UPDATE: I just checked out the link for precompiled modsecurity packages from https://modsecurity.digitalwave.hu. Unfortunately, it looks like all of the packages are compiled only for the AMD64 architecture, and I am actually working on a Raspberry Pi 4 (aarch64) running Ubuntu Server 20.04.

Yes, currently we support only the amd64 arch. I have to tell you, it's a bit hard to maintain so many packages for so many systems (3 Debian and 2 Ubuntu). And the main goal is to try to keep each package (mod_security2, libmodsecurity3) updated, quasi-continuously.

So I still need to compile the module myself.

Yes, definitely. I'm sorry. (Once I started to build the packages for i386, but I really don't have enough time for that, so I removed them.)

However, I would like to contribute (if possible), to the digitalwave.hu cause, and upload my compiled modules for the raspberry pi 4 to the site to freely share them with others. I figure if I'm compiling these packages with every update anyway, I might as well share them for the Raspberry Pi Community to use. Is this possible, and if so, where would I start with this? A point in the right direction would be great.

Oh, sounds great! I have to figure out how we can integrate those packages. Please contact me in private, or if it is possible, I can reach you through the address you gave on your GH page.

Lastly, what exactly do you mean by the logs not being consistent? I don't exactly know what you mean by clarifying the shared logs.

Ah, sorry, I didn't realize that the shared info (like this) contains more than one transaction.

Take a look at these lines from there:

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `scanners-user-agents.data' against variable `REQUEST_HEADERS:User-Agent' (Value: `Mozilla/5.0 zgrab/0.x' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [rev ""] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: zgrab found within REQUEST_HEADERS:User-Agent: mozilla/5.0 zgrab/0.x"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/118/224/541/310"] [tag "PCI/6.5.10"] [hostname "10.10.10.2"] [uri "/owa/auth/logon.aspx"] [unique_id "1644102303"] [ref "o12,5v94,21t:lowercase"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `149.28.125.6' ) [file "/etc/nginx/modsec/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "718"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "149.28.125.6"] [severity "4"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "10.10.10.2"] [uri "/owa/auth/logon.aspx"] [unique_id "1644102303"] [ref "o0,12v69,12"]

In the first line, the UA header is mozilla/5.0 zgrab/0.x, but I can't find it in the audit.log. The second line contains the host header as 149.28.125.6, which is also missing from the audit.log. It seems to me that these lines are not necessary.

I just used the command sudo tail -f /var/log/modsec_audit.log, and then attempted to make a post on my iOS app, copying and pasting all of the log info that the tail command outputted. Is there a better way of doing this?

Yes, check the transaction id, and share only those. Please note, that an audit.log entry always starts with section A and finishes with Z - these are mandatory fields. The previous part of the given boundary is the unique id of the transaction. The engineer who wants to solve the issue needs the full transaction log entry - but not more.

martinhsv commented 2 years ago

One thing I noticed with Problem 3, that appeared to not be highlighted yet in the thread, is that you have used ctl:ruleRemoveById=1642837425

That doesn't look like a CRS rule id. Is it possible that you inadvertently used the unique_id from the audit log message where you first saw this?
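Two points made above are easy to get wrong by hand: a serial audit log is a sequence of transactions, each running from its `A` section to its `Z` section, and only the whole transaction for the request of interest should be shared; and the number after `ctl:ruleRemoveById` must come from the `[id "..."]` field of a log line, not from `[unique_id "..."]`. The following is an added example (not part of ModSecurity, the connector or CRS) that splits a libmodsecurity native-format audit log into transactions, reports the request line, User-Agent and matched rule ids per transaction, and checks whether a number used in an exclusion is really a transaction id. The two-transaction log embedded below is constructed for the example from the fields quoted in this thread; it is not the poster's log.

```python
"""Split a ModSecurity v3 serial (native) audit log into transactions and
summarise each: unique_id, request line, User-Agent, matched CRS rule ids.
Added example, not project code. Assumes the native audit log layout:
a separator line "---<boundary>---<letter>--" opens each section, section A
is "[timestamp] unique_id client_ip client_port server_ip server_port",
section B holds the request line and headers, section H the rule messages."""
import re
from dataclasses import dataclass, field

SEPARATOR = re.compile(r"^---(?P<boundary>[^-]+)---(?P<section>[A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')          # does not match [unique_id "..."]


@dataclass
class Transaction:
    boundary: str
    sections: dict = field(default_factory=dict)   # section letter -> list of lines

    @property
    def unique_id(self):
        a = " ".join(self.sections.get("A", [])).strip()
        m = re.match(r"\[[^\]]*\]\s+(\S+)", a)   # token after the [timestamp]
        return m.group(1) if m else None

    @property
    def request_line(self):
        b = [ln for ln in self.sections.get("B", []) if ln.strip()]
        return b[0] if b else None

    def header(self, name):
        for line in self.sections.get("B", [])[1:]:
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == name.lower():
                return value.strip()
        return None

    @property
    def rule_ids(self):
        h = self.sections.get("H", [])
        return sorted({int(i) for ln in h for i in RULE_ID.findall(ln)})

    @property
    def complete(self):
        # A and Z are the mandatory opening and closing sections.
        return "A" in self.sections and "Z" in self.sections


def parse_audit_log(text):
    """Group the lines of a serial audit log into Transaction objects."""
    transactions, current, section = [], None, None
    for line in text.splitlines():
        m = SEPARATOR.match(line)
        if m:
            boundary, section = m.group("boundary"), m.group("section")
            if section == "A" or current is None or current.boundary != boundary:
                current = Transaction(boundary)
                transactions.append(current)
            current.sections.setdefault(section, [])
            continue
        if current is not None and section is not None:
            current.sections[section].append(line)
    return transactions


def find_transaction(transactions, unique_id):
    return next((t for t in transactions if t.unique_id == unique_id), None)


def exclusion_id_is_unique_id(transactions, number):
    """True if a number used in ctl:ruleRemoveById is really a transaction id."""
    return any(t.unique_id == str(number) for t in transactions)


def summarize(tx):
    return {"unique_id": tx.unique_id, "request": tx.request_line,
            "user_agent": tx.header("User-Agent"), "rule_ids": tx.rule_ids,
            "complete": tx.complete}


# Constructed sample log (two transactions), not the poster's real audit log.
SAMPLE_LOG = r"""---aaaaaaaa---A--
[05/Feb/2022:22:25:03 +0000] 1644102303 203.0.113.9 51234 10.10.10.2 443
---aaaaaaaa---B--
GET /owa/auth/logon.aspx HTTP/1.1
Host: 149.28.125.6
User-Agent: Mozilla/5.0 zgrab/0.x
---aaaaaaaa---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `scanners-user-agents.data' against variable `REQUEST_HEADERS:User-Agent' (Value: `Mozilla/5.0 zgrab/0.x' ) [id "913100"] [msg "Found User-Agent associated with security scanner"] [unique_id "1644102303"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `149.28.125.6' ) [id "920350"] [msg "Host header is a numeric IP address"] [unique_id "1644102303"]
---aaaaaaaa---Z--

---bbbbbbbb---A--
[05/Feb/2022:22:26:10 +0000] 1642837425 198.51.100.7 50001 10.10.10.2 443
---bbbbbbbb---B--
PUT /wp-json/wp/v2/plugins/flamingo/flamingo HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 wp-iphone/19.0
---bbbbbbbb---H--
ModSecurity: Warning. Matched "Operator `Rx' against variable `ARGS' [id "941180"] [unique_id "1642837425"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' [id "949110"] [unique_id "1642837425"]
---bbbbbbbb---Z--
"""

if __name__ == "__main__":
    txs = parse_audit_log(SAMPLE_LOG)
    for tx in txs:
        print(summarize(tx))
    # The number the thread's Problem 3 rule used is a unique_id, not a rule id.
    print("1642837425 is a transaction id:", exclusion_id_is_unique_id(txs, 1642837425))
```

Run it against the real file with `parse_audit_log(open("/var/log/modsec_audit.log").read())`, pick the transaction whose request line and User-Agent belong to the app, and share that one transaction from its `A` to its `Z` section; its `rule_ids` are the candidates for `ctl:ruleRemoveById`.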

Danrancan commented 2 years ago

One thing I noticed with Problem 3, that appeared to not be highlighted yet in the thread, is that you have used ctl:ruleRemoveById=1642837425

That doesn't look like a CRS rule id. Is it possible that you inadvertently used the unique_id from the audit log message where you first saw this?

Ahh yes, this is possible! Thanks for the good eye! I will take a look at this and make corrections if necessary. P.S. I have emailed you from my private email address. Hope you got it.

Thanks!

martinhsv commented 2 years ago

I did not receive any private email message. If there is something that cannot be shared in github because of security issues, there is an email address https://github.com/SpiderLabs/ModSecurity#security-issue . I am one of the recipients for that address.

martinhsv commented 2 years ago

With no further activity, I'm going to go ahead and close this.