usmannasir / cyberpanel

Cyber Panel - The hosting control panel for OpenLiteSpeed
GNU General Public License v3.0

Cannot access: 403 Forbidden with MODSECURITY RULES #1181

Closed eakteam closed 5 months ago

eakteam commented 5 months ago

If we activate the OWASP ModSecurity Core Rules, some menus on CyberPanel such as Website->List->Manage, Access Logs, File Manager and more cannot be accessed; they return 403 Forbidden.

This is the error shown at Logs->Error Logs:

2024-01-13 21:31:21.644932 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)' against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"] [ref "o7,4o8,3v14,11o71,5t:urlDecodeUni,t:lowercase"]
2024-01-13 21:31:21.654301 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security]Intervention status code triggered: 403
2024-01-13 21:31:21.654340 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security]Log Message: [client 109.234.233.130] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"] [ref ""]

It's rule number 18 -> REQUEST-949-BLOCKING-EVALUATION which is causing the 403 Forbidden.
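As an added example (not from this issue or the CyberPanel project), a small Python triage script over the log lines above: it separates the CRS rule that actually scored the request (920440, the restricted-extension check matching the `.com` in `/websites/eakteam.com`) from the anomaly-score aggregator 949110 that issued the 403, and drafts a host-scoped `ctl:ruleRemoveById` exclusion for the panel hostname. The `SecRule` exclusion syntax is standard ModSecurity; the rule ids from 1000 upward and the sample lines (copied from the issue, with the `[tag ...]` fields trimmed) are constructed for the example.

```python
import re

# Constructed sample: the two scoring/blocking lines from the issue, with the [tag ...] fields trimmed.
SAMPLE_LOG = """\
2024-01-13 21:31:21.644932 [INFO] [41359] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .com/' against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"]
2024-01-13 21:31:21.654301 [INFO] [41359] [Module:mod_security]Intervention status code triggered: 403
2024-01-13 21:31:21.654340 [INFO] [41359] [Module:mod_security]Log Message: [client 109.234.233.130] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"]
"""

# ModSecurity writes its structured fields as [key "value"]; this captures each pair.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# CRS rule families that only evaluate the accumulated anomaly score (949 blocking, 980 correlation);
# excluding these would disable blocking entirely, so they are never exclusion candidates.
AGGREGATOR_PREFIXES = ("949", "980")


def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity log line plus whether it was a warning or a deny."""
    fields = dict(FIELD_RE.findall(line))
    fields["action"] = "deny" if "Access denied" in line else "warning"
    return fields


def triage(log_text):
    """Split events into the rules that contributed score and the aggregator that issued the 403."""
    events = [parse_modsec_line(l) for l in log_text.splitlines() if "ModSecurity:" in l]
    contributing = [e for e in events if not e["id"].startswith(AGGREGATOR_PREFIXES)]
    blocking = [e for e in events if e["id"].startswith(AGGREGATOR_PREFIXES) and e["action"] == "deny"]
    return contributing, blocking


def exclusion_candidates(contributing):
    """Draft one host-scoped exclusion per (hostname, rule id), for review before adding to
    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. Ids 1000+ are an assumed free user range."""
    lines = []
    pairs = sorted({(e["hostname"], e["id"]) for e in contributing})
    for n, (host, rule_id) in enumerate(pairs, start=1000):
        lines.append(f'SecRule REQUEST_HEADERS:Host "@streq {host}" '
                     f'"id:{n},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')
    return lines


if __name__ == "__main__":
    scored, denied = triage(SAMPLE_LOG)
    for e in scored:
        print(f'scored by {e["id"]} ({e["msg"]}) on {e["uri"]} data={e["data"]}')
    for e in denied:
        print(f'403 issued by {e["id"]} ({e["msg"]})')
    print("\n".join(exclusion_candidates(scored)))
```

Scoping the exclusion to the panel Host header keeps rule 920440 active for the customer sites served by the same OpenLiteSpeed instance.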

usmannasir commented 5 months ago

Wow, how is this possible, because both run on different servers? I'll check.

eakteam commented 5 months ago

@usmannasir If you want, I can give you TeamViewer or AnyDesk support so you can see it yourself in real time, also about the duplicate DNS record as I said in another bug report.

usmannasir commented 5 months ago

Kindly share a small video recording; it is not possible for me to go on TV/AD.

As I cannot reproduce on my end.

eakteam commented 5 months ago

@usmannasir I am unable to create a video at the moment, but please note that I use a proxy to access CyberPanel without port 8090, via a subdomain name, with port 8090 closed on the firewall, using this configuration:

nano /usr/local/lsws/conf/httpd_config.conf

extprocessor cyberpanel {
  type                    proxy
  address                 https://panel.example.com:8090
  maxConns                100
  pcKeepAliveTimeout      60
  initTimeout             60
  retryTimeout            0
  respBuffer              0
}

Maybe this is the cause?

usmannasir commented 5 months ago

Yes, definitely, because then traffic passes through your main server. In this case we cannot do anything, because access logs/file manager do contain that stuff.