The Old Man
Posted April 23, 2017

Hi,

A few days ago I logged into my cloud VPS WHM and was prompted to install updated Modsec rules from OWASP:

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS

I installed the vendor rule set and all seemed okay, but I've since become aware of complaints from my IPS members that they cannot post attachments without getting a 403 Error.

I have been able to replicate the issue simply by trying to post a reply with an uploaded image attachment; I get a 403 Forbidden Error. I'm not too experienced with this but the Modsec Tools Hitlist in WHM shows no hits. I don't currently have root access.

(I've also found incidentally I can't save a Wordpress theme CSS/templates, even if it contains no changes and I simply click on the update without seeing the same 403 Forbidden Error unless I switch Modsec off temporarily.)

I disabled the rule REQUEST-913-SCANNER-DETECTION and the issue went away. I reactivated it and the 403 returned. I tried disabling rule REQUEST-933-APPLICATION-ATTACK-PHP and it didn't stop the 403. I disabled it and disabled the first one 913, but the 403 is still happening, even after a graceful server reboot.

Has anyone else come across this? I don't want to turn Modsec off completely.

Many thanks.

Server config:

Managed VPS with SSD
CENTOS 6.9 x86_64 virtuozzo
Cpanel and WHM 64 build 15
PHP7.0.17
48 CPUs
4GB RAM
Load 0.03 (48 cpus) / Mem usage 21.93%
mysql (5.6.35)
Easy Apache 3

Running 4 sites (1+3 addon domains/sites):-

4.1.19.2 Forums, Chatbox, Gallery, Blogs and main website
4.1.19.2 Pages & Gallery
4.1.19.2 Gallery and main website
4.1.19.2 Gallery and Wordpress main site

The Old Man (Author)
Posted April 23, 2017

The log has just started showing entries in the Hitlist as I've tried to save replies with image attachments. The rules being triggered as false positives seem to be 949110, 980130 and 941160.

Some examples:

CRITICAL 403
949110: Inbound Anomaly Score Exceeded (Total Score: 10)
Request: POST /XxXxXx/topic/26727-test-post/?failedReply=1
Action Description: Access denied with code 403 (phase 2).
Justification: Operator GE matched 5 at TX:anomaly_score.

980130: Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=10,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection
Request: POST /XxXxXx/topic/26727-test-post/
Action Description: Warning.
Justification: Operator GE matched 5 at TX:inbound_anomaly_score.

403
941160: NoScript XSS InjectionChecker: HTML Injection
Request: POST /XxXXx/topic/26727-test-post/
Action Description: Warning.
Justification: Pattern match "(?i)<[^\\w<>]*(?:[^<>\"'\\s]*:)?[^\\w<>]*(?:\\W*?s\\W*?c\\W*?r\\W*?i\\W*?p\\W*?t|\\W*?f\\W*?o\\W*?r\\W*?m|\\W*?s\\W*?t\\W*?y\\W*?l\\W*?e|\\W*?s\\W*?v\\W*?g|\\W*?m\\W*?a\\W*?r\\W*?q\\W*?u\\W*?e\\W*?e|(?:\\W*?l\\W*?i\\W*?n\\W*?k|\\W*?o\\W*?b\\W*?j\\W*?e\ ..." at ARGS:topic_comment_26727.
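
The hit list in the post above can be sorted mechanically. This is an added example, not part of the original thread: it separates the rule that matched request content from the rules that only compare the anomaly score with the threshold, and prints a per-argument exclusion for the former. The sample lines are shortened from the post, and the function names are this example's own.

```python
import re

# Constructed sample: the three hit-list entries quoted in the post above,
# shortened to the fields this script reads (the regex text is omitted).
HITLIST = """\
949110: Inbound Anomaly Score Exceeded (Total Score: 10) Justification: Operator GE matched 5 at TX:anomaly_score.
980130: Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=10,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0) Justification: Operator GE matched 5 at TX:inbound_anomaly_score.
941160: NoScript XSS InjectionChecker: HTML Injection Justification: Pattern match "..." at ARGS:topic_comment_26727.
"""

ENTRY = re.compile(r"^(?P<id>\d{6}): (?P<msg>.*?) Justification: .* at (?P<var>[\w:]+)\.$")

def parse_hits(text):
    """Return one dict per hit-list line: rule id, message, matched variable."""
    return [m.groupdict() for m in map(ENTRY.match, text.splitlines()) if m]

def triage(hits):
    """Split hits into detection rules and anomaly-score bookkeeping rules.

    A rule whose match target is a TX: score variable only compares the
    running total with the threshold; it fires because another rule scored.
    """
    detection = [h for h in hits if not h["var"].startswith("TX:")]
    scoring = [h for h in hits if h["var"].startswith("TX:")]
    return detection, scoring

def exclusion_for(hit):
    """Candidate per-argument exclusion for one detection hit (ModSecurity 2.x)."""
    return f'SecRuleUpdateTargetById {hit["id"]} "!{hit["var"]}"'

if __name__ == "__main__":
    detection, scoring = triage(parse_hits(HITLIST))
    print("score/threshold rules:", [h["id"] for h in scoring])
    for h in detection:
        print("tune this one:", h["id"], "->", exclusion_for(h))
```

The printed `SecRuleUpdateTargetById` line has to be loaded after the CRS rule files, and the argument name it excludes carries the topic id from the log (26727), so as written it covers only that topic's reply field.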

The Old Man (Author)
Posted April 27, 2017

Polite bump! Nobody else having these Modsec issues with the latest OWASP ruleset?

Many thanks.

nodle
Posted April 27, 2017

I don't know if this will help or not, but I had a problem with Mod security when I changed hosts once, I couldn't get attachments to show. They had me add:

SecFilterEngine Off
SecFilterScanPOST Off

Into my .htaccess file, which then allowed them to work. Don't know if it's the same problem that you are having but does sound familiar.

The Old Man (Author)
Posted April 29, 2017

Thanks nodle, I'll have to check that as I think it may leave the server less vulnerable.

Archived
This topic is now archived and is closed to further replies.