Having the same issue now in 2020. Worked one day. Didn't work the next. I'm using a shared hosting environment from Dreamhost running PHP 7.2 with phpBB 3.2.7 installed.
Here's what the apache error.log says:
Code:
[Fri Sep 04 01:17:16.246929 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at ARGS:redirect. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
[Fri Sep 04 01:17:16.247219 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:redirect. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
[Fri Sep 04 01:17:16.247303 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:redirect. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
[Fri Sep 04 01:17:16.258898 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
[Fri Sep 04 01:17:16.259409 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Warning. Operator GE matched 7 at TX:inbound_anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=0,RFI=0,LFI=15,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [tag "event-correlation"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
(I've manually stripped the potentially confidential ?sid=0123456789ABCDEF part just in case)
Is it possible to configure (or modify if necessary) phpBB to not use relative URLs like ./../ in redirects? Perhaps I can pre-set PHPBB_ROOT_PATH somewhere?
Since I'm using a shared hosting environment I probably won't be able to change the OWASP rules, and I'd prefer not to disable all rules altogether.
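To see exactly what the WAF is reacting to in the log above, here is an added Python example (not code from phpBB, DreamHost or the OWASP CRS project). It parses trimmed copies of the four ModSecurity lines quoted in the post (the long 930100 pattern replaced by a placeholder, file paths shortened to basenames, all other fields as logged), re-derives the inbound anomaly score with the CRS 3.x default severity weights, reads the blocking threshold (7) from the 949110 line itself rather than assuming the CRS default, and then applies the 930110 operator both to the redirect value that was flagged and to an absolute form of it. The absolutize_redirect helper and its resolution against the requesting script's directory are assumptions for illustration only; they do not describe how phpBB builds its redirect URLs.

```python
"""Re-derive the ModSecurity / OWASP CRS blocking decision from an error.log.

Added illustration, not code from phpBB, DreamHost or the CRS project.
Score weights and the 930110 operator are the CRS 3.2 defaults; the
threshold is taken from the 949110 line in the log.
"""
import posixpath
import re

# Trimmed copies of the lines quoted in the post: the 930100 regex is replaced
# by <regex elided> and file paths are shortened to basenames; ids, msg, data,
# severity, uri and unique_id are exactly as logged.
ERROR_LOG = r'''
[Fri Sep 04 01:17:16.246929 2020] [:error] [pid 12571] ModSecurity: Warning. Pattern match "<regex elided>" at ARGS:redirect. [file "REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"]
[Fri Sep 04 01:17:16.247219 2020] [:error] [pid 12571] ModSecurity: Warning. Pattern match "(?:^|[\\/])\.\.(?:[\\/]|$)" at ARGS:redirect. [file "REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"]
[Fri Sep 04 01:17:16.247303 2020] [:error] [pid 12571] ModSecurity: Warning. Pattern match "(?:^|[\\/])\.\.(?:[\\/]|$)" at ARGS:redirect. [file "REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"]
[Fri Sep 04 01:17:16.258898 2020] [:error] [pid 12571] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"]
'''

# ModSecurity writes metadata as [key "value"] pairs; the threshold only
# appears in the blocking-evaluation line as "Operator GE matched N".
FIELD_RE = re.compile(r'\[([a-z_]+) "([^"]*)"\]')
DENY_RE = re.compile(r"Operator GE matched (\d+) at TX:anomaly_score")

# CRS 3.x default weights (tx.critical_anomaly_score and friends).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# The 930110 operator as logged (CRS 3.2). CRS applies it after its own
# transformations; the values here are already plain text.
RULE_930110 = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def parse_events(log):
    """One dict per log line with the bracketed fields plus the threshold, if any."""
    events = []
    for line in log.strip().splitlines():
        fields = dict(FIELD_RE.findall(line))
        m = DENY_RE.search(line)
        if m:
            fields["threshold"] = int(m.group(1))
        events.append(fields)
    return events


def scoring_events(events):
    """Rule hits that contribute to TX:anomaly_score.

    949xxx (blocking evaluation) and 980xxx (correlation) only report on the
    score and must not be counted again. Every logged match counts once;
    930110 is declared with multiMatch in CRS 3.2, so it can log and score
    more than once for the same argument, which is why the total is 15 here.
    """
    return [e for e in events if "id" in e and not e["id"].startswith(("949", "980"))]


def inbound_anomaly_score(events):
    return sum(SEVERITY_SCORE.get(e.get("severity", ""), 0) for e in scoring_events(events))


def threshold(events):
    for e in events:
        if "threshold" in e:
            return e["threshold"]
    raise ValueError("no blocking-evaluation line found")


def would_block(events):
    return inbound_anomaly_score(events) >= threshold(events)


def offending_values(events):
    """Sorted (variable, value) pairs CRS complained about, from the [data] fields."""
    out = set()
    for e in scoring_events(events):
        m = re.search(r"found within ([A-Z_]+:[^:]+): (.*)$", e.get("data", ""))
        if m:
            out.add((m.group(1), m.group(2)))
    return sorted(out)


def trips_930110(value):
    return RULE_930110.search(value) is not None


def absolutize_redirect(request_uri, redirect):
    """Resolve a dot-relative redirect against the requesting script's directory.

    Assumption for illustration only: this shows what a redirect without
    "./../" segments would look like; it is not how phpBB builds URLs.
    """
    if redirect.startswith("/"):
        return posixpath.normpath(redirect)
    return posixpath.normpath(posixpath.join(posixpath.dirname(request_uri), redirect))


if __name__ == "__main__":
    ev = parse_events(ERROR_LOG)
    print("inbound anomaly score:", inbound_anomaly_score(ev),
          "threshold:", threshold(ev), "blocked:", would_block(ev))
    for var, val in offending_values(ev):
        print(f"{var} = {val!r} trips 930110: {trips_930110(val)}")
        fixed = absolutize_redirect("/forums/adm/index.php", val)
        print(f"  absolute form {fixed!r} trips 930110: {trips_930110(fixed)}")
```

Two things the run makes visible: the rule does not care whether `./../adm/index.php` actually escapes the web root, it fires on the `..` segment alone, so the only application-side remedy is a redirect value with no dot-dot segments (the absolute form `/forums/adm/index.php` passes cleanly), and a single argument can push the score well past the threshold because 930100 and the multiMatch 930110 each add 5 per logged match. On the host side the usual remedy is a rule exclusion scoped to `ARGS:redirect` on this URI, but that requires write access to the CRS configuration, which a shared-hosting customer normally does not have.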