Apache Mod_Security OWASP false positive on ACP use

thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Apache Mod_Security OWASP false positive on ACP use

Post by thecoalman »

thecoalman wrote: Thu Jul 26, 2018 10:59 am I'm using mod_security myself with the OWASP rule set and have had no issues with it.
To elaborate and answer your PM: it's the default install of mod_security provided by WHM/Cpanel, and the OWASP rule set is curated by Cpanel. I'm also using Cloudflare, which has its own implementation of the OWASP rules. That rule that is causing you trouble is most definitely being triggered on both Cloudflare and my server, but it's only hitting on attempted exploits. I have no issues getting into the ACP and my IP is not whitelisted anywhere.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false positive on ACP use

Post by xymox »

Maybe I am confused. The ModSecurity Core Ruleset project that comes preinstalled with cpanel will always block the ACP because of the ../../adm/ reference? This will always require an exclusion for the ACP to work on any CRS with the default rules that come with cpanel?

That's what I got from the description Paul (Infrastructure Team Leader) gave?
Paul wrote: Fri Jul 27, 2018 7:00 am That indeed seems to be a false positive; phpBB always uses the board root as the starting point for redirects. The admin panel is in a subdirectory at adm/. To redirect from the login form to the ACP it includes a redirect in the login path which is ./../adm/. The rule matches on that, thinking there is a path traversal issue, but it is actually a valid redirect within phpBB.
Maybe you're saying this should be the responsibility of cpanel to maintain a list of exclusions for phpBB? I think the people working on the CRS project want to work up some exclusion rules but need some contact with phpBB to do this, so my PM was to help them make this contact with phpBB.
thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Apache Mod_Security OWASP false positive on ACP use

Post by thecoalman »

xymox wrote: Sat Jul 28, 2018 11:37 pm Maybe I am confused. The ModSecurity Core Ruleset project that comes preinstalled with cpanel will always block the ACP because of the ../../adm/ reference? This will always require an exclusion for the ACP to work on any CRS with the default rules that come with cpanel?
Not in my case, and I even double-checked the request header when logging into the ACP. Why this is occurring on your end I don't know.
That's what I got from the description Paul (Infrastructure Team Leader) gave?
Paul's comments are only in relation to how phpBB works and your case. The discrepancy between your installation producing false positives and mine, which doesn't, illustrates the issues with trying to troubleshoot things like this.

mod_security is widely used, and if this was a common issue it would appear here more frequently. I'm going to suggest this is an isolated issue somehow related to your setup. To reiterate, this is not affecting me, and it has to go through both Cloudflare's implementation of the OWASP ruleset and the default WHM/Cpanel install on my server.

mod_security w/OWASP is a great tool, but it is not something you simply install out of the box and expect to work everywhere. If you do a search you will find it flags a lot of things as false positives because it's impossible for them to account for how every web application works or what it does. The same thing applies to phpBB: it cannot account for every piece of security software, server configuration, and so on. This is not OWASP's fault and it's not phpBB's fault.

We can only offer guidance on how to fix your issue where these things are concerned. If you are going to run a VPS and manage it yourself it's your responsibility to tweak products like mod_security to fit your needs.
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false positive on ACP use

Post by xymox »

This is not a difficult issue. As Paul said. This is simple. It was really easy to troubleshoot. The error log was quite clear. The solution equally as clear. The issue was I did not look at the error log soon enough, my bad.

My "install" is:

Purchased Inmotionhosting VPS-3000
Installed phpBB
Mod Security comes active - no rules.
Added the OWASP based CRS vendor via cpanel

That's it, total. Nothing else.

When I did this all 4 phpBB forums had the same issue. No ACP. Error logs all showed the same issue, the one I posted: 403 because of ../../adm/, which the CRS *WOULD BLOCK BY DEFAULT With STD SETTINGS* for the exact reasons Paul mentioned.

I just did a clean install on a clean server to confirm this.

So my "install" is really clean and I just tested a virgin install of all the above. Exact same results. As expected.

So I suggest your install is different. Maybe you raised the anomaly threshold? Maybe you're running other things that are different from what I ran to isolate the issue? Your log MUST show that hit, as there is a rule in CRS? If not, something is wrong.

The error log makes hunting down errors with modsecurity pretty easy actually. It's very verbose, clear and accurate. Now that I've had a few days to really look at it, this is *fairly* straightforward; I've dealt with way more complex and horrendous code. I could see where, if you did not have access to the error log, modsecurity might be vexing though. I like modsecurity. Very powerful tool. BUT you gotta pay attention and be ready to take on complexity. The example that was offered by a number of support team members about a cat forum with the word cat in a post causing an issue would have been in the error log. HOWEVER I understand that many people don't have access to the error log, I guess. I guess it's just me, but, armed with the error log and hit list, this looks easy to manage.

BUT... I'm no expert on modsecurity or CRS.

We are off topic. My issue appears resolved. I will post again in like a week to confirm things are good. OR. If other issues come up I will post the issue and the resolution.

I guess you answered my question from PM in addition.
thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Apache Mod_Security OWASP false positive on ACP use

Post by thecoalman »

xymox wrote: Sun Jul 29, 2018 8:52 am So I suggest your install is different. Maybe you raised the anomaly threshold? Maybe you're running other things that are different from what I ran to isolate the issue? Your log MUST show that hit, as there is a rule in CRS? If not, something is wrong.
I've repeated numerous times it's the default install. There are hits on that rule but not for the ACP. For example:


GET /index.php?option=com_facegallery&task=imageDownload&img_name=../../configuration.php 
That is what that rule is designed to prevent.
Brf
Support Team Member
Posts: 53398
Joined: Tue May 10, 2005 7:47 pm

Re: Apache Mod_Security OWASP false positive on ACP use

Post by Brf »

thecoalman wrote: Sun Jul 29, 2018 5:05 am if this was common issue you are having it would appear here more frequently,
I seem to remember it coming up a lot a couple years back with one of the new releases of PhpBB. Maybe it was 3.2.0 or one of the 3.1’s or something.
filebot
Registered User
Posts: 10
Joined: Wed Feb 25, 2015 4:34 am

Re: Apache Mod_Security OWASP false positive on ACP use

Post by filebot »

Having the same issue now in 2020. Worked one day. Didn't work the next. I'm using a shared hosting environment from Dreamhost running php 7.2 with phpBB 3.2.7 installed.

Here's what the apache error.log says:


[Fri Sep 04 01:17:16.246929 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at ARGS:redirect. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
[Fri Sep 04 01:17:16.247219 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:redirect. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
[Fri Sep 04 01:17:16.247303 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Warning. Pattern match "(?:^|[\\\\/])\\\\.\\\\.(?:[\\\\/]|$)" at ARGS:redirect. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: /../ found within ARGS:redirect: ./../adm/index.php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
[Fri Sep 04 01:17:16.258898 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
[Fri Sep 04 01:17:16.259409 2020] [:error] [pid 12571] [client 203.150.154.237:51198] [client 203.150.154.237] ModSecurity: Warning. Operator GE matched 7 at TX:inbound_anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=0,RFI=0,LFI=15,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [tag "event-correlation"] [hostname "www.filebot.net"] [uri "/forums/adm/index.php"] [unique_id "X1H4DKraMUZnlbZvnjyFVQAAAAM"], referer: https://www.filebot.net/forums/adm/index.php
(I've manually stripped the potentially confidential ?sid=0123456789ABCDEF part just in case.)

Is it possible to configure (or modify if necessary) phpBB to not use relative URLs like ./../ in redirects? Perhaps I can pre-set PHPBB_ROOT_PATH somewhere?

Since I'm using a shared hosting environment I probably won't be able to change the OWASP rules, and I'd prefer not to disable all rules altogether.
thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Apache Mod_Security OWASP false positive on ACP use

Post by thecoalman »

filebot wrote: Fri Sep 04, 2020 9:06 am
Since I'm using a shared hosting environment I probably won't be able to change the OWASP rules, and I'd prefer not to disable all rules altogether.
You can contact Dreamhost and ask them to disable the rule. Optionally you can ask them to whitelist your IP for mod_security.

They may not want to do either because it applies to everyone on the same server.
kcfez
Registered User
Posts: 11
Joined: Tue Aug 17, 2010 5:40 pm

Re: Apache Mod_Security OWASP false positive on ACP use

Post by kcfez »

I have found a few places where modsecurity rules complain about phpBB-formed URLs.
Clearly there needs to be a discussion between the security experts and the developers to see if the methods used by the phpBB developers, and the subsequent relaxation of the rules to get things to work, cause vulnerabilities in the code. This is not easy to resolve. Of course it is easy to put in exceptions for specific directories of phpBB. It is more difficult to design rule exceptions that only let through the specific phpBB calls. As a lifetime computer security expert I am uneasy about relaxing rules for individuals unless a complete assessment of the risk is performed.
Not only are there issues with ACP functions but also Search functions. Now I look at the apache logs and then add a rule into the apache configuration for the forum directory to ignore the rule causing the error.
So far these are required!
SecRuleRemoveById 980130
SecRuleRemoveById 949110
SecRuleRemoveById 930110
SecRuleRemoveById 930100
SecRuleRemoveById 980140
SecRuleRemoveById 953110
SecRuleRemoveById 959100
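A narrower alternative to removing those rule ids globally, added here as an example that is not from this thread or from the OWASP CRS project: drop the two path-traversal checks only for the ARGS:redirect parameter, and only when it carries the ./../adm/ value that phpBB itself generates (the value shown in filebot's log above). Every other argument, and every other redirect value, keeps scoring toward the anomaly threshold. The rule id 10001 is a locally chosen number from the range CRS leaves free for site rules, and the file placement is an assumption.

```apache
# Place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or anywhere that is
# loaded before the CRS rule files), so the ctl: actions take effect before
# rules 930100 and 930110 run in phase 2.
#
# phase:2 is required: ARGS includes POST body parameters, which are not yet
# parsed in phase 1 (the ACP login form posts the redirect parameter).
#
# @beginsWith deliberately pins the exclusion to phpBB's own redirect target.
# A redirect value such as ./../../etc/passwd or ../../configuration.php does
# not match, so it is still inspected by 930100/930110 and still blocked once
# the anomaly score (5 per CRITICAL hit, threshold 5 by default) is reached.
SecRule ARGS:redirect "@beginsWith ./../adm/" \
    "id:10001,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=930100;ARGS:redirect,\
    ctl:ruleRemoveTargetById=930110;ARGS:redirect"
```

Rules 949110 and 980130 in kcfez's list are the anomaly-score evaluation and correlation rules, not detections; once the two 930xxx hits no longer score, they no longer fire for this request, so they need not be removed.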
kcfez
Registered User
Posts: 11
Joined: Tue Aug 17, 2010 5:40 pm

Re: Apache Mod_Security OWASP false positive on ACP use

Post by kcfez »

As has been discussed elsewhere, either the rules have to be modified, or rules have to be excluded, for the current phpBB software to work with the OWASP security.
Unfortunately the exclusions provided in that thread do not work, hence my previous post on how I fixed it with what should be regarded as a temporary bodge for 3.3.5.
thecoalman
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Apache Mod_Security OWASP false positive on ACP use

Post by thecoalman »

Rule sets in mod_security are like spam filters: they can be aggressive or not. False positives are inevitable. In addition to the rules themselves you can set a threshold, just like you would for a spam filter. It needs to be configured to fit your needs. It's not just phpBB that can produce false positives.

I use mod_security with the default WHM/Cpanel configuration for OWASP rule set without any issues.....