That sounds like a false positive, possibly several ones.
Can you share your error log with us, so we can look into it? For other standard software, there are rule exclusion packages. It would be worthwhile to create such a package for phpBB, but it takes somebody to do it. We could guide you, if you are interested in contributing in such a way.
Security Center » ModSecurity Tools. It will give you a list of recent events and the rule that triggered them. Click the link for the rule under the Rule ID column, which will bring up a page for the rule. Uncheck "enable rule", check "Deploy and Restart Apache", save. If you are using some other panel you'd have to check with them how to disable rules.

OOoOOo.. That's awesome..

thecoalman wrote: ↑Thu Jul 26, 2018 10:59 am
> I'm using mod_security myself with the OWASP rule set and have had no issues with it. Be sure to let us know what the problem is and follow up with OWASP.

Yep... So I'm playing around from WHM now.

thecoalman wrote: ↑Thu Jul 26, 2018 2:19 pm
> There should be hits especially if it's blocking access.
>
> > "You don't have permission to access /Forum/adm/index.php on this server."
>
> That is not necessarily caused by mod_security. You really need to check your server logs to see what is occurring.

Yep...

This is what is triggering the 403.. now WHY and what to do, or even if this rule is working properly and it's not some server issue or config issue, is the next step.

modsec_vendor_configs/OWASP/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
The rules in this configuration file enable protection against Local File Inclusion (LFI) attacks. During a LFI attack, a malicious client causes an application to serve or otherwise process a file from the local server's file system. These local server files would not normally be publicly accessible.

xymox wrote: ↑Fri Jul 27, 2018 1:44 am
> thecoalman wrote: ↑Thu Jul 26, 2018 2:19 pm
> > There should be hits especially if it's blocking access.
>
> This is what is triggering the 403.. now WHY and what to do, or even if this rule is working properly and it's not some server issue or config issue, is the next step.

This doesn't make much sense, you cannot be in the ACP without first logging into the ACP. Just so it's clear, to get into the ACP you need to be logged into the forum as a user with administrator permissions. Click the ACP link and it will bring up a login box for the ACP where you need to again enter username and password. If you try to access that folder as a user/anyone without admin permissions you'll get a 403 issued by the script.

It occurs when I log into the ACP. If I am already in the ACP I don't think there is an issue. It's the act of logging into the ACP. To recreate the issue, log out of the board. Then log in again and log into the ACP. It fails after you click login.
Code:
[Thu Jul 26 22:44:25.927104 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "29"] [id "930100"] [rev "3"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: %2F..%2F found within REQUEST_BODY: username=&password_0a4634ed3cab743c5d02e23cc27f8c21=%21&redirect=.%2F..%2Fadm%2Findex.php%3Fsid%3D86ba097164be92640e639ca2905811fa&sid=86ba097164be92640e639ca2905811fa&credential=0a4634ed3cab743c5d02e23cc27f8c21&login=Login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
[Thu Jul 26 22:44:25.927447 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "34"] [id "930110"] [rev "1"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: username=&password_0a4634ed3cab743c5d02e23cc27f8c21=&redirect=./../adm/index.php?sid=86ba097164be92640e639ca2905811fa&sid=86ba097164be92640e639ca2905811fa&credential=0a4634ed3cab743c5d02e23cc27f8c21&login=Login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
[Thu Jul 26 22:44:25.927765 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "34"] [id "930110"] [rev "1"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: username=&password_0a4634ed3cab743c5d02e23cc27f8c21=&redirect=./../adm/index.php?sid=86ba097164be92640e639ca2905811fa&sid=86ba097164be92640e639ca2905811fa&credential=0a4634ed3cab743c5d02e23cc27f8c21&login=login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
[Thu Jul 26 22:44:25.932902 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
[Thu Jul 26 22:44:25.933886 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=0,RFI=0,LFI=15,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../)"] [tag "event-correlation"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
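An added example of how to read a burst of lines like the ones above, not code from this thread, from phpBB or from the CRS project. It groups the error_log lines by ModSecurity's unique_id (one HTTP transaction), separates the scoring rules (930100, 930110) from the blocking-evaluation rule (949110) and the phase-5 correlation rule (980130), recomputes the anomaly total from the severities using the CRS 3 default weights (CRITICAL = 5, ERROR = 4, WARNING = 3, NOTICE = 2), and pulls out which variable each match was "found within", which is exactly what a ruleRemoveTargetById exclusion has to name. The embedded input is the five lines posted above, shortened (long regex cut, POST body trimmed, most tags dropped); all function names are mine.

```python
"""Summarise which CRS rules produced a ModSecurity anomaly-score block, per transaction."""
import re
from collections import defaultdict

# Constructed sample input: the five Apache error_log lines from the thread, shortened.
SAMPLE_LOG = r'''
[Thu Jul 26 22:44:25.927104 2018] [:error] [pid 24772] [client 70.162.95.216:49380] ModSecurity: Warning. Pattern match "(?i)(?:\\x5c|..." at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "29"] [id "930100"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: %2F..%2F found within REQUEST_BODY: username=&redirect=.%2F..%2Fadm%2Findex.php&login=Login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [tag "attack-lfi"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"]
[Thu Jul 26 22:44:25.927447 2018] [:error] [pid 24772] [client 70.162.95.216:49380] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "34"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: username=&redirect=./../adm/index.php&login=Login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [tag "attack-lfi"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"]
[Thu Jul 26 22:44:25.927765 2018] [:error] [pid 24772] [client 70.162.95.216:49380] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "34"] [id "930110"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: username=&redirect=./../adm/index.php&login=login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [tag "attack-lfi"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"]
[Thu Jul 26 22:44:25.932902 2018] [:error] [pid 24772] [client 70.162.95.216:49380] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "attack-generic"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"]
[Thu Jul 26 22:44:25.933886 2018] [:error] [pid 24772] [client 70.162.95.216:49380] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=0,RFI=0,LFI=15,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../)"] [tag "event-correlation"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"]
'''

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [key "value"] pairs
CLIENT_RE = re.compile(r'\[client (\d+\.\d+\.\d+\.\d+)')  # IPv4 client, port dropped
DENIED_RE = re.compile(r'Access denied with code (\d+)')
TOTAL_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')
CATEGORY_RE = re.compile(r'\b([A-Z]+)=(\d+)')            # SQLI=0,XSS=0,...,LFI=15
FOUND_RE = re.compile(r'found within (\S+?): ')          # variable the match was in
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}  # CRS 3 defaults


def parse_line(line):
    """Turn one ModSecurity error_log line into a dict of its bracketed fields."""
    if "ModSecurity:" not in line:
        return None
    rec = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            rec["tags"].append(value)
        else:
            rec[key] = value
    m = CLIENT_RE.search(line)
    rec["client"] = m.group(1) if m else None
    m = DENIED_RE.search(line)
    rec["denied_status"] = int(m.group(1)) if m else None
    return rec


def summarise(log_text):
    """Group lines by unique_id; record scoring hits, the block decision and the score breakdown."""
    tx = defaultdict(lambda: {"hits": [], "blocked": False, "status": None,
                              "reported_score": None, "computed_score": 0,
                              "categories": {}, "uri": None, "client": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "unique_id" not in rec:
            continue
        t = tx[rec["unique_id"]]
        t["uri"], t["client"] = rec.get("uri"), rec["client"]
        rid, msg = rec.get("id", ""), rec.get("msg", "")
        if rid.startswith("949"):        # REQUEST-949-BLOCKING-EVALUATION: the 403 itself
            t["blocked"] = rec["denied_status"] is not None
            t["status"] = rec["denied_status"]
            m = TOTAL_RE.search(msg)
            t["reported_score"] = int(m.group(1)) if m else None
        elif rid.startswith("980"):      # RESPONSE-980-CORRELATION: per-category totals
            t["categories"] = {k: int(v) for k, v in CATEGORY_RE.findall(msg)}
        else:                            # a detection rule that added to the score
            t["hits"].append({"id": rid, "msg": msg, "severity": rec.get("severity"),
                              "data": rec.get("data", ""), "file": rec.get("file", "")})
            t["computed_score"] += SEVERITY_POINTS.get(rec.get("severity"), 0)
    return dict(tx)


def exclusion_targets(tx):
    """(rule id, variable) pairs that a ctl:ruleRemoveTargetById exclusion would need."""
    pairs = set()
    for h in tx["hits"]:
        m = FOUND_RE.search(h["data"])
        if m:
            pairs.add((h["id"], m.group(1)))
    return sorted(pairs)


def render_exclusions(uri_prefix, targets, first_id=10000):
    """One SecRule per pair, scoped to a URI prefix; these belong before the CRS includes."""
    return [f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"phase:2,nolog,pass,id:{first_id + n},ctl:ruleRemoveTargetById={rule_id};{var}"'
            for n, (rule_id, var) in enumerate(targets)]


if __name__ == "__main__":
    for uid, t in summarise(SAMPLE_LOG).items():
        print(uid, t["client"], t["uri"], "blocked" if t["blocked"] else "passed",
              f"reported={t['reported_score']} computed={t['computed_score']}", t["categories"])
        for h in t["hits"]:
            print("  ", h["id"], h["severity"], h["msg"])
        print("\n".join(render_exclusions(t["uri"], exclusion_targets(t))))
```

The recomputed score matching the reported 15 (three CRITICAL hits, threshold 5) is the sanity check that nothing was lost when copying the lines; the "found within" variable is what decides whether an exclusion on REQUEST_BODY, rather than on a single ARGS parameter, is the one that actually switches the match off.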
Code:
// Have they authenticated (again) as an admin for this session?
if (!isset($user->data['session_admin']) || !$user->data['session_admin'])
{
login_box('', $user->lang['LOGIN_ADMIN_CONFIRM'], $user->lang['LOGIN_ADMIN_SUCCESS'], true, false);
}
// Is user any type of admin? No, then stop here, each script needs to
// check specific permissions but this is a catchall
if (!$auth->acl_get('a_'))
{
send_status_line(403, 'Forbidden');
trigger_error('NO_ADMIN');
}
It's /adm/.

Code:
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
./../adm/ is effectively ./ and as such no harm at all. But a regular expression alone can't resolve cases like these: knowing the current path and then normalizing relative paths to the shortest possible form, recognizing the current folder is never left.

Add this to your configuration before the CRS includes and you should be fine as far as this false positive is concerned.

Code:
# ModSec Rule Exclusion: 930100 : Path Traversal Attack (/../)
SecRule REQUEST_URI "@beginsWith /Forum/adm/index.php" "phase:2,nolog,pass,id:10000,ctl:ruleRemoveTargetById=930100;REQUEST_BODY"
# ModSec Rule Exclusion: 930110 : Path Traversal Attack (/../)
SecRule REQUEST_URI "@beginsWith /Forum/adm/index.php" "phase:2,nolog,pass,id:10001,ctl:ruleRemoveTargetById=930110;REQUEST_BODY"
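To make the resolution argument above concrete, here is an added example (my code, not phpBB's and not part of the CRS) that does what a regex cannot: it URL-decodes the redirect value once, drops the query string, resolves the path against the directory the script runs in and checks that the result never leaves the application root. The script directory /Forum/adm, the root /Forum and the redirect values are taken from the log excerpt in this thread; the contrasting inputs (a real traversal to /etc/passwd and an absolute URL to attacker.example) are constructed, and the function names are mine.

```python
"""Resolve a relative redirect the way the server does, instead of matching on "../"."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# The regex view, roughly what 930110 reacts to: a ".." segment with a slash on either side.
TRAVERSAL_TOKEN = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def resolve_redirect(script_dir, redirect, app_root):
    """Return (resolved_path, status) with status 'inside', 'escapes' or 'external'.

    The value is URL-decoded exactly once (as the web server does) and the query
    string, e.g. ?sid=..., is discarded before the path is normalised."""
    parts = urlsplit(unquote(redirect))
    if parts.scheme or parts.netloc:
        return parts.geturl(), "external"       # points at another host entirely
    path = parts.path or "."
    if not path.startswith("/"):
        path = posixpath.join(script_dir, path)  # relative to the running script's dir
    resolved = posixpath.normpath(path)          # collapses ./ and ../ segments
    root = posixpath.normpath(app_root)
    inside = resolved == root or resolved.startswith(root.rstrip("/") + "/")
    return resolved, "inside" if inside else "escapes"


def verdict(script_dir, redirect, app_root):
    """Pair the regex view with the resolved view; both true means a false positive."""
    token = bool(TRAVERSAL_TOKEN.search(unquote(redirect)))
    resolved, status = resolve_redirect(script_dir, redirect, app_root)
    return {"token": token, "resolved": resolved, "status": status,
            "false_positive": token and status == "inside"}


if __name__ == "__main__":
    samples = [
        ".%2F..%2Fadm%2Findex.php%3Fsid%3D86ba097164be92640e639ca2905811fa",  # from the log
        "./../adm/index.php?sid=86ba097164be92640e639ca2905811fa",          # from the log
        "index.php",                                                         # constructed
        "../../../../etc/passwd",                                            # constructed
        "https://attacker.example/",                                         # constructed
    ]
    for r in samples:
        print(f"{r!r:70} -> {verdict('/Forum/adm', r, '/Forum')}")
```

The phpBB value resolves to /Forum/adm/index.php, so the token is present but the request never leaves the root, which is the case the two exclusion rules above cover. Note that the check needs the script directory as input: the same "../" string is harmless from /Forum/adm and an escape from /Forum, which is why this cannot be expressed as a single pattern in a rule file.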