Apache Mod_Security OWASP false posistive on ACP use

Discussion of non-phpBB related topics with other phpBB.com users.
Forum rules
General Discussion is a bonus forum for discussion of non-phpBB related topics with other phpBB.com users. All site rules apply.
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

It seems that the Apache Mod_Security OWASP rule set is blocking ACP use. https://modsecurity.org/crs/

Does anyone have any experence in how to run this but still allow ACP functionality ?
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

The maintainers of the OWASP project have responded. They could use someone more experience then I to maybe help with this issue.

OWASP is a killer good thing to run if your running phpBB. Forums get attacked all the time and OWASP via ModSecurity is a awesome way to protect a forum - and a whole site.

I am going to look at logs more and see what is going on exactly, but, I dont think im skilled enough to do what they need. Maybe someone here is ? The work would contribute to a far safer phpBB.

I have a post on the OWASP GitHub
https://github.com/SpiderLabs/owasp-mod ... ssues/1154
That sounds like a false positive, possibly several ones.

Can you share your error-log with us, so we can look into it? For other standard software, there are rule exclusion packages. It would be worthwhile to create such a package for PHPbb, but it takes somebody to do it. We could guide you, if you are interested to contribute in such a way."
User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10551
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by Noxwizard »

I have split off most everything from this topic as it immediately derailed with all sorts of misinformation and disinformation. There is nothing wrong to taking a defense-in-depth approach and applying layers of security. As with all of those products, you can't just blindly run them and think you're fine. Everything requires tuning, which is what we're seeing here.

As a few have mentioned, this falls more into the scope of server setup which is not something we really do here. This is mainly because we can't know all the different ways to configure different server products and how your snowflake configuration deviates. What that means is that you're going to have to do some back and forth with the provider or your ruleset and here since we won't really be able to tell you what to change in ModSecurity.

At the moment, you've stated that there's likely a false positive in a rule when entering the ACP. That's not a whole lot to go on and we can only say "You're probably right". Your server error logs should indicate which mod_security rule is being triggered. Once you have the rule, you will need to find it in your configuration and post it here, along with the entry from your error log. From there, we can try to look at it and tell you the expected/norm for requests to those pages. After we clarify for you what a normal request to that specific page looks like, you'll have to go to the provider of your ruleset with that info to troubleshoot the rule.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

Thank you :) And well put.. Awesome moderation :)

I will gather the logs and look it all over and work with OWASP if I need to and post here what I find and provide a proper technical depth. I will hopefully also provide a solution that might benefit others.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by thecoalman »

If you do not have access to the rule set you will need to contact your host. Otherwise find out the ID of the rule being triggered and disable it. You can do this by checking the error logs or it might be logged under mod security log.

How to enable or disable is going to depend on the server environment but If you are using WHM in the control panel Security Center »ModSecurity Tools. It will give you list of recent events and the rule that triggered them. Click the link for the rule under the Rule ID column which will bring up a page for the rule. Uncheck "enable rule", check "Deploy and Restart Apache", save. If you are using some other panel you'd have to check with them how to disable rules.

I'm using mod_security myself with the OWASP rule set and have had no issues with it. Be sure to let us know what the problem is and follow up with OWASP.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

thecoalman wrote: Thu Jul 26, 2018 10:59 am I'm using mod_security myself with the OWASP rule set and have had no issues with it. Be sure to let us know what the problem is and follow up with OWASP.
OOoOOo.. Thats awesome..

I have root, so, I can do whatever I need to. I am using a Inmotion hosting VPS-3000 for a few web sites that are hobbies badmodems.com and lhcportal.com . CERN is a big user of the LHCPortal site, but they dont use the forum much. My little forums are tiny and without much traffic :) They are really personal hobbies. The Badmodems site tho gets 5000 IPs a day because of all my work VS Intel and the class action against Arris/Linksys/Intel that I am class representative of. Press links to that one, and so that site gets a lot of traffic. Especially the badmodems list which is phpBB powered.

Thurs or friday I will go grab logs and figure out whats going on, I am sorry I have not already. Ive been really busy work wise.

Thank you for helping :)

One thing I want to point out right now at the start of this thread. Using OWASP and Mod_Security should really only done if you really understand what your doing. Its almost always going to require tuning. It complicates every aspect of maintaining a forum and could randomly cause inexplicable behavior. My forums are hobbies for me, they are not big, serious, forums. I would be very cautious if your going to deploy mod-security and OWASP on a production site that has a lot of traffic. ALWAYS test on a offline test setup first.

So be patient with me. Im work busy right now. I will tackle this and post here shortly.

A few quick notes I noticed. The WHM Mod_Security tools page did not show any hits. I get 403 errors. "You don't have permission to access /Forum/adm/index.php on this server." This is a bit weird that i have no hits ? I have not turned off rules one at a time yet.

Rather then play with web interfaces I want to get in there SSH and look around at logs and try and see whats really going on here.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by thecoalman »

There should be hits especially if it's blocking access.
"You don't have permission to access /Forum/adm/index.php on this server."
That is not necessarily caused by mod_security. You really need to check your server logs to see what is occurring.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

thecoalman wrote: Thu Jul 26, 2018 2:19 pm There should be hits especially if it's blocking access.
"You don't have permission to access /Forum/adm/index.php on this server."
That is not necessarily caused by mod_security. You really need to check your server logs to see what is occurring.
Yep... So im playing around from WHM now.
modsec_vendor_configs/OWASP/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf

The rules in this configuration file enable protection against Local File Inclusion (LFI) attacks. During a LFI attack, a malicious client causes an application to serve or otherwise process a file from the local server's file system. These local server files would not normally be publicly accessible.
This is what is triggering the 403.. now WHY and what to do, or even if this rule is working properly and its not some server issue or config issue, is the next step.

Just to put doing this work and problem isolation into perspective and show the complexity and point out why I did not think i was qualified and was fearful of the amount of work involved have a look at this general guide and example. https://www.netnea.com/cms/apache-tutor ... -rule-set/ Anyone considering additional security for thier server needs to understand the complexity of doing so and weigh the risk VS gain from adding these additional security tools.

Im great with doing this as its a hobby for me and pretty interesting. It adds to my skills and its educational. I end up with a more secure server as a benefit. If it breaks, ist not a horrible event. For the last hour my server forums were mostly offline with internal server error and thats fine. BUT. If your on a forum that has a lot of traffic then consider your additonal security measures carefully and remember they will require maintenance over time.

OK off to fool with this more.. I am learning a lot about OWASP.
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

xymox wrote: Fri Jul 27, 2018 1:44 am
thecoalman wrote: Thu Jul 26, 2018 2:19 pm There should be hits especially if it's blocking access.
"You don't have permission to access /Forum/adm/index.php on this server."
That is not necessarily caused by mod_security. You really need to check your server logs to see what is occurring.
Yep...

So a bit of isolation... The below ruleset is the issue. It occurs when I log into the ACP. If I am already in the ACP I dont think there is a issue. Its the act of logging into the ACP. To recreate the issue, logout of the board. Then login again and log into the ACP. It fails after you click login.

I will post details like PHP version and additional things in phpBB shortly.
modsec_vendor_configs/OWASP/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf

The rules in this configuration file enable protection against Local File Inclusion (LFI) attacks. During a LFI attack, a malicious client causes an application to serve or otherwise process a file from the local server's file system. These local server files would not normally be publicly accessible.
This is what is triggering the 403.. now WHY and what to do, or even if this rule is working properly and its not some server issue or config issue, is the next step.

Strangely, my hit list is still empty. UNLESS that list takes a bit to populate. I will watch this more.

Just to put doing this work and problem isolation into perspective and show the complexity and point out why I did not think i was qualified and was fearful of the amount of work involved have a look at this general guide and example. https://www.netnea.com/cms/apache-tutor ... -rule-set/ Anyone considering additional security for thier server needs to understand the complexity of doing so and weigh the risk VS gain from adding these additional security tools.

Im great with doing this as its a hobby for me and pretty interesting. It adds to my skills and its educational. I end up with a more secure server as a benefit. If it breaks, ist not a horrible event. For the last hour my server forums were mostly offline with internal server error and thats fine. BUT. If your on a forum that has a lot of traffic then consider your additonal security measures carefully and remember they will require maintenance over time.

OK off to fool with this more.. I am learning a lot about OWASP.
[/quote]
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

Interesting.. " vulnerable PHP scripts"

Its interesting whats going on here. I need to look at this more. I need to look at the phpBB scripts that occur during ACP login too.

https://www.owasp.org/index.php/Testing ... _Inclusion
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by thecoalman »

Once again, you need to look at your server logs. The 403 and what was requested to cause it should be logged.


---------edit---------
It occurs when I log into the ACP. If I am already in the ACP I dont think there is a issue. Its the act of logging into the ACP. To recreate the issue, logout of the board. Then login again and log into the ACP. It fails after you click login.
This doesn't make much sense, you cannot be in the ACP without first logging into the ACP. Just so it's clear to get into the ACP you need to be logged into the forum as user with administrator permissions. Click the ACP link and will bring up login box for the ACP where you need to again enter userrname and password. If you try and access that folder as a user/anyone without admin permissions you'll get a 403 issued by the script.

As noted previously please wait six hours to bump topics. Before then you may edit your other post if you have something to add if no one has replied.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

The below pattern match reg expression I think would require the combined knowledge of the Krell to decode.. Or.. Im just not that good at reg expressions.

I removed username and password.

Code: Select all

[Thu Jul 26 22:44:25.927104 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Warning. Pattern match "(?i)(?:\\\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "29"] [id "930100"] [rev "3"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: %2F..%2F found within REQUEST_BODY: username=&password_0a4634ed3cab743c5d02e23cc27f8c21=%21&redirect=.%2F..%2Fadm%2Findex.php%3Fsid%3D86ba097164be92640e639ca2905811fa&sid=86ba097164be92640e639ca2905811fa&credential=0a4634ed3cab743c5d02e23cc27f8c21&login=Login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
[Thu Jul 26 22:44:25.927447 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "34"] [id "930110"] [rev "1"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: username=&password_0a4634ed3cab743c5d02e23cc27f8c21=&redirect=./../adm/index.php?sid=86ba097164be92640e639ca2905811fa&sid=86ba097164be92640e639ca2905811fa&credential=0a4634ed3cab743c5d02e23cc27f8c21&login=Login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
[Thu Jul 26 22:44:25.927765 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Warning. Matched phrase "../" at REQUEST_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "34"] [id "930110"] [rev "1"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within REQUEST_BODY: username=&password_0a4634ed3cab743c5d02e23cc27f8c21=&redirect=./../adm/index.php?sid=86ba097164be92640e639ca2905811fa&sid=86ba097164be92640e639ca2905811fa&credential=0a4634ed3cab743c5d02e23cc27f8c21&login=login"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
[Thu Jul 26 22:44:25.932902 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
[Thu Jul 26 22:44:25.933886 2018] [:error] [pid 24772] [client 70.162.95.216:49380] [client 70.162.95.216] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=0,RFI=0,LFI=15,RCE=0,PHPI=0,HTTP=0,SESS=0): Path Traversal Attack (/../)"] [tag "event-correlation"] [hostname "badmodems.com"] [uri "/Forum/adm/index.php"] [unique_id "W1qxOSKql0bOfpQFclj4ngAAAAk"], referer: https://badmodems.com/Forum/adm/index.php?sid=86ba097164be92640e639ca2905811fa
To clarify my previous statement. If you have already logged in to the ACP with the rule disabled, and then enable the rule, and reload the ACP or click the ACP link there is no issue.

It occurs when you have not logged into the ACP previously and you get the second login window. After you click the login on that second window is when the rule triggers.

In the phpBB code you can see what happens in the decision above and for some reason OWASP decides im a bad guy and stops this script and does its own 403.

Code: Select all

// Have they authenticated (again) as an admin for this session?
if (!isset($user->data['session_admin']) || !$user->data['session_admin'])
{
	login_box('', $user->lang['LOGIN_ADMIN_CONFIRM'], $user->lang['LOGIN_ADMIN_SUCCESS'], true, false);
}

// Is user any type of admin? No, then stop here, each script needs to
// check specific permissions but this is a catchall
if (!$auth->acl_get('a_'))
{
	send_status_line(403, 'Forbidden');
	trigger_error('NO_ADMIN');
}
I have passed the logs and info over to OWASP and they will have a look.
Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 28619
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by Paul »

That indeed seems to be a false positive, phpBB uses always the board root as starting point for redirects. The admin panel is in a subdirectory at adm/. To redirect from the login form to the acp it included a redirect in the login path which is ./../adm/ The rule matches on that by thinking there is a path traversal issue, but it is actually a valid redirect within phpBB.
User avatar
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by AmigoJack »

Paul wrote: Fri Jul 27, 2018 7:00 amthe login path which is ./../admin/
It's /adm/.

The culprit is this: /adm/index.php defines for itself:

Code: Select all

$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
which is the truth, and being consistent with all the code this path is used everyway, also if it ends up going back into the same folders again. But ModSecurity doesn't know about this and thinks that this very PHP file is the root already. It is just looking for a what-looks-like path traversal when ./../adm/ is effectively ./ and as such no harm at all. But a regular expression alone can't resolve cases like these: knowing the current path and then normalizing relative paths to the shortest possible form, recognizing the current folder is never left.
User avatar
xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Re: Apache Mod_Security OWASP false posistive on ACP use

Post by xymox »

Makes sense. Good explanations :)

From the OWASP maintainers..
Add this to your configuration before the CRS includes and you should be fine as far as this false positive is concerned.

Code: Select all

# ModSec Rule Exclusion: 930100 : Path Traversal Attack (/../)
SecRule REQUEST_URI "@beginsWith /Forum/adm/index.php" "phase:2,nolog,pass,id:10000,ctl:ruleRemoveTargetById=930100;REQUEST_BODY"

# ModSec Rule Exclusion: 930110 : Path Traversal Attack (/../)
SecRule REQUEST_URI "@beginsWith /Forum/adm/index.php" "phase:2,nolog,pass,id:10001,ctl:ruleRemoveTargetById=930110;REQUEST_BODY"
I will add these and do some testing and report back.

I should add, they said more of these may pop up. So I will try and do some more serious testing.


<edit & update> This does resolve the ACP issue. The board seems fine, but, I will test and watch the apache error log.
Post Reply

Return to “General Discussion”