Apache Mod_Security OWASP false positive on ACP use

thecoalman
Community Team Member
Posts: 2797
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Post by thecoalman » Sat Jul 28, 2018 8:40 pm

> thecoalman wrote: Thu Jul 26, 2018 10:59 am
> I'm using mod_security myself with the OWASP rule set and have had no issues with it.

To elaborate and answer your PM, it's a default install of mod_security provided by WHM/Cpanel and the OWASP rule set is curated by Cpanel. I'm also using Cloudflare, which has its own implementation of the OWASP rules. That rule that is causing you trouble is most definitely being triggered on both Cloudflare and my server, but it's only hitting on attempted exploits. I have no issues getting into the ACP and my IP is not whitelisted anywhere.

xymox
Registered User
Posts: 63
Joined: Thu Jan 07, 2010 12:20 am

Post by xymox » Sat Jul 28, 2018 11:37 pm

Maybe I am confused. The ModSecurity Core Ruleset project that comes preinstalled with cpanel will always block the ACP because of the ../../adm/ reference? This will always require an exclusion for the ACP to work on any CRS with the default rules that come with cpanel?

That's what I got from the description Paul (Infrastructure Team Leader) said?

> Paul wrote: Fri Jul 27, 2018 7:00 am
> That indeed seems to be a false positive. phpBB always uses the board root as the starting point for redirects. The admin panel is in a subdirectory at adm/. To redirect from the login form to the ACP it included a redirect in the login path which is ./../adm/. The rule matches on that by thinking there is a path traversal issue, but it is actually a valid redirect within phpBB.

Maybe you're saying this should be the responsibility of cpanel to maintain a list of exclusions for phpBB? I think the people working the CRS project want to work up some exclusion rules but need some contact with phpBB to do this, so my PM was to help them look to make this contact with phpBB.

Post by thecoalman » Sun Jul 29, 2018 5:05 am

> xymox wrote: Sat Jul 28, 2018 11:37 pm
> Maybe I am confused. The ModSecurity Core Ruleset project that comes preinstalled with cpanel will always block the ACP because of the ../../adm/ reference? This will always require an exclusion for the ACP to work on any CRS with the default rules that come with cpanel?

Not in my case, and I even double-checked the request header when logging into the ACP. Why this is occurring on your end I don't know.

> That's what I got from the description Paul (Infrastructure Team Leader) said?

Paul's comments are only in relation to how phpBB works and your case. The discrepancy between your installation producing false positives and mine, which doesn't, illustrates the issues with trying to troubleshoot things like this.

mod_security is widely used, and if this was a common issue you are having, it would appear here more frequently. I'm going to suggest this is an isolated issue somehow related to your setup. To reiterate, this is not affecting me and it has to go through both Cloudflare's implementation of the OWASP ruleset and the default WHM/Cpanel install on my server.

mod_security w/OWASP is a great tool but it is not something you simply install out of the box and expect to work everywhere. If you do a search you will find it flags a lot of things as false positives because it's impossible for them to account for how every web application works or what it does. The same thing applies to phpBB: it cannot account for every piece of security software, server configuration, and so on and so forth. This is not OWASP's fault and it's not phpBB's fault.

We can only offer guidance on how to fix your issue where these things are concerned. If you are going to run a VPS and manage it yourself, it's your responsibility to tweak products like mod_security to fit your needs.

Post by xymox » Sun Jul 29, 2018 8:52 am

This is not a difficult issue. As Paul said. This is simple. It was really easy to troubleshoot. The error log was quite clear. The solution equally as clear. The issue was I did not look at the error log soon enough, my bad.

My "install" is:

Purchased Inmotionhosting VPS-3000
Installed phpBB
Mod Security comes active - no rules.
Added the OWASP based CRS vendor via cpanel

That's it, total. Nothing else.

When I did this, all 4 phpBB forums had the same issue. No ACP. Error logs all showed the same issue, the one I posted: 403 because of ../../adm/, which the CRS *WOULD BLOCK BY DEFAULT With STD SETTINGS* for the exact reasons Paul mentioned.

I just did a clean install on a clean server to confirm this.

So my "install" is really clean and I just tested a virgin install of all the above. Exact same results. As expected.

So I suggest your install is different. Maybe you raised the anomaly threshold? Maybe you're running other things that are different than what I ran to isolate the issue? Your log MUST show that hit as there is a rule in CRS? If not something is wrong.

The error log makes hunting down errors with modsecurity pretty easy actually. It's very verbose, clear and accurate. Now that I've had a few days to really look at it, this is *fairly* straightforward; I've dealt with way more complex and horrendous code. I could see where if you did not have access to the error log that modsecurity might be vexing though. I like modsecurity. Very powerful tool. BUT you gotta pay attention and be ready to take on complexity. The example that was offered by a number of support team members about a cat forum with the word cat in a post causing an issue would have been in the error log. HOWEVER I understand that many people don't have access to the error log I guess. I guess it's just me, but, armed with the error log and hit list this looks easy to manage.

BUT... I'm no expert on modsecurity or CRS.

We are off topic. My issue appears resolved. I will post again in like a week to confirm things are good. OR. If other issues come up I will post the issue and the resolution.

I guess you answered my question from PM in addition.

Post by thecoalman » Sun Jul 29, 2018 10:01 am

> xymox wrote: Sun Jul 29, 2018 8:52 am
> So I suggest your install is different. Maybe you raised the anomaly threshold? Maybe you're running other things that are different than what I ran to isolate the issue? Your log MUST show that hit as there is a rule in CRS? If not something is wrong.

I've repeated numerous times it's a default install. There are hits on that rule but not for the ACP. For example:

    GET /index.php?option=com_facegallery&task=imageDownload&img_name=../../configuration.php

That is what that rule is designed to prevent.
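
The error-log triage discussed in the two posts above (telling ACP hits apart from exploit attempts on the same rule), as an added example that is not part of any post in this thread. The log lines are constructed in the layout ModSecurity 2.x writes to the Apache error log; the rule id `000000`, the `redirect` argument name, the client addresses and the host name are placeholders or assumptions.

```python
import re
from collections import Counter

# Constructed log lines (ModSecurity 2.x / Apache error-log layout). Rule id
# "000000", the "redirect" argument, addresses and host are placeholders.
SAMPLE_LOG = r'''
[Sat Jul 28 23:01:02 2018] [:error] [pid 1] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.\./" at ARGS:redirect. [id "000000"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:redirect: ./../adm/index.php"] [hostname "forum.example"] [uri "/adm/index.php"]
[Sat Jul 28 23:04:40 2018] [:error] [pid 1] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.\./" at ARGS:redirect. [id "000000"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:redirect: ./../adm/index.php"] [hostname "forum.example"] [uri "/adm/index.php"]
[Sun Jul 29 02:13:09 2018] [:error] [pid 1] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.\./" at ARGS:img_name. [id "000000"] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:img_name: ../../configuration.php"] [hostname "forum.example"] [uri "/index.php"]
[Sun Jul 29 02:13:10 2018] [core:notice] [pid 1] unrelated Apache message
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # [key "value"] metadata
TARGET = re.compile(r'\bat ([A-Z_]+(?::[^\s.]+)?)\.')   # variable the rule matched on

def parse_hits(log_text):
    """Return one dict per ModSecurity entry: rule id, URI, matched variable, data."""
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        hits.append({
            "id": fields.get("id"),
            "uri": fields.get("uri"),
            "target": target.group(1) if target else None,
            "data": fields.get("data", ""),
        })
    return hits

def exclusion_candidates(hits, app_paths):
    """Count hits per (rule id, URI, variable), keeping only the application's
    own endpoints; hits on any other URI stay outside the candidate list."""
    counts = Counter((h["id"], h["uri"], h["target"]) for h in hits)
    return {key: n for key, n in counts.items() if key[1] in app_paths}

if __name__ == "__main__":
    parsed = parse_hits(SAMPLE_LOG)
    for key, n in exclusion_candidates(parsed, {"/adm/index.php"}).items():
        print(n, "hit(s):", key)
```

Each key in the result names the rule id, URI and variable that a narrowly scoped exclusion would cover, which leaves the rule active for requests like the `img_name` one.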

Brf
Support Team Member
Posts: 51351
Joined: Tue May 10, 2005 7:47 pm

Post by Brf » Sun Jul 29, 2018 2:06 pm

> thecoalman wrote: Sun Jul 29, 2018 5:05 am
> if this was a common issue you are having, it would appear here more frequently,

I seem to remember it coming up a lot a couple years back with one of the new releases of phpBB. Maybe it was 3.2.0 or one of the 3.1’s or something.
