False positive with WordPress when hosted from http://example.com/update-prefix #1756
Description
Rule 942360 gets triggered when a WordPress site is hosted from a URL like http://example.com/update-prefix and you do stuff in the wp-admin area (navigating to http://example.com/update-prefix/wp-admin).
I fixed this by adding the following exclusion rule:
# Stop rule 942360 from inspecting the WordPress _wp_http_referer argument
SecAction \
    "id:1001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942360;ARGS:_wp_http_referer"
Audit Logs / Triggered Rule Numbers
Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\srol|ggregat)e|s(?:ymmetric\ske|sembl)y|u(?:thorization|dit)|vailability\sgroup)|c(?:r(?:yptographic\sprovider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)| ..." at ARGS:_wp_http_referer. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Your Environment
- CRS version (e.g., v3.2.0): 3.2.0
- Paranoia level setting: 1
- ModSecurity version (e.g., 2.9.3): 2.9.3
- Web Server and version (e.g., apache 2.4.41): Apache 2.4.41
- Operating System and version: Ubuntu 20.04
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
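A narrower way to write the same exclusion, added here as an example and not part of the original report or of the CRS project itself: instead of an unconditional SecAction, a SecRule that only drops ARGS:_wp_http_referer from rule 942360 for requests under the wp-admin path of the prefixed install, so every other request keeps the full check. The path /update-prefix/wp-admin/ and the rule id 1001 are placeholders from the report; the file placement follows the usual CRS convention of putting such rules in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

```apache
# Place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it runs before
# the CRS rule it adjusts. Phase 1 is enough: a ctl action applies to the
# rest of the same transaction, including the phase 2 run of 942360.
#
# Scope: only requests whose path starts with the wp-admin area of the
# prefixed WordPress install (replace /update-prefix/ with the real prefix).
SecRule REQUEST_URI "@beginsWith /update-prefix/wp-admin/" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942360;ARGS:_wp_http_referer"
```

Outside that path the referer argument is still inspected by 942360, which keeps the blind spot limited to the one parameter and one location that produced the false positive.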