Support community for TTG plugins and products.
NOTICE
The Turning Gate's Community has moved to a new home, at https://discourse.theturninggate.net.
This forum is now closed, and exists here as a read-only archive.
You are not logged in.
Pages: 1
I've been having some dialogue with Ben regarding an error 404 I was getting on trying to check inside the master.sq3 databases after I had had some funny goings on in a new hosting environment.
After hours of trying to establish the cause, I eventually had a shared desktop session with tech support at the new host. What we established was that modesurity was interpreting the access to the databases as a breach, and after a few attempts went straight to a block on my domain IP address. The relevant error is reproduced here, courtesy of the host tech support.
OWASP ModSecurity Core Rule Set V3.0
SpiderLabs OWASP curated ModSecurity rule set
930100
#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" "phase:request, msg:'Path Traversal Attack (/../)', id:930100, ver:'OWASP_CRS/3.0.0', rev:'3', maturity:'9', accuracy:'7', t:none, block, severity:CRITICAL, logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-lfi', tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.lfi_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
Turning off modsecurity is not an option. I've posted this here for both Ben and Matt to pick up. I've emailed Ben direct. It would seem that the path is an issue, but this stuff is way way above my head.
Hopefully the TTG wizards can find a workaround.
Regards,
TomO
Just a simple photographer
Live site at http://tomowens.openpoint.co.uk/
Offline
Big thanks to Ben for rolling out a fix for this issue over the weekend.
Things just get better and www.cloud-tree.co.uk were very supportive in providing details of where the trip took place that helped Ben enormously.
Regards,
TomO
Just a simple photographer
Live site at http://tomowens.openpoint.co.uk/
Offline
Pages: 1