Community @ The Turning Gate

Support community for TTG plugins and products.


#1 2018-04-07 21:50:53

tomowensphoto
Member
From: Suffolk
Registered: 2012-11-21
Posts: 254

Modsecurity conflict with phpLiteAdmin

I've been having some dialogue with Ben regarding an error 404 I was getting on trying to check inside the master.sq3 databases after I had had some funny goings on in a new hosting environment.

After hours of trying to establish the cause, I eventually had a shared desktop session with tech support at the new host. What we established was that ModSecurity was interpreting the access to the databases as a breach, and after a few attempts went straight to a block on my domain IP address. The relevant error is reproduced here, courtesy of the host tech support.

OWASP ModSecurity Core Rule Set V3.0
SpiderLabs OWASP curated ModSecurity rule set


930100

#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" "phase:request, msg:'Path Traversal Attack (/../)', id:930100, ver:'OWASP_CRS/3.0.0', rev:'3', maturity:'9', accuracy:'7', t:none, block, severity:CRITICAL, logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', capture, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-lfi', tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.lfi_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

Turning off modsecurity is not an option. I've posted this here for both Ben and Matt to pick up. I've emailed Ben direct. It would seem that the path is an issue, but this stuff is way way above my head.

Hopefully the TTG wizards can find a workaround.


Regards,
TomO
Just a simple photographer
Live site at http://tomowens.openpoint.co.uk/
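
A way to see which request field would trip the rule 930100 quoted in the post above, as an added example (not code from TTG, phpLiteAdmin or the host): it recompiles the rule's regex in Python, with `re` standing in for ModSecurity's regex engine, and checks the rule's variables except XML:/*. The request paths, header names and function names are constructed for illustration.

```python
import re

# Path-separator alternatives (/, \ and their encodings), copied from rule 930100.
SEP = (r"(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))"
       r"|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)"
       r"|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f"
       r"|%3(?:2(?:%(?:%6|4)6|F)|5%%63)"
       r"|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))")
# Dot alternatives (. and its encodings), copied from rule 930100.
DOT = (r"(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae"
       r"|2(?:(?:5(?:c0%25a|2))?e|%45)"
       r"|u(?:(?:002|ff0)e|2024)"
       r"|%32(?:%(?:%6|4)5|E)"
       r"|c0(?:%[256aef]e|\.))"
       r"|\.(?:%0[01]|\?)?|\?\.?|0x2e)")
# The rule is: separator, two dots, separator, case-insensitive ((?i)).
RULE_930100 = re.compile(SEP + DOT + "{2}" + SEP, re.IGNORECASE)


def triage(uri_raw, headers, body=""):
    """Return (variable, matched data) pairs, like the rule's logdata line."""
    targets = [("REQUEST_URI_RAW", uri_raw), ("REQUEST_BODY", body)]
    # The rule inspects every header except Referer (!REQUEST_HEADERS:Referer).
    targets += [("REQUEST_HEADERS:" + k, v) for k, v in headers.items()
                if k.lower() != "referer"]
    hits = []
    for name, value in targets:
        m = RULE_930100.search(value)  # t:none: the raw value is matched as sent
        if m:
            hits.append((name, m.group(0)))
    return hits


# Constructed request URIs (hypothetical paths, not taken from the thread).
SAMPLES = {
    "plain":     "/admin/phpliteadmin.php?db=master.sq3",
    "relative":  "/admin/phpliteadmin.php?db=../../data/master.sq3",
    "encoded":   "/admin/phpliteadmin.php?db=data%2f..%2fmaster.sq3",
    "one_level": "/admin/phpliteadmin.php?db=../master.sq3",
}

if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(label, triage(uri, {"Referer": "https://example.test/a/../b"}))
```

A single leading `../` with no separator in front of it does not match, while any `/../` inside a parameter value does, so an application that passes relative database paths in the URL can be blocked without any attack taking place.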


#2 2018-04-09 03:19:30

tomowensphoto
Member
From: Suffolk
Registered: 2012-11-21
Posts: 254

Re: Modsecurity conflict with phpLiteAdmin

Big thanks to Ben for rolling out a fix for this issue over the weekend.
Things just get better and www.cloud-tree.co.uk were very supportive in providing details of where the trip took place that helped Ben enormously.


Regards,
TomO
Just a simple photographer
Live site at http://tomowens.openpoint.co.uk/
