SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page:https://modsecurity.org/crs


Wordpress preview page false positive on REQUEST-949-BLOCKING-EVALUATION

podguzovvasily opened this issue · comments

ModSecurity audit log:

```
---Q17tMcfU---A--
[26/Jan/2020:15:11:40 +0000] 158005150036.533109 My IP 443
---Q17tMcfU---B--
POST /wp-admin/post.php HTTP/1.1
CF-Connecting-IP: My IP
accept-language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
sec-fetch-site: same-origin
referer: https://somedomain.com/wp-admin/post.php?post=34&action=edit
content-type: application/x-www-form-urlencoded
origin: https://somedomain.com
sec-fetch-user: ?1
upgrade-insecure-requests: 1
sec-fetch-mode: navigate
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Connection: Keep-Alive
X-Forwarded-For: My IP
X-Forwarded-Proto: https
Content-Length: 7431
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
CF-RAY: 55b36d753bd272cf-EWR
cache-control: max-age=0
cookie: wordpress_sec_7bae4ba6b3acc0ec1572ba3a674e0c6b=fit_admin%7C1580223927%7Ca5z5YoAyXeBOGredy864Czj6syYkXdXlzeejIbHAGPu%7C3b18c5283f513861c669cbea790ff7cd1122e8dbe3df1f83e87baf70e3526e3e; wp-saving-post=34-check; _ga=GA1.2.323998682.1566842811; _hjid=9898195b-fc1a-4f3c-8516-00678213f4ce; _hjIncludedInSample=1; __cfduid=d9d4dfc7bcb7b4d6ff2afc071faf292841566849211; wordpress_test_cookie=WP+Cookie+check; _gcl_au=1.1.1066281131.1574699881; PHPSESSID=0nplfnhactboetm1kc2cclgbea; wordpress_logged_in_7bae4ba6b3acc0ec1572ba3a674e0c6b=fit_admin%7C1580223927%7Ca5z5YoAyXeBOGredy864Czj6syYkXdXlzeejIbHAGPu%7Cfe81b045f94d563b5470b32de2f82efc91b8eb6646158eb3de06802d0024a3ce; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D0%26imgsize%3Dfull; wp-settings-time-1=1580051174; _gid=GA1.2.1633963910.1580051382; _gat_UA-135448804-1=1
Host: somedomain.com
Accept-Encoding: gzip
CF-IPCountry: RU
CF-Visitor: {"scheme":"https"}
CDN-Loop: cloudflare

---Q17tMcfU---D--

---Q17tMcfU---E--

\x0d\x0a<title>403 Forbidden</title>\x0d\x0a\x0d\x0a

403 Forbidden

\x0d\x0a
nginx\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a

---Q17tMcfU---F--
HTTP/1.1 403
Server: nginx
Date: Sun, 26 Jan 2020 15:11:40 GMT
Content-Length: 548
Content-Type: text/html
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains

---Q17tMcfU---H--
ModSecurity: Warning. Matched "Operator Rx' with parameter (?i:(?:<\w[\s\S]*[\s/]|'"?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3139 characters omitted)' against variable ARGS:content' (Value: <img src="https://somedomain.com/wp-content/uploads/2018/10/divider-free-img.png" alt="" width="1 (4290 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "195"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \x0d\x0a

About Me

\x0d\x0a

MY WAY OF\x0d\x0aHEALTH & LIFE!

\x0d\x0aConsectetur (7210 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "My IP"] [uri "/wp-admin/post.php"] [unique_id "158005150036.533109"] [ref "o0,3386v2340,3997t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "109.60.145.104"] [uri "/wp-admin/post.php"] [unique_id "158005150036.533109"] [ref ""]
ModSecurity: Warning. Matched "Operator Ge' with parameter 5' against variable TX:INBOUND_ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "My IP"] [uri "/wp-admin/post.php"] [unique_id "158005150036.533109"] [ref ""]
```

CRS version v3.2.0
ModSecurity v3 Nginx Connector
nginx/1.17.4
Ubuntu 18.04
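What the H section shows is a single rule hit doing all the damage: 941160 matches the HTML that the WordPress editor legitimately posts in ARGS:content, it is a CRITICAL-severity rule (severity "2"), so it adds 5 to the inbound anomaly score, and with the CRS 3.x default inbound threshold of 5 that alone lets 949110 deny the request (the 980130 line confirms it: XSS=5, everything else 0). The usual fix for an editor false positive of this kind is a targeted rule exclusion rather than disabling the rule globally. The following is an example added here, not code from the issue or from the CRS repository; the rule id 1001 is a placeholder to be replaced with an id from your own reserved range, and the cookie check is an assumption based on the wordpress_logged_in_ cookie visible in the request above. CRS 3.x also ships an optional WordPress exclusion package (REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf, enabled by setting tx.crs_exclusions_wordpress=1 in crs-setup.conf) that covers the admin editor, so check whether enabling it is enough before hand-writing exclusions.

```apache
# Added example, not from the issue or from CRS.
# Load this BEFORE the CRS rule files (for example in the
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file CRS provides for
# local exclusions): a ctl: action only affects rules that are
# evaluated after it, and 941160 runs in phase 2.
#
# Rule id 1001 is a hypothetical placeholder; use an id from your own range.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    # Only relax the rule for an authenticated editor session, identified
    # by a wordpress_logged_in_* cookie (assumption based on the request above).
    # ruleRemoveTargetById keeps 941160 active for every other argument
    # and every other URL; only ARGS:content on this script is excluded.
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@gt 0" \
        "t:none,\
        ctl:ruleRemoveTargetById=941160;ARGS:content"
```

After reloading nginx, save the same post again and confirm in the audit log that the H section no longer contains a 941160 entry for ARGS:content. If further 941xxx rules fire on the same parameter, extend the exclusion rule by rule (each one as its own ctl:ruleRemoveTargetById) rather than switching to ruleRemoveTargetByTag=attack-xss, so that the scope of what is relaxed stays visible in the configuration.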