ModSecurity False Positive WordPress - How can I temporarily whitelist specific rules for this website?
Hi,
One of our websites is having issues with ModSecurity. If we publish a page update or preview the page, it throws a 403 Forbidden error...
The rules that are being broken are:
941100: XSS Attack Detected via libinjection
Request: POST /wp-admin/post.php
Action Description: Access denied with code 403 (phase 2).
Justification: Test 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/*' against '@detectXSS' is true.
220030: COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)
Request: GET /wp-content/themes/startit/assets/css/simple-line-icons/fonts/Simple-Line-Icons.woff?-i3a2kk
Action Description: Access denied with code 403 (phase 2).
Justification: Test 'MATCHED_VAR' against '@pm -a -b -C -q -T -c -n -d -e -f -h -? -i -l -m -r -B -R -F -E -S -t -s -v -w -z' is true.
Both are false positives... we raised a report for both of them; however, in the meantime we'd like to be able to whitelist/ignore these two rules for this particular website/cPanel account.
Any advice would be greatly welcome!
Thanks for that ZenHostingTravis! I installed ConfigServer ModSecurity Control and whitelisted the two rules... I can see they're whitelisted because previewing pages no longer adds logs into the ModSecurity Tools log... but the pages are still 403 erroring out. I even tried toggling ModSecurity on/off via CMC and it's clearly working, because disabling ModSecurity stops the 403 happening.
I should also note in here that neither of those ModSecurity rulesets is supported by cPanel; while you can install them, our ability to troubleshoot them will be limited in some instances. If you've disabled the specific rule that was matching, and you're still receiving a 403 error, what is output in the Apache error logs? Thanks!
If you've disabled the specific rule that was matching, and you're still receiving a 403 error what is output in the Apache error logs?
So Apache error logs weren't being helpful; they weren't showing anything wrong. I checked the ModSecurity logs and this log WAS showing why it was being blocked... yet the "ModSecurity Tools" in WHM wasn't showing it... The rule 941160 was the cause (along with 941110), which is in /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf. For reference, the "logged data" is a copy of the page content using WordPress' "WPBakery Page Builder" shortcodes... that seems to be a bit of a false positive.

Message: Access denied with code 403 (phase 2). Test 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/*' against '(?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\">(?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "74"] [id "941160"] [rev "2"] [msg "NoScript XSS InjectionChecker: HTML Injection"]
That's good detective work, @RyanR. Thanks for sharing. That is a popular page builder.
I got this exact problem with REQUEST-941-APPLICATION-ATTACK-XSS.conf. These rules need to be improved. And whenever I add this to my modsec2.whitelist.conf file manually via SSH: SecRule REMOTE_ADDR "^72.33.35.33$" "phase:1,id:941110,nolog,allow,ctl:ruleEngine=off"
Apache won't start afterwards. Anyone know why?
I'm trying to do this: SecRule REMOTE_ADDR "^72.238.15.34$" "phase:1,id:100,nolog,allow,ctl:ruleEngine=off"
But ID 100 exists already. Where do I see a list of all my IDs, used or free? I simply want to add a new rule and it's impossible: restartsrv_httpd[6482]: ModSecurity: Found another rule with the same id
Hello @Scott Galambos, I think you will be able to add this rule by simply using a different rule ID. You can view the rules that are already loaded on the Home >> Security Center >> ModSecurity Tools >> Rules List page in WHM. I've attached a screenshot showing how to access this page. Feel free to let us know if you have any additional questions, and as my colleague @cPanelSam mentioned, you are welcome to submit a ticket for further assistance. Thanks!
Are these IDs sequential? Like, is their preference linear? If I want to whitelist an IP like above, does my ID have to be as low as possible (e.g. 1 through, say, 200)? Or can I make it like 60000 and it will still whitelist?
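A set of targeted exclusions for the rules named in this thread, added here as an example and not the configuration of any poster above; the file placement, the rule ids 10001-10003, the ARGS:content field name and the 203.0.113.10 address are assumptions or placeholders.

```apache
# Added example, not from any post in this thread.  Placement (for instance
# /etc/apache2/conf.d/modsec2.whitelist.conf, or a per-vhost include so it
# applies to the one cPanel account only) is an assumption; check your own
# include order.  These exclusions run in phase 1 and the rules they target
# run in phase 2 (the log entries above say "phase 2"), so load order does
# not matter for ctl:ruleRemove*; a SecRuleRemoveById directive, by contrast,
# must come after the rule it removes.
#
# Rule ids are identifiers, not priorities: they only have to be unique
# across everything loaded.  Reusing 941110 or 100 is exactly what produces
# "Found another rule with the same id" and stops httpd.  1-99,999 is the
# range the ModSecurity reference manual reserves for local rules.

# 1) Editor saves/previews send the page body (WPBakery shortcodes) in the
#    "content" field and trip the 941xxx XSS rules.  Remove only that
#    target, for that script, instead of switching the rules off site-wide.
#    ARGS:content is the standard WordPress editor field name (assumption:
#    confirm against the "logged data" in your own audit log).
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941100;ARGS:content,\
    ctl:ruleRemoveTargetById=941110;ARGS:content,\
    ctl:ruleRemoveTargetById=941160;ARGS:content"

# 2) Comodo 220030 (@pm on PHP-CGI switches such as -i) matches the
#    cache-buster query string on Simple-Line-Icons.woff?-i3a2kk.
#    Skip that rule for font files only.
SecRule REQUEST_FILENAME "@rx \.(?:woff2?|ttf|eot)$" \
    "id:10002,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=220030"

# 3) The trusted-address bypass attempted later in the thread, written with
#    a unique id and @ipMatch (the address is a placeholder from the RFC 5737
#    documentation range).  This turns the engine off for that client, so
#    prefer 1) and 2) and keep this to a fixed admin address.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:10003,\
    phase:1,\
    allow,\
    nolog,\
    ctl:ruleEngine=Off"
```

After adding the file, confirm the ids are free in WHM's Rules List (or with the "Found another rule with the same id" error from a config test) before restarting httpd.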