I'm having some trouble dealing with two false positives. This is cPanel's implementation of OWASP ver. 3.0.0, as nearly as I can tell (from /etc/apache2/conf.d/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf). I've masked some possibly sensitive data.
[Thu Dec 01 10:25:39.244073 2016] [:error] [pid 24880] [client xx.xx.xxx.xxx] ModSecurity: Access denied with redirection to http://www.example.com/ using status 302 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:returnUrl. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "219"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "6"] [accuracy "8"] [tag "Host: www.example.com"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [hostname "www.example.com"] [uri "/xxx.php"] [unique_id "WEBA83cQjKbwhNpTYWkudQAAAAQ"]

[Thu Dec 01 10:41:28.958952 2016] [:error] [pid 26285] [client xx.xx.xxx.xxx] ModSecurity: Access denied with redirection to http://www.example.com/ using status 302 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-31-APPLICATION-ATTACK-RFI.conf"] [line "30"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://another.example.com/a/account/validatethirdpartycorporateauthresult?redirectUrl=http:%2F%2Fanother.example.com%2Fa found within TX:1: another.example.com/a/account/validatethirdpartycorporateauthresult?redirectUrl=http:%2F%2Fanother.example.com%2Fa"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: www.example.com"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-remote file inclusion"] [tag "OWASP_CRS/WEB_ATTACK/RFI"] [hostname "www.example.com"] [uri "/xxx.php"] [unique_id "WEBEqF9us8Ws-b6n3kgKmAAAAAI"]

I've confirmed that those rules are the problem by temporarily disabling them, but I would like to create an exception instead.
I am trying to use the "add rule" function in cPanel's WHM / Security Center / ModSecurity / Tools / Rules List. Here is what I'm trying to add (singly and both at once):

SecRuleUpdateTargetById 950109 !ARGS:'another.example.com'
SecRuleUpdateTargetByID 950120 !ARGS_NAMES:'another.example.com'

When I try to save and deploy, here is what I get in the cPanel error log:

[2016-12-01 16:09:21 -0500] warn [xml-api] The system failed to deploy the changes for "modsec/modsec2.user.conf": The system could not validate the new Apache configuration because httpd exited with a nonzero value. Apache produced the following error: AH00526: Syntax error on line 1 of /etc/apache2/conf.d/modsec/modsec2.user.conf: Updating target by ID with no ruleset in this context

I've tried various combinations of single quotes, double quotes, no quotes, but to no avail. It's up to the server vendor to file a ticket with cPanel, and they say it's not appropriate to do that for a syntax error. Suggestions?

I did file reports via cPanel earlier today and got auto-replies from secur...@modsecurity.org assigning ticket nos. 1332 and 1333, but nothing further.
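Added example, not part of the original post: a small Python helper that reads ModSecurity error-log entries in the format quoted above, pulls out the rule id and the variable the rule fired on, and proposes a SecRuleUpdateTargetById exclusion for it. The sample lines are constructed from the two events in the post (placeholder client IP); the parameter name it finds for rule 950109 is ARGS:returnUrl, as reported in the log. For the RFI event the rule fires on TX:1, a transient capture from a chained rule, so no target can be derived from the log alone and the helper reports that instead of guessing.

```python
import re

# Constructed sample log, modelled on the two entries quoted in the post.
SAMPLE_LOG = r'''
[Thu Dec 01 10:25:39.244073 2016] [:error] [pid 24880] [client 203.0.113.5] ModSecurity: Access denied with redirection to http://www.example.com/ using status 302 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:returnUrl. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "219"] [id "950109"] [msg "Multiple URL Encoding Detected"] [uri "/xxx.php"]
[Thu Dec 01 10:41:28.958952 2016] [:error] [pid 26285] [client 203.0.113.5] ModSecurity: Access denied with redirection to http://www.example.com/ using status 302 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-31-APPLICATION-ATTACK-RFI.conf"] [line "30"] [id "950120"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [uri "/xxx.php"]
'''

# [key "value"] fields appended to every ModSecurity event line.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Operators such as @rx report the variable that matched: ... at ARGS:returnUrl. [file
AT_VAR_RE = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')
# Negated operators report the variable they were checked against instead.
AGAINST_RE = re.compile(r'against "([^"]+)" required')


def parse_event(line):
    """Extract rule id, message, URI and the variable the rule fired on."""
    tags = dict(TAG_RE.findall(line))
    if "id" not in tags:
        return None
    m = AT_VAR_RE.search(line) or AGAINST_RE.search(line)
    return {
        "id": tags["id"],
        "msg": tags.get("msg", ""),
        "uri": tags.get("uri", ""),
        "variable": m.group(1) if m else None,
    }


def suggest_exclusion(event):
    """Propose a per-rule target exclusion, or None when the log does not say enough.

    TX:* variables are set by an earlier rule in a chain, so the real request
    variable has to be read from the rule file rather than from this line.
    """
    var = event["variable"]
    if var and not var.upper().startswith("TX:"):
        return f"SecRuleUpdateTargetById {event['id']} !{var}"
    return None


def analyze(log_text):
    """Return one record per event, each with a suggested exclusion (or None)."""
    events = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            ev["exclusion"] = suggest_exclusion(ev)
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG):
        print(ev["id"], ev["uri"], ev["variable"], "->", ev["exclusion"] or "manual review")
```

Any SecRuleUpdateTargetById line produced this way has to be loaded after the rule it modifies; placed in a file that Apache reads before the CRS rule files, it yields exactly the "no ruleset in this context" error quoted above.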
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set