
False positive when editing /wp-admin/nav-menus.php #75


Closed
vluzrmos opened this issue Mar 14, 2025 · 8 comments · Fixed by #76

Comments

@vluzrmos

677355 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i).(?:\b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)\b|pattern[\s\x0b]*=)|(?:!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b)' against variable `ARGS:menu-item-url[36272]' (Value: `OMITTED' ) [file "OMITTED/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "138"] [id "941130"] [rev ""] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data: .xhtml found within ARGS:menu-item-url[36272]: http://OMITTED.xhtml"] [severity "2"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "172.21.0.2"] [uri "/wp-admin/nav-menus.php"] [unique_id "174195611034.472930"] [ref "o21483,6v1834,32239t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNullso68,6v81875,74t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:remove (5 characters omitted)"]

and

675834 [client OMITTED] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "OMITTED/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg ""] [data ""] [severity "0"] [ver "OWASP_CRS/4.11.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "172.21.0.2"] [uri "/wp-admin/nav-menus.php"] [unique_id "174195606478.217515"] [ref ""], client: OMITTED, server: OMITTED

My workaround solution:

SecRule REQUEST_URI "@endsWith /wp-admin/nav-menus.php" \
    "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=949110,ctl:ruleRemoveById=942100"
@azurit
Member

azurit commented Mar 14, 2025

@vluzrmos Hi and thanks for reporting this. Can you, please, provide a full audit log?

@vluzrmos
Author

@azurit I'm not sure how to do that; I created this issue from the BunkerWeb nginx log.

@EsadCetiner
Member

@vluzrmos I'm not familiar with BunkerWeb but it looks like the audit log is stored at /var/log/bunkerweb/modsec_audit.log by default. If you search for this ID: 174195611034.472930 then you should find full transaction details about the false positive.

I see your workaround rule is disabling rule 949110. You should never disable that rule, as it's an anomaly scoring rule; disabling it disables the WAF.

@vluzrmos
Author

vluzrmos commented Mar 15, 2025

  • I see that /var/log/bunkerweb/modsec_audit.log is a link to /proc/1/fd/2, which should be stderr... but there are no audit logs in stderr.

  • I changed SecAuditLog to another file and it doesn't log that false positive.

I figured out that ModSecurity is blocking a menu item with an href like 'http://SOMETHING:8080/sipwep/login/login.xhtml'; other links work normally.

Note: SOMETHING is a subdomain of the current WordPress site, but it points to another port and path.

@azurit
Member

azurit commented Mar 15, 2025

It looks like a false positive, but this one is going to be a tough one as it targets the variable ARGS:menu-item-url[36272], i.e. ARGS:menu-item-url\[[0-9]+\].

@azurit
Member

azurit commented Mar 15, 2025

@EsadCetiner What do you think? We can whitelist it using SecRuleUpdateTargetById (which supports regexes) but in this case this part of the plugin cannot be disabled using a setting rule.

@EsadCetiner
Member

@azurit I think we should just use a ctl: action to remove the offending rule from the ARGS collection for /wp-admin/nav-menus.php. Using SecRuleUpdateTargetById is fine for WordPress, but I don't know if it'll be safe for other applications the end user is hosting (if any).

There's already an open issue to add support for using regexes with ctl:ruleRemoveTargetById for libModSecurity, the ideal solution would be to ensure all engines support this feature.
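As an added example (not the reporter's rule and not the code of PR #76), here is the scoped exclusion the two comments above point at, placed next to the workaround pattern they warn against. The rule id 10001 is an assumption; pick one from your own exclusion id range.

```apache
# Added example, not from the plugin. Rule id 10001 is assumed.

# Anti-pattern (do not use): removing 949110 disables the anomaly-scoring
# blocking evaluation for this URL, i.e. it switches the WAF off there.
# SecRule REQUEST_URI "@endsWith /wp-admin/nav-menus.php" \
#     "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=949110"

# Scoped exclusion: every rule keeps running, including 949110. Only rule
# 941130 stops inspecting the ARGS collection, and only for requests to the
# WordPress menu editor where menu-item-url[N] carries a URL ending in .xhtml.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941130;ARGS"
```

Because libModSecurity does not yet accept a regex such as ARGS:menu-item-url\[[0-9]+\] as the target, the exclusion has to cover the whole ARGS collection for this path; every other 941xxx rule still inspects those arguments, and 941130 still inspects the request's other variables.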

@EsadCetiner
Member

@vluzrmos I've opened a PR at #76 to fix your issue.

It would be nice if you can provide logs so we can create tests for your specific issue, can you try changing SecAuditLog temporarily to another file and then re-trigger the false positive and post your logs here?
