Skip to content
This repository has been archived by the owner on May 14, 2020. It is now read-only.

Wordpress preview page false positive on REQUEST-949-BLOCKING-EVALUATION #1669

Open
podguzovvasily opened this issue Jan 26, 2020 · 0 comments
Open

Wordpress preview page false positive on REQUEST-949-BLOCKING-EVALUATION #1669

podguzovvasily opened this issue Jan 26, 2020 · 0 comments
Labels
False Positive

Comments

@podguzovvasily
Copy link

Mod security audit log:

---Q17tMcfU---A--
[26/Jan/2020:15:11:40 +0000] 158005150036.533109 My IP 443
---Q17tMcfU---B--
POST /wp-admin/post.php HTTP/1.1
CF-Connecting-IP: My IP
accept-language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
sec-fetch-site: same-origin
referer: https://somedomain.com/wp-admin/post.php?post=34&action=edit
content-type: application/x-www-form-urlencoded
origin: https://somedomain.com
sec-fetch-user: ?1
upgrade-insecure-requests: 1
sec-fetch-mode: navigate
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Connection: Keep-Alive
X-Forwarded-For: My IP
X-Forwarded-Proto: https
Content-Length: 7431
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
CF-RAY: 55b36d753bd272cf-EWR
cache-control: max-age=0
cookie: wordpress_sec_7bae4ba6b3acc0ec1572ba3a674e0c6b=fit_admin%7C1580223927%7Ca5z5YoAyXeBOGredy864Czj6syYkXdXlzeejIbHAGPu%7C3b18c5283f513861c669cbea790ff7cd1122e8dbe3df1f83e87baf70e3526e3e; wp-saving-post=34-check; _ga=GA1.2.323998682.1566842811; _hjid=9898195b-fc1a-4f3c-8516-00678213f4ce; _hjIncludedInSample=1; __cfduid=d9d4dfc7bcb7b4d6ff2afc071faf292841566849211; wordpress_test_cookie=WP+Cookie+check; _gcl_au=1.1.1066281131.1574699881; PHPSESSID=0nplfnhactboetm1kc2cclgbea; wordpress_logged_in_7bae4ba6b3acc0ec1572ba3a674e0c6b=fit_admin%7C1580223927%7Ca5z5YoAyXeBOGredy864Czj6syYkXdXlzeejIbHAGPu%7Cfe81b045f94d563b5470b32de2f82efc91b8eb6646158eb3de06802d0024a3ce; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce%26hidetb%3D0%26imgsize%3Dfull; wp-settings-time-1=1580051174; _gid=GA1.2.1633963910.1580051382; _gat_UA-135448804-1=1
Host: somedomain.com
Accept-Encoding: gzip
CF-IPCountry: RU
CF-Visitor: {"scheme":"https"}
CDN-Loop: cloudflare

---Q17tMcfU---D--

---Q17tMcfU---E--

\x0d\x0a<title>403 Forbidden</title>\x0d\x0a\x0d\x0a

403 Forbidden

\x0d\x0a
nginx\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a

---Q17tMcfU---F--
HTTP/1.1 403
Server: nginx
Date: Sun, 26 Jan 2020 15:11:40 GMT
Content-Length: 548
Content-Type: text/html
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains

---Q17tMcfU---H--
ModSecurity: Warning. Matched "Operator Rx' with parameter (?i:(?:<\w[\s\S]*[\s/]|'"?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|d (3139 characters omitted)' against variable ARGS:content' (Value: <img src="https://somedomain.com/wp-content/uploads/2018/10/divider-free-img.png" alt="" width="1 (4290 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "195"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: \x0d\x0a

About Me

\x0d\x0a

MY WAY OF\x0d\x0aHEALTH & LIFE!

\x0d\x0aConsectetur (7210 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "My IP"] [uri "/wp-admin/post.php"] [unique_id "158005150036.533109"] [ref "o0,3386v2340,3997t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "109.60.145.104"] [uri "/wp-admin/post.php"] [unique_id "158005150036.533109"] [ref ""]
ModSecurity: Warning. Matched "Operator Ge' with parameter 5' against variable TX:INBOUND_ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "My IP"] [uri "/wp-admin/post.php"] [unique_id "158005150036.533109"] [ref ""]

CRS version v3.2.0
ModSecurity v3 Nginx Connector
nginx/1.17.4
Ubuntu 18.04
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
False Positive
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@podguzovvasily