This repository was archived by the owner on May 14, 2020. It is now read-only.
Description Description
Rule 942360 gets triggered when WordPress site is hosted from url like http://example.com/update-prefix and doing stuff in wp-admin area (navigating to http://example.com/update-prefix/wp-admin.
I fixed this by adding following exclusion rule:
SecAction \
"id:1001,\
phase:2,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942360;ARGS:_wp_http_referer"
Audit Logs / Triggered Rule Numbers
Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\srol|ggregat)e|s(?:ymmetric\s ke|sembl)y|u(?:thorization|dit)|vailability\sgroup)|c(?:r(?:yptographic\s provider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)| ..." at ARGS:_wp_http_referer. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Your Environment
CRS version (e.g., v3.2.0): 3.2.0
Paranoia level setting: 1
ModSecurity version (e.g., 2.9.3): 2.9.3
Web Server and version (e.g., apache 2.4.41): Apache 2.4.41
Operating System and version: Ubuntu 20.04
Confirmation
[x] I have removed any personal data (email addresses, IP addresses,
Reactions are currently unavailable
Description
Rule 942360 gets triggered when WordPress site is hosted from url like
http://example.com/update-prefixand doing stuff in wp-admin area (navigating tohttp://example.com/update-prefix/wp-admin.I fixed this by adding following exclusion rule:
Audit Logs / Triggered Rule Numbers
Message: Warning. Pattern match "(?i:(?:^[\W\d]+\s*?(?:alter\s*(?:a(?:(?:pplication\srol|ggregat)e|s(?:ymmetric\ske|sembl)y|u(?:thorization|dit)|vailability\sgroup)|c(?:r(?:yptographic\sprovider|edential)|o(?:l(?:latio|um)|nversio)n|ertificate|luster)|s(?:e(?:rv(?:ice|er)| ..." at ARGS:_wp_http_referer. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "471"] [id "942360"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: /update found within ARGS:_wp_http_referer: /update-test/wp-admin/"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Your Environment
Confirmation
[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.