3.0.1.9 permission issues

Report bugs and workarounds
zane93
Posts: 36
Joined: 08 Mar 2016 22:08

3.0.1.9 permission issues

Post by zane93 » 27 Mar 2017 02:55

When I try to add an entry to the whitelist from the graylist.

"Move selected entries to whitelist"

"You don't have permission to access /sgwi/connect.php on this server."
full path is /var/www/html/sgwi/connect.php

I have even tried setting connect.php to 0777 and that did not work. Any suggestions?

EDIT: ***I got this part to work fine after clearing the browser cache***
When trying to view the permissions on my Administrator account I get the following error.
"Error: unable to validate security token"

shawniverson
Posts: 3029
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson » 27 Mar 2017 11:35

Resolved or still an issue?
Version eFa 4.0.2 now available!

adrian.leigh
Posts: 7
Joined: 27 Mar 2017 10:30

Re: 3.0.1.9 permission issues

Post by adrian.leigh » 27 Mar 2017 12:20

Yes, still an issue.

I have found in the HTTP logs that ModSecurity denied access with code 403 (phase 2) on checklogin.php: "Multiple URL Encoding Detected"?

Thanks
Adrian.

shawniverson
Posts: 3029
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson » 27 Mar 2017 12:21

Can you post the complete message from the log?

adrian.leigh
Posts: 7
Joined: 27 Mar 2017 10:30

Re: 3.0.1.9 permission issues

Post by adrian.leigh » 27 Mar 2017 12:30

ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:mypassword. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]

shawniverson
Posts: 3029
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson » 27 Mar 2017 12:37

OK, the problem is the structure of your password; it must be a really good one :lol:

Let's add this line to /etc/httpd/conf.d/mod_security.conf above </IfModule>:

SecRuleRemoveById 950109

sudo service httpd restart

adrian.leigh
Posts: 7
Joined: 27 Mar 2017 10:30

Re: 3.0.1.9 permission issues

Post by adrian.leigh » 27 Mar 2017 12:45

Thanks so much, but I don't have /etc/conf.d/httpd/mod_security.conf?

Adrian.

shawniverson
Posts: 3029
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson » 27 Mar 2017 12:46

Whoops, I got the path backwards; it should be /etc/httpd/conf.d

adrian.leigh
Posts: 7
Joined: 27 Mar 2017 10:30

Re: 3.0.1.9 permission issues

Post by adrian.leigh » 27 Mar 2017 12:56

Thanks, I found it :)

I had to put the exception in both locations, as I had two <IfModule> sections; the <IfModule mod_security2.c> one was the one that got it working for me again.

Thanks so much for your help.

zane93
Posts: 36
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 » 27 Mar 2017 13:57

The mod_security2.so additions did not work for me. I still have the same issue.


LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
    LoadModule unique_id_module modules/mod_unique_id.so

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109

</IfModule>
<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
    Include modsecurity.d/*.conf
    Include modsecurity.d/activated_rules/*.conf
    
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess Off
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecArgumentSeparator &
    SecCookieFormat 0
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
</IfModule>

shawniverson
Posts: 3029
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson » 27 Mar 2017 13:58

I think your thread got hijacked from another issue :think:

shawniverson
Posts: 3029
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson » 27 Mar 2017 14:00

I see the same issue here... troubleshooting...

shawniverson
Posts: 3029
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson » 27 Mar 2017 14:04

Try this one:

SecRuleRemoveByID 981173
SecRuleRemoveByID 981249

zane93
Posts: 36
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 » 27 Mar 2017 14:10

Working well now, thanks!

So here is what I have, for the record.

LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
    LoadModule unique_id_module modules/mod_unique_id.so

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
    SecRuleRemoveByID 981173
    SecRuleRemoveByID 981249

</IfModule>
<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
    Include modsecurity.d/*.conf
    Include modsecurity.d/activated_rules/*.conf
    
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess Off
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecArgumentSeparator &
    SecCookieFormat 0
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
    SecRuleRemoveByID 981173
    SecRuleRemoveByID 981249
</IfModule>
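Placement matters for these exclusions, which is why adrian.leigh only saw a result from the copy inside <IfModule mod_security2.c>: SecRuleRemoveById only acts on rules that have already been defined, so it has to come after the Include lines that load the CRS, and the <IfModule !mod_unique_id.c> block above runs before those Includes. The fragment below is an added illustration of that ordering, not eFa's shipped mod_security.conf; it also shows a narrower alternative to dropping a rule outright, using SecRuleUpdateTargetById to stop only the two parameters named in this thread's log lines (ARGS:mypassword, ARGS:operator) from being inspected by the rule that false-positives on them.

```apache
<IfModule mod_security2.c>
    # Load the Core Rule Set first. Exclusion directives below refer to rule
    # ids that must already exist at the point they are read.
    Include modsecurity.d/*.conf
    Include modsecurity.d/activated_rules/*.conf

    # Option A (what this thread does): remove the noisy rules for every
    # request and every parameter.
    SecRuleRemoveById 950109
    SecRuleRemoveById 981173 981249

    # Option B (narrower): keep the rules active, but exclude just the
    # parameters that legitimately carry "%" or ">=" on this application.
    # Parameter names are the ones seen in the log lines posted above.
    SecRuleUpdateTargetById 950109 !ARGS:mypassword
    SecRuleUpdateTargetById 981319 !ARGS:operator
</IfModule>
```

Directives placed in the <IfModule !mod_unique_id.c> block, as in the posted config, are evaluated only when mod_unique_id is not already loaded and, in any case, before the CRS is included, so they have no effect there. Restart httpd after editing, as shawniverson notes above, and confirm in /var/log/httpd/error_log that the rule id no longer fires.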

Dark-Sider
Posts: 11
Joined: 14 Mar 2016 11:37

Re: 3.0.1.9 permission issues

Post by Dark-Sider » 27 Mar 2017 15:59

Had the same issue; the changes that zane93 applied also worked for me. Maybe this should be added in a future release.

ramtech
Posts: 54
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech » 29 Mar 2017 01:46

Hi All,
I've had a similar issue, but with a slight variation, so I thought I'd check in first before making changes.
My issue is that if I go to run a report, or even add a filter to a report, I get the following 403 ...

You don't have permission to access /mailscanner/reports.php on this server.
My /var/log/httpd/error_log shows...


[Wed Mar 29 10:22:53 2017] [error] [client <--LANIP-->] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at ARGS:operator. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: >= found within ARGS:operator: >="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
At first I thought the fault was intermittent. However, I have since discovered that if I am SSH'd in with the same user and sudo'd (e.g. running "sudo tail -f /var/log/httpd/error_log"), then all works with no issue.

Will the changes above still be applicable in this instance? To me it doesn't look to be the case.
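Both log lines quoted in this thread (adrian.leigh's 950109 hit on ARGS:mypassword and ramtech's 981319 hit on ARGS:operator) carry everything needed to answer ramtech's question: the rule id, the message, the parameter that matched, and the rule file. Reading those fields out of error_log, rather than guessing from the 403 page, tells you which id is actually firing and on which parameter, so an exclusion can be scoped to that parameter instead of removing a rule for the whole site. The script below is an added example, not part of eFa; it parses the two lines posted above (copied verbatim, including the doubled backslashes as the forum shows them) and groups denials by rule id.

```python
import re
import sys
from collections import defaultdict

# The two ModSecurity "Access denied" lines quoted earlier in this thread.
SAMPLE_LOG_LINES = [
    r'''ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:mypassword. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]''',
    r'''[Wed Mar 29 10:22:53 2017] [error] [client <--LANIP-->] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at ARGS:operator. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: >= found within ARGS:operator: >="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]''',
]

# Leading part: status code, phase, the rule's regex, and the variable it matched in.
HEAD_RE = re.compile(
    r'ModSecurity: Access denied with code (\d+) \(phase (\d+)\)\. '
    r'Pattern match "(.*?)" at ([^\s.]+)\.'
)
# Trailing [key "value"] fields. Apache's own [client ...] / [error] prefixes
# have no quotes, so they are skipped automatically.
BRACKET_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_event(line):
    """Parse one ModSecurity denial line into a dict, or return None for other lines."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    event = {
        "status": int(head.group(1)),
        "phase": int(head.group(2)),
        "pattern": head.group(3),
        "variable": head.group(4),
        "tags": [],              # "tag" repeats, so collect it as a list
    }
    for key, value in BRACKET_RE.findall(line):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value   # file, line, id, msg, data, severity, ...
    return event


def summarize(lines):
    """Group denials by rule id: message, which request parameters tripped it, hit count."""
    summary = defaultdict(lambda: {"msg": "", "variables": set(), "hits": 0})
    for line in lines:
        event = parse_event(line)
        if event is None or "id" not in event:
            continue
        entry = summary[event["id"]]
        entry["msg"] = event.get("msg", "")
        entry["variables"].add(event["variable"])
        entry["hits"] += 1
    return dict(summary)


def format_summary(summary):
    """One row per rule id, sorted, suitable for eyeballing before writing an exclusion."""
    rows = []
    for rule_id in sorted(summary):
        entry = summary[rule_id]
        rows.append("%s  %d hit(s)  %s  [%s]" % (
            rule_id, entry["hits"], entry["msg"],
            ", ".join(sorted(entry["variables"]))))
    return rows


if __name__ == "__main__":
    # Usage: python modsec_triage.py /var/log/httpd/error_log
    # With no argument the two lines from this thread are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG_LINES
    for row in format_summary(summarize(log_lines)):
        print(row)
```

On the two thread lines this prints one row for 950109 (ARGS:mypassword) and one for 981319 (ARGS:operator), which makes ramtech's situation clear: the rule firing on reports.php is 981319, not 950109, so the 950109/981173/981249 removals from earlier in the thread would not help it. Run over a real error_log, the variables column is what to look at before deciding whether a rule should be removed for everyone or only excluded for a specific parameter.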

ramtech
Posts: 54
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech » 29 Mar 2017 22:21

Hi All.
Any wisdom offered on the above question would be greatly appreciated. Thanks in advance.
I really do greatly appreciate all the hard work done by the developers and forum members. :clap:

zane93
Posts: 36
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 » 29 Mar 2017 22:46

To me it looks to be the same issue. It should not hurt anything to apply this fix, and if it does not work then simply remove the added lines.

ramtech
Posts: 54
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech » 29 Mar 2017 23:15

Thanks @Zane93.
I have applied it and restarted MailScanner, but the problem persists, unfortunately.
I should also point out that I am not having the same problems as described by others in this thread.
At this point I will reverse the changes until I hear further.
Thanks again for the input, though.

zane93
Posts: 36
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 » 29 Mar 2017 23:54

Just curious, do you have a very secure, complex password? The first fix did not work for me either; I think it is related to how complex the pw is, but I may be wrong...

ramtech
Posts: 54
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech » 30 Mar 2017 00:24

hmmm... I don't, as a matter of fact. There is only access to the VM on port 22, 80 or 443 from the LAN segment, and then only from 1 IP. Hence, I had been lazy with the password. I will try a more complex one and let you know.

ramtech
Posts: 54
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech » 30 Mar 2017 00:37

Well, a ridiculously complex password solves the issue. (Thanks Zane. Cheers.)
Do you (or anyone else) know what the minimum complexity requirement is now? I could find out by trial and error, but some guidance would be appreciated.
Thanks again.

ramtech
Posts: 54
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech » 30 Mar 2017 05:07

Purely empirical (and by no means exhaustive) evidence suggests that a password with 16 characters and no particular other complexity seems to be the magic number. Though if possible, some direction as to where to locate the actual complexity requirements would still be greatly appreciated.

Antiloop
Posts: 11
Joined: 20 Mar 2014 13:03

Re: 3.0.1.9 permission issues

Post by Antiloop » 30 Mar 2017 10:25

Adding

SecRuleRemoveById 950109

also solved this issue for me.

Looking at /var/log/httpd/modsec_audit.log, it seems to be telling me the password is submitted in plaintext; perhaps this issue can easily be solved by encoding the password first before submitting, as we also have some weird signs in our password which get caught by modsec.

myusername=antiloop&mypassword=PLAINTEXTPASSWORD&Submit=loginSubmit&token=941e0cbc5fb87ba7b54e3b3a92b71ca0ccfe74912d80a5e513cd94bc475ed4cd

shawniverson
Posts: 3029
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson » 09 Apr 2017 16:38

This (and many other) false positives are fixed in 3.0.2.0.