3.0.1.9 permission issues

Report bugs and workarounds
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

3.0.1.9 permission issues

Post by zane93 »

When I try to add an entry to the whitelist in the graylist.

"Move selected entries to whitelist"

"You don't have permission to access /sgwi/connect.php on this server."
full path is /var/www/html/sgwi/connect.php

I have even tried setting connect.php to 0777 and that did not work. Any suggestions?

EDIT *** I got this part to work fine after clearing the browser cache ***
When trying to view the permissions on my Administrator account I get the following error.
"Error: unable to validate security token"
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

Resolved or still an issue?
adrian.leigh
Posts: 7
Joined: 27 Mar 2017 10:30

Re: 3.0.1.9 permission issues

Post by adrian.leigh »

Yes still an issue,

I have found in the http logs that ModSecurity denied access with code 403 (phase 2) on checklogin.php: Multiple URL Encoding detected?

Thanks
Adrian.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

Can you post the complete message from the log?
adrian.leigh
Posts: 7
Joined: 27 Mar 2017 10:30

Re: 3.0.1.9 permission issues

Post by adrian.leigh »

ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:mypassword. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

Ok, the problem is the structure of your password; it must be a really good one :lol:

Let's add this line to /etc/httpd/conf.d/mod_security.conf above </IfModule>:

SecRuleRemoveById 950109

sudo service httpd restart
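As an added illustration (not code from this thread or from the MailScanner project), the Python below reproduces the regex quoted in Adrian's error_log line for CRS rule 950109 and runs it over constructed login-form bodies. ModSecurity's ARGS collection holds values after one round of URL decoding, which parse_qs reproduces, so a password containing a literal "%" followed by something encoding-like is what trips the rule. The field names follow the thread's login form; the passwords and the token value are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Regex from CRS 2.2.6 rule 950109 as quoted in the thread's error_log line,
# with the log's doubled backslashes reduced to the regex's real single ones.
RULE_950109 = re.compile(r"%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def flagged_args(form_body: str) -> dict:
    """Return {arg_name: decoded_value} for every argument rule 950109 would flag.

    parse_qs decodes the body once, as ModSecurity does when it builds ARGS.
    The rule then looks for a '%' that still introduces a hex pair, a %uXXXX
    sequence, or simply a word character (the (?!$|\\W) alternative); both
    values and names are checked here.
    """
    hits = {}
    for name, values in parse_qs(form_body, keep_blank_values=True).items():
        for value in values:
            if RULE_950109.search(value) or RULE_950109.search(name):
                hits[name] = value
    return hits


# Constructed sample bodies as a browser would send them (percent-encoded once).
# Field names follow the thread's checklogin.php form; the token is a placeholder.
SAMPLES = {
    # password "correct horse": no '%' at all after decoding
    "plain":    "myusername=alice&mypassword=correct+horse&Submit=loginSubmit&token=TOKEN_PLACEHOLDER",
    # password "Tr0ub%4dor": '%4d' looks like a second layer of encoding
    "hex_pair": "myusername=alice&mypassword=Tr0ub%254dor&Submit=loginSubmit&token=TOKEN_PLACEHOLDER",
    # password "50%off": '%' followed by a word character is enough
    "word":     "myusername=alice&mypassword=50%25off&Submit=loginSubmit&token=TOKEN_PLACEHOLDER",
    # password "100%": a trailing '%' is not flagged (lookahead sees end of string)
    "trailing": "myusername=alice&mypassword=100%25&Submit=loginSubmit&token=TOKEN_PLACEHOLDER",
}


def triage(samples: dict = SAMPLES) -> dict:
    """Map each sample label to the sorted list of argument names the rule flags."""
    return {label: sorted(flagged_args(body)) for label, body in samples.items()}


if __name__ == "__main__":
    for label, names in triage().items():
        print(f"{label:9s} -> flagged: {names or 'none'}")
```

Running this shows that only the "hex_pair" and "word" bodies are flagged, and only on mypassword, which matches what the log line reports. Removing the rule globally with SecRuleRemoveById works, as the thread does; a narrower option in ModSecurity 2.x is to keep the rule and exclude just the password field from it with SecRuleUpdateTargetById 950109 "!ARGS:mypassword", so the check still applies to every other argument (that directive is a suggestion here, not something the thread uses).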
adrian.leigh
Posts: 7
Joined: 27 Mar 2017 10:30

Re: 3.0.1.9 permission issues

Post by adrian.leigh »

Thanks so much, but I don't have /etc/conf.d/httpd/mod_security.conf?

Adrian.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

Whoops, I got the path backwards; it should be /etc/httpd/conf.d
adrian.leigh
Posts: 7
Joined: 27 Mar 2017 10:30

Re: 3.0.1.9 permission issues

Post by adrian.leigh »

Thanks, I found it :)

I had to put the exception in both locations as I had two <IfModule> sections; the <IfModule mod_security2.c> one was the one that got it working for me again.

Thanks so much for your help.
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 »

The mod_security2.so additions did not work for me. I still have the same issue.


LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
    LoadModule unique_id_module modules/mod_unique_id.so

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109

</IfModule>
<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
	Include modsecurity.d/*.conf
	Include modsecurity.d/activated_rules/*.conf
    
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess Off
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecArgumentSeparator &
    SecCookieFormat 0
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
</IfModule>
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

I think your thread got hijacked from another issue :think:
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

I see same issue here....troubleshooting....
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

Try this one:


     SecRuleRemoveByID 981173
     SecRuleRemoveByID 981249
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 »

Working good now thanks!

So here is what I have for the record.


LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
    LoadModule unique_id_module modules/mod_unique_id.so

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
    SecRuleRemoveByID 981173
    SecRuleRemoveByID 981249

</IfModule>
<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
	Include modsecurity.d/*.conf
	Include modsecurity.d/activated_rules/*.conf
    
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess Off
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecArgumentSeparator &
    SecCookieFormat 0
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
    SecRuleRemoveByID 981173
    SecRuleRemoveByID 981249
</IfModule>
Dark-Sider
Posts: 11
Joined: 14 Mar 2016 11:37

Re: 3.0.1.9 permission issues

Post by Dark-Sider »

Had the same issue; the changes that zane93 applied also worked for me. Maybe this should be added in a future release.
ramtech
Posts: 56
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech »

Hi All,
I've had a similar issue with a slight variation, so I thought I'd check in first before making changes.
My issue is that if I go to run a report, or even add a filter to a report, I get the following 403 ...


You don't have permission to access /mailscanner/reports.php on this server.
My /var/log/httpd/error_log shows...


[Wed Mar 29 10:22:53 2017] [error] [client <--LANIP-->] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at ARGS:operator. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: >= found within ARGS:operator: >="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
At first I thought the fault was intermittent. However I have since discovered that if I am SSH'd in with the same user and sudo'd (e.g. running


sudo tail -f /var/log/httpd/error_log
) then all works with no issue.

Will the changes above still be applicable in this instance? To me it doesn't look to be the case.
ramtech
Posts: 56
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech »

Hi All.
Any wisdom offered on the above question would be greatly appreciated. Thanks in advance.
I really do greatly appreciate all the hard work done by the developers and forum members. :clap:
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 »

To me it looks to be the same issue. It should not hurt anything to apply this fix, and if it does not work then simply remove the added lines.
ramtech
Posts: 56
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech »

Thanks @Zane93.
I have applied and restarted MailScanner but problem persists unfortunately.
I should also point out that, I am not having the same problems as described by others in this thread.
At this point I will reverse the changes until I hear further.
Thanks again for the input though.
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 »

Just curious, do you have a very secure complex password? The first fix did not work for me either. I think it is related to how complex the pw is, but I may be wrong...
ramtech
Posts: 56
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech »

hmmm... I don't, as a matter of fact. There is only access to the VM on ports 22, 80 or 443 from the LAN segment, and then only from 1 IP. Hence, I had been lazy with the password. I will try a more complex one and let you know.
ramtech
Posts: 56
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech »

Well, a ridiculously complex password solves the issue. (Thanks Zane. Cheers)
Do you (or anyone else) know what a minimum complexity requirement is now? I could find by trial and error but, some guidance would be appreciated.
Thanks again.
ramtech
Posts: 56
Joined: 20 Sep 2013 01:31

Re: 3.0.1.9 permission issues

Post by ramtech »

Purely empirical (and by no means exhaustive) evidence suggests that a password with 16 characters and no particular other complexity seems to be the magic number. Though if possible, some direction as to where to locate actual complexity requirements would still be greatly appreciated.
Antiloop
Posts: 11
Joined: 20 Mar 2014 13:03

Re: 3.0.1.9 permission issues

Post by Antiloop »

Adding

    SecRuleRemoveById 950109

also solved this issue for me.

Looking at /var/log/httpd/modsec_audit.log, it seems to be telling me the password is submitted in plaintext; perhaps this issue can easily be solved by encoding the password first before submitting, as we also have some weird signs in our password which get caught by the modsec.

myusername=antiloop&mypassword=PLAINTEXTPASSWORD&Submit=loginSubmit&token=941e0cbc5fb87ba7b54e3b3a92b71ca0ccfe74912d80a5e513cd94bc475ed4cd
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

This (and many other) false positives fixed in 3.0.2.0.