3.0.1.9 permission issues
Posted: 27 Mar 2017 02:55
by zane93
When I try to add an entry to the whitelist in the graylist:
"Move selected entries to whitelist"
"You don't have permission to access /sgwi/connect.php on this server."
full path is /var/www/html/sgwi/connect.php
I have even tried setting connect.php to 0777 and that did not work. Any suggestions?
EDIT: I got this part to work fine after clearing the browser cache.
When trying to view the permissions on my Administrator account I get the following error.
"Error: unable to validate security token"
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 11:35
by shawniverson
Resolved or still an issue?
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 12:20
by adrian.leigh
Yes still an issue,
I have found in the http logs that Modsecurity access denied code 403 (phase 2) on the checklogin.php, Multiple URL Encoding detected?
Thanks
Adrian.
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 12:21
by shawniverson
Can you post the complete message from the log?
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 12:30
by adrian.leigh
ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:mypassword. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 12:37
by shawniverson
Ok, the problem is the structure of your password, must be a really good one.
Let's add this line to /etc/httpd/conf.d/mod_security.conf above </IfModule>:
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 12:45
by adrian.leigh
Thanks so much but I don't have /etc/conf.d/httpd/mod_security.conf ?
Adrian.
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 12:46
by shawniverson
Whoops I got path backwards, should be /etc/httpd/conf.d
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 12:56
by adrian.leigh
Thanks i found it
I had to put the exception in both locations as I had two <IfModule> sections; the <IfModule mod_security2.c> one was the one that got it working for me again.
thanks so much for your help.
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 13:57
by zane93
The mod_security2.so additions did not work for me. I still have the same issue.
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
</IfModule>
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
</IfModule>
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 13:58
by shawniverson
I think your thread got hijacked from another issue
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 14:00
by shawniverson
I see same issue here....troubleshooting....
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 14:04
by shawniverson
Try this one:
SecRuleRemoveByID 981173
SecRuleRemoveByID 981249
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 14:10
by zane93
Working good now thanks!
So here is what I have for the record.
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
SecRuleRemoveByID 981173
SecRuleRemoveByID 981249
</IfModule>
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
SecRuleRemoveByID 981173
SecRuleRemoveByID 981249
</IfModule>
Re: 3.0.1.9 permission issues
Posted: 27 Mar 2017 15:59
by Dark-Sider
Had the same issue, the changes that zane93 applied also worked for me. Maybe this should be added in a future release.
Re: 3.0.1.9 permission issues
Posted: 29 Mar 2017 01:46
by ramtech
Hi All,
I've had a similar issue but slight variation so thought I'd check in first before making changes.
My issue is that if I go to run a report, or even add a filter to a report, I get the following 403:
You don't have permission to access /mailscanner/reports.php on this server.
My /var/log/httpd/error_log shows...
[Wed Mar 29 10:22:53 2017] [error] [client <--LANIP-->] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at ARGS:operator. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: >= found within ARGS:operator: >="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
At first I thought the fault was intermittent. However I have since discovered that if I am SSH'd in with the same user and sudo'd (e.g. running sudo tail -f /var/log/httpd/error_log) then all works with no issue.
Will the changes above still be applicable in this instance? To me it doesn't look to be the case.
Re: 3.0.1.9 permission issues
Posted: 29 Mar 2017 22:21
by ramtech
Hi All.
Any wisdom offered on the above question would be greatly appreciated. Thanks in advance.
I really do greatly appreciate all the hard work done by the developers and forum members.
Re: 3.0.1.9 permission issues
Posted: 29 Mar 2017 22:46
by zane93
To me it looks to be the same issue. It should not hurt anything to apply this fix, and if it does not work then simply remove the added lines.
Re: 3.0.1.9 permission issues
Posted: 29 Mar 2017 23:15
by ramtech
Thanks @Zane93.
I have applied and restarted MailScanner but problem persists unfortunately.
I should also point out that, I am not having the same problems as described by others in this thread.
At this point I will reverse the changes until I hear further.
Thanks again for the input though.
Re: 3.0.1.9 permission issues
Posted: 29 Mar 2017 23:54
by zane93
Just curious, do you have a very secure complex password? The first fix did not work for me either. I think it is related to how complex the password is, but I may be wrong...
Re: 3.0.1.9 permission issues
Posted: 30 Mar 2017 00:24
by ramtech
Hmmm... I don't, as a matter of fact. There is only access to the VM on ports 22, 80 or 443 from the LAN segment, and then only from 1 IP. Hence, I had been lazy with the password. I will try a more complex one and let you know.
Re: 3.0.1.9 permission issues
Posted: 30 Mar 2017 00:37
by ramtech
Well a ridiculously complex password solves the issue. (thanks Zane. Cheers)
Do you (or anyone else) know what a minimum complexity requirement is now? I could find by trial and error but, some guidance would be appreciated.
Thanks again.
Re: 3.0.1.9 permission issues
Posted: 30 Mar 2017 05:07
by ramtech
Purely empirical (and by no means exhaustive) evidence suggests that a password with 16 characters and no particular other complexity seems to be the magic number, though if possible, some direction as to where to locate actual complexity requirements would still be greatly appreciated.
Re: 3.0.1.9 permission issues
Posted: 30 Mar 2017 10:25
by Antiloop
adding
also solved this issue for me
Looking at /var/log/httpd/modsec_audit.log, it seems to be telling me the password is submitted in plaintext; perhaps this issue can easily be solved by encoding the password first before submitting, as we also have some weird signs in our password which get caught by modsec:
myusername=antiloop&mypassword=PLAINTEXTPASSWORD&Submit=loginSubmit&token=941e0cbc5fb87ba7b54e3b3a92b71ca0ccfe74912d80a5e513cd94bc475ed4cd
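Editor's note: the two rules blamed in this thread can be replayed offline to see exactly which password and filter values they block. The script below is an added example for this page; it is not code from the eFa/MailWatch project, from the posters, or from ModSecurity. The two regexes are copied from the error_log lines quoted above (the log's backslash doubling undone). The transformation chain it models, the engine decoding the form body once and rule 950109 then applying t:urlDecodeUni, is my reading of the CRS 2.2.x rule file; the sample passwords, the filter operators, the `admin` username and the token value are constructed, and only the `operator` field from the reports.php log line is modelled.

```python
"""Replay two OWASP CRS 2.2.6 rules from the error_log lines quoted in this
thread (950109 "Multiple URL Encoding Detected" and 981319 "SQL Operator
Detected") against a login POST body shaped like the one in modsec_audit.log.

Added example for this page; not code from eFa/MailWatch or ModSecurity.
The regexes come from the quoted log lines with backslash doubling undone.
The transformation chain (engine decodes the form body once, then the rule
applies t:urlDecodeUni) is my reading of the CRS 2.2.x rule file; passwords,
operators, username and token below are constructed sample data.
"""
import re
from urllib.parse import parse_qsl, quote_plus

# 950109: a '%' that is still present after decoding and is followed by a
# word character, by two hex digits, or by a Microsoft-style %uXXXX sequence.
# The first alternative is what catches ordinary passwords such as "P%ss".
RULE_950109 = re.compile(r"\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# 981319: SQL comparison and logical operators; ">=" and "<=" are in the list,
# which is why a report filter operator of ">=" is blocked.
RULE_981319 = re.compile(
    r"(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)"
    r"|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)"
    r'|(?:(?:^|\W)in[+\s]*\([\s\d"]+[^()]*\))'
    r"|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary))"
)


def urldecode_uni(value: str) -> str:
    """Approximation of ModSecurity's t:urlDecodeUni: decode %XX and %uXXXX,
    leave malformed sequences (e.g. "%ss", a trailing "%") exactly as they are."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%(?:u([0-9a-fA-F]{4})|([0-9a-fA-F]{2}))", repl, value)


def evaluate(body: str) -> dict:
    """Run both rules over every ARGS value of a form body and return
    {"ARGS:<name>": [matching rule ids]}, using the names the log uses."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):  # engine decode
        transformed = urldecode_uni(value)  # t:urlDecodeUni
        ids = []
        if RULE_950109.search(transformed):
            ids.append(950109)
        if RULE_981319.search(transformed):
            ids.append(981319)
        hits[f"ARGS:{name}"] = ids
    return hits


def login_body(username: str, password: str) -> str:
    """Form body a browser sends for the login fields seen in the audit log
    (myusername, mypassword, Submit, token); the token value is constructed."""
    return "&".join([
        "myusername=" + quote_plus(username),
        "mypassword=" + quote_plus(password),
        "Submit=loginSubmit",
        "token=" + "00" * 32,
    ])


def password_trips_950109(password: str) -> bool:
    # "admin" is a constructed username; only the password is under test.
    return 950109 in evaluate(login_body("admin", password))["ARGS:mypassword"]


def operator_trips_981319(operator: str) -> bool:
    # Only the ARGS:operator field named in the reports.php log line is modelled.
    return 981319 in evaluate("operator=" + quote_plus(operator))["ARGS:operator"]


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "P%ssw0rd!", "50%", "P%41ss", "P%2541ss"]:
        print(f"mypassword={pw!r:14} 950109 -> {password_trips_950109(pw)}")
    for op in ["=", ">=", "contains"]:
        print(f"operator={op!r:16} 981319 -> {operator_trips_981319(op)}")
```

Running it shows that 950109 does not care about password length: a single `%` followed by a letter or digit ("P%ssw0rd!") is enough, a trailing `%` or `%` followed by a space is not, and a `%` followed by two hex digits ("P%41ss") is decoded away before the regex runs, so only a value that still contains an encoded sequence after one decode ("P%2541ss") trips the alternative the rule was written for. Because the engine decodes the form body before any rule runs, the rule sees the password as typed, however the browser encoded it. On the reports side, the filter operator `>=` is a literal entry in the 981319 operator list, so any report filter using it is blocked until the rule is excluded. The fix adopted in this thread, `SecRuleRemoveById`, disables each rule for every request to the server; the narrower exception is to drop just the offending parameter from the rule's target list, e.g. `SecRuleUpdateTargetById 950109 !ARGS:mypassword`, placed after the two `Include` lines so the rule already exists when it is modified. Note also that the audit log parts configured above (`ABIJDEFHZ`) include part I, the request body, which is why the plaintext password appears verbatim in modsec_audit.log whenever a login is blocked.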
Re: 3.0.1.9 permission issues
Posted: 09 Apr 2017 16:38
by shawniverson
This (and many other) false positives fixed in 3.0.2.0.