3.0.1.9 permission issues
When I try to add an entry to the white list in the graylist.
"Move selected entries to whitelist"
"You don't have permission to access /sgwi/connect.php on this server."
full path is /var/www/html/sgwi/connect.php
I have even tried setting connect.php to 0777 and that did not work. Any suggestions?
EDIT ***I got this part to work fine after clearing the browser cache****
When trying to view the permissions on my Administrator account I get the following error.
"Error: unable to validate security token"
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: 3.0.1.9 permission issues
Resolved or still an issue?
-
- Posts: 7
- Joined: 27 Mar 2017 10:30
Re: 3.0.1.9 permission issues
Yes still an issue,
I have found in the http logs that Modsecurity access denied code 403 (phase 2) on the checklogin.php, Multiple URL Encoding detected?
Thanks
Adrian.
- shawniverson
Re: 3.0.1.9 permission issues
Can you post the complete message from the log?
-
- Posts: 7
- Joined: 27 Mar 2017 10:30
Re: 3.0.1.9 permission issues
Code: Select all
ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\%((?!$|\\\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:mypassword. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
- shawniverson
Re: 3.0.1.9 permission issues
Ok, problem is the structure of your password, must be a really good one
Let's add this line to /etc/httpd/conf.d/mod_security.conf above </IfModule>:
Code: Select all
SecRuleRemoveById 950109
Code: Select all
sudo service httpd restart
-
- Posts: 7
- Joined: 27 Mar 2017 10:30
Re: 3.0.1.9 permission issues
Thanks so much but I don't have /etc/conf.d/httpd/mod_security.conf ?
Adrian.
- shawniverson
Re: 3.0.1.9 permission issues
Whoops I got path backwards, should be /etc/httpd/conf.d
-
- Posts: 7
- Joined: 27 Mar 2017 10:30
Re: 3.0.1.9 permission issues
Thanks, I found it.
I had to put the exception in the two locations as I had two <if module> sections, the <IfModule mod_security2.c> was the one that got it working for me again.
Thanks so much for your help.
Re: 3.0.1.9 permission issues
The mod_security2.so additions did not work for me. I still have the same issue.
Code: Select all
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
</IfModule>
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
</IfModule>
- shawniverson
Re: 3.0.1.9 permission issues
I think your thread got hijacked from another issue
- shawniverson
Re: 3.0.1.9 permission issues
I see same issue here....troubleshooting....
- shawniverson
Re: 3.0.1.9 permission issues
Try this one:
Code: Select all
SecRuleRemoveByID 981173
SecRuleRemoveByID 981249
Re: 3.0.1.9 permission issues
Working good now thanks!
So here is what I have for the record.
Code: Select all
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
SecRuleRemoveByID 981173
SecRuleRemoveByID 981249
</IfModule>
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
SecRuleRemoveByID 981173
SecRuleRemoveByID 981249
</IfModule>
-
- Posts: 11
- Joined: 14 Mar 2016 11:37
Re: 3.0.1.9 permission issues
Had the same issue, the changes that zane93 applied also worked for me. Maybe this should be added in a future release.
Re: 3.0.1.9 permission issues
Hi All,
I've had a similar issue but slight variation so thought I'd check in first before making changes.
My issue is if I go to run a report, or even add a filter to a report I get the following 403 ...
Code: Select all
You don't have permission to access /mailscanner/reports.php on this server.
My /var/log/httpd/error_log shows...
Code: Select all
[Wed Mar 29 10:22:53 2017] [error] [client <--LANIP-->] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at ARGS:operator. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: >= found within ARGS:operator: >="] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
At first I thought the fault was intermittent. However I have since discovered that if I am SSH'd in with the same user and sudo'd (e.g. running sudo tail -f /var/log/httpd/error_log) then all works with no issue.
Will the changes above still be applicable in this instance? To me it doesn't look to be the case.
Re: 3.0.1.9 permission issues
Hi All.
Any wisdom offered on the above question would be greatly appreciated. Thanks in advance.
I really do greatly appreciate all the hard work done by the developers and forum members.
Re: 3.0.1.9 permission issues
To me it looks to be the same issue. It should not hurt anything to apply this fix and if it does not work then simply remove the added lines.
Re: 3.0.1.9 permission issues
Thanks @Zane93.
I have applied and restarted MailScanner but problem persists unfortunately.
I should also point out that, I am not having the same problems as described by others in this thread.
At this point I will reverse the changes until I hear further.
Thanks again for the input though.
Re: 3.0.1.9 permission issues
Just curious, do you have a very secure complex password? The first fix did not work for me either. I think it is related to how complex the pw is but I may be wrong...
Re: 3.0.1.9 permission issues
hmmm... I don't as a matter of fact. There is only access to the vm on port 22, 80 or 443 from the LAN segment and then only from 1 IP. Hence, I had been lazy with the password. I will try a more complex one and let you know.
Re: 3.0.1.9 permission issues
Well a ridiculously complex password solves the issue. (thanks Zane. Cheers)
Do you (or anyone else) know what a minimum complexity requirement is now? I could find by trial and error but, some guidance would be appreciated.
Thanks again.
Re: 3.0.1.9 permission issues
Purely empirical (and by no means exhaustive) evidence suggests that a password with 16 characters and no particular other complexity seems to be the magic number. 'though if possible, some direction as to where to locate actual complexity requirements would still be greatly appreciated.
Re: 3.0.1.9 permission issues
adding SecRuleRemoveById 950109 also solved this issue for me
looking at /var/log/httpd/modsec_audit.log it seems to be telling me the password is submitted plaintext, perhaps this issue can easily be solved by encoding the password first before submitting, as we also have some weird signs in our password which get caught by the modsec
myusername=antiloop&mypassword=PLAINTEXTPASSWORD&Submit=loginSubmit&token=941e0cbc5fb87ba7b54e3b3a92b71ca0ccfe74912d80a5e513cd94bc475ed4cd
- shawniverson
Re: 3.0.1.9 permission issues
This (and many other) false positives fixed in 3.0.2.0.
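The denials quoted in this thread name both the rule id and the request argument that matched, which is enough to scope an exclusion to that one argument instead of removing the rule for every request. The following is an added example, not code from the thread or from the eFa project: the function names and the sample lines (shortened copies of the two log excerpts above) are constructed here, and it assumes a ModSecurity 2.x build that supports `SecRuleUpdateTargetById`.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the thread with the long
# "Pattern match" text shortened to "...", plus a repeat to show de-duplication.
SAMPLE_LOG = r'''
ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:mypassword. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
[Wed Mar 29 10:22:53 2017] [error] [client <--LANIP-->] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:operator. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: >= found within ARGS:operator: >="] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "PCI/6.5.2"]
ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:mypassword. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"]
'''

# "... at <VARIABLE>. [file" names the request variable the rule matched on.
DENIAL = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)\.'
                    r'.* at (\S+)\. \[file ')
# Bracketed metadata such as [id "950109"]; values may contain escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_denial(line):
    """Return status, phase, target, id, msg and severity for one denial, else None."""
    m = DENIAL.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first value; "tag" repeats
    return {"status": int(m.group(1)), "phase": int(m.group(2)),
            "target": m.group(3), "id": fields.get("id"),
            "msg": fields.get("msg"), "severity": fields.get("severity")}


def narrow_exclusions(log_text):
    """One candidate directive per (rule id, argument) seen in the denials."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        # Only per-argument matches can be excluded by argument name.
        if d and d["id"] and d["target"].startswith("ARGS:"):
            targets[d["id"]].add(d["target"])
    return [f'SecRuleUpdateTargetById {rule_id} "!{target}"'
            for rule_id in sorted(targets) for target in sorted(targets[rule_id])]


if __name__ == "__main__":
    for directive in narrow_exclusions(SAMPLE_LOG):
        print(directive)
```

Each emitted line is a candidate to review, not an automatic fix: the rule stays active for every other argument, so only the named field loses that check. Like the `SecRuleRemoveById` lines in the thread, it has to be placed after the `Include` lines that load the rule files.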