3.0.2.1 - Can't add a particular domain to blacklist

Report bugs and workarounds
maxkmv
Posts: 52
Joined: 28 Apr 2015 14:40

3.0.2.1 - Can't add a particular domain to blacklist

Post by maxkmv »

After today's update to 3.0.2.1, I can no longer add this domain name to the blacklist:

@updatedsleeponlineinfo.top

Only noticed this one so far; others can be added normally. Not even sure why. The error message that comes up:

Forbidden
You don't have permission to access /mailscanner/lists.php on this server.
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by henk »

Noticed the same. It's ModSecurity :doh:
Detects concatenated basic SQL injection and SQLLFI attempts
There is quite a list that will have the same error: union|select|create|rename|truncate|load|alter|delete|update|insert|desc

Try to add:


@selectdsleeponlineinfo.top
and you see the same error.

Possible solution? Disable [id "981247"]?



ModSecurity: Access denied with code 403 (phase 2). 
Pattern match "(?i:(?:[\\\\d\\\\W]\\\\s+as\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\w]+\\\\s*?from)|(?:^[\\\\W\\\\d]+\\\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\\\s+ ..." at ARGS:from.
 [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "254"] [id "981247"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: @update found within ARGS:from: @updatedsleeponlineinfo.top"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQLI"] [hostname "tata.titi.xxx"] [uri "/mailscanner/lists.php"] [unique_id "----------------------------"]
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
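Added example (not code from this thread, MailWatch or the OWASP CRS): a small Python preflight check that runs candidate blacklist/whitelist entries through the two alternatives of rule 981247 that are fully readable in the log line above, plus the readable part of rule 981320 that trips later in this thread, so an operator can see in advance which entries the WAF will reject and why. The regexes are transcribed from the log fragments (the logger's doubled backslashes collapsed, the UTF-8 byte escapes for the typographic quotes written as code points); the third alternative of 981247 is cut off in the log and is not reproduced, and the `northwind` alternative of 981320 is not in the visible fragment but is taken from the rule's "Matched Data" output further down. All inputs are constructed.

```python
import re

# Keyword list quoted by henk above; it forms the second alternative of CRS
# 2.2.x rule 981247 as far as the log line shows it.
SQLI_KEYWORDS = ("union", "select", "create", "rename", "truncate", "load",
                 "alter", "delete", "update", "insert", "desc")

# Rule 981247, first two alternatives only (the third is truncated in the
# log and deliberately left out). The second alternative is anchored at the
# start of the value and needs at least one non-word character or digit
# before the keyword, which is why the leading "@" matters.
RULE_981247_VISIBLE = re.compile(
    r"(?i:(?:[\d\W]\s+as\s*?[\"'`\u00b4\u2019\u2018\w]+\s*?from)"
    r"|(?:^[\W\d]+\s*?(?:" + "|".join(SQLI_KEYWORDS) + r")))"
)

# Rule 981320 ("Common DB Names"), the alternatives readable in the log
# excerpt, plus "northwind", which the log's "Matched Data" proves is in the
# full list. The rest of the real list is not reproduced here.
RULE_981320_VISIBLE = re.compile(
    r"(?i:"
    r"m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships"
    r"|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)"
    r"|aster\.\.sysdatabases|ysql\.db)"
    r"|s(?:ys(?:\.database_name|aux)|chema(?:\W*\(|_name))"
    r"|northwind"  # assumption: taken from "Matched Data: northwind", not from the visible regex
    r")"
)

RULES = (("981247", RULE_981247_VISIBLE), ("981320", RULE_981320_VISIBLE))


def blocking_rules(value):
    """Return [(rule_id, matched_fragment), ...] for the rules above that
    fire on this request-argument value; an empty list means it passes."""
    hits = []
    for rule_id, rx in RULES:
        m = rx.search(value)
        if m is not None:
            hits.append((rule_id, m.group(0)))
    return hits


def preflight(entries):
    """Split candidate list entries into those the visible rules let through
    and those they reject, keeping the reason for each rejection."""
    passed, rejected = [], {}
    for entry in entries:
        hits = blocking_rules(entry)
        if hits:
            rejected[entry] = hits
        else:
            passed.append(entry)
    return passed, rejected


if __name__ == "__main__":
    # Constructed inputs: the two entries from this thread, the same domain
    # without the leading "@" (BliXem's suggestion below), the address that
    # trips 981320 later in the thread, and a harmless control.
    candidates = ["@updatedsleeponlineinfo.top", "@selectdsleeponlineinfo.top",
                  "updatedsleeponlineinfo.top", "user@northwinddomain.com",
                  "@example.com"]
    ok, blocked = preflight(candidates)
    for entry, hits in blocked.items():
        reasons = ", ".join(f"{rid} on '{frag}'" for rid, frag in hits)
        print(f"{entry}: blocked by {reasons}")
    for entry in ok:
        print(f"{entry}: passes the visible checks")
```

The check reproduces the log's `Matched Data: @update`: the `@` satisfies the leading `[\W\d]+` and `update` is the first keyword that fits. Dropping the `@` defeats that alternative, but only that one; the truncated remainder of 981247 and the other CRS rules are not modelled here, so a clean result from this script is not a guarantee that the full rule set will accept the entry.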
BliXem
Posts: 80
Joined: 27 Mar 2017 19:17

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by BliXem »

What if you try to add the domain without the @?
ashweb
Posts: 13
Joined: 05 Feb 2016 12:17

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by ashweb »

I am also not able to add to blacklists or whitelists. I do not see any error in the MailWatch interface; the form submits fine with no ModSecurity errors in the httpd error_log, however the newly added entry does not appear.

I am running 3.0.2.1.
northwindit
Posts: 14
Joined: 11 Apr 2016 18:32

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by northwindit »

Yeah, I have the same problem when trying to release a message:
You don't have permission to access /mailscanner/detail.php on this server.

Seems that version 3.0.1.9 and forward seriously did not go through any quality testing before release.
xenos1983
Posts: 6
Joined: 14 Feb 2017 08:30

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by xenos1983 »

This is almost a real showstopper.

I added the mentioned id 981247 into the modsecurity config and restarted httpd, but it didn't help.
Does anyone know how to fix this? Our customers are using black-/whitelisting very often.

Thanks for the implemented dropdown of allowed domains to be entered.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by shawniverson »

Folks, I'm going to need more information if we want to resolve these issues.

I apologize for the hasty release, we are dealing with security issues, necessitating a rapid release. Unfortunately, it did not go as smoothly as planned.

Please answer the following:

Can you provide one or more samples of B/W list/Release email entries that are not working?

This will greatly help to resolve these issues and find out what the root cause is. I'm sure it is a combination of the validation rules and modsecurity that is the culprit.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by shawniverson »

Fixes released in 3.0.2.2 for several known issues here.

Please post if you continue to have issues on 3.0.2.2.
northwindit
Posts: 14
Joined: 11 Apr 2016 18:32

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by northwindit »

Still receiving forbidden messages when trying to move an item in the greylist to whitelist

You don't have permission to access /sgwi/connect.php on this server.

All SecRules that previous posts mentioned adding have been added:
SecRuleRemoveById 981173
SecRuleRemoveById 981249
SecRuleRemoveById 950109
SecRuleRemoveById 981172

Also the same when clicking the add to blacklist button when viewing a quarantine item:
You don't have permission to access /mailscanner/lists.php on this server.

These errors still occur after updating to 3.0.2.2 clearing browser cache, the whole 9 yards.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by shawniverson »

northwindit wrote: 01 May 2017 14:55 Still receiving forbidden messages when trying to move an item in the greylist to whitelist
Thank you for the feedback.

Please examine the error logs in /var/log/httpd while performing these tasks and post the IDs of the mod_security messages you are getting there, so that we can squash them for you and everybody.
northwindit
Posts: 14
Joined: 11 Apr 2016 18:32

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by northwindit »

These are the lines that jump out at me:

ssl_access_log
10.1.10.116 - - [01/May/2017:11:32:39 -0400] "POST /sgwi/connect.php HTTP/1.1" 200 58876
10.1.10.116 - - [01/May/2017:11:32:40 -0400] "GET /sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc HTTP/1.1" 403 337

10.1.10.116 - - [01/May/2017:11:34:32 -0400] "GET /mailscanner/grey.php HTTP/1.1" 200 6109
10.1.10.116 - - [01/May/2017:11:34:32 -0400] "GET /sgwi/index.php HTTP/1.1" 200 4717
10.1.10.116 - - [01/May/2017:11:34:33 -0400] "POST /sgwi/connect.php HTTP/1.1" 200 60057
10.1.10.116 - - [01/May/2017:11:34:39 -0400] "POST /sgwi/connect.php?action=act HTTP/1.1" 403 218


In ssl_error_log

[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] PHP Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'No index used in query/prepared statement SELECT sender_name, sender_domain, src, rcpt, first_seen FROM co$
[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf$
[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981$
[Mon May 01 11:34:32 2017] [error] [client 10.1.10.116] PHP Notice: A session had already been started - ignoring session_start() in /var/www/html/mailscanner/grey.php on line 4, referer: https://subdomain.domain.com/mailscanne$
[Mon May 01 11:34:32 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:33 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:33 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:39 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|y$
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by shawniverson »

northwindit wrote: 01 May 2017 15:37 [Mon May 01 11:34:39 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|y$
What is the id identified on this line? This line looks truncated.
northwindit
Posts: 14
Joined: 11 Apr 2016 18:32

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by northwindit »

"(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\\\.\\\\.sysdatabases|ysql\\\\.db)|s(?:ys(?:\\\\.database_name|aux)|chema(?:\\\\W*\\\\(|_name)|qlite($
..." at ARGS:chk[]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "84"] [id "981320"] [rev "2"] [msg "SQL Injection Attack: Common DB Names Detected"] [data "Matched Data:
northwind found within ARGS:chk[]: delivery@@pa1call.net@@209.187.110@@email@domain.com"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "subdomain.domain.com"] [uri "/sgwi/connect.php"] [unique_id "WQdNpWBZPYQAAAy0DKQAAAAF"]
northwindit
Posts: 14
Joined: 11 Apr 2016 18:32

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by northwindit »

I have managed to get rid of all the errors by commenting out two lines in:
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf

# -=[ Detect DB Names ]=-
#
#SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysd$
# "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:'981320',logdata:'Matched Data: %{TX.0} f$

While I am sure this opens the system to attacks, I can now release messages, add items to the blacklist, and manage the greylist queue without issues.

If I had to venture a guess without really understanding the depths of ModSecurity, I would say that it is seeing the database name as part of the URL line in the email addresses, as the database name is part of our domain name.
northwind found within ARGS:chk[]: delivery@@pa1call.net@@209.187.110@@user@northwinddomain.com"]
Last edited by northwindit on 01 May 2017 19:44, edited 1 time in total.
northwindit
Posts: 14
Joined: 11 Apr 2016 18:32

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Post by northwindit »

I should mention that just adding that ID to the list of excludes did not actually stop it from running. It only worked after commenting out those lines. Once I commented out those lines I did not proceed in investigating any further, as it was on a production server.
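Added example (not from this thread, MailWatch or the CRS project): a Python script that parses ModSecurity "Access denied" lines like the ones posted above and, for each one that fired on a request argument, emits a ModSecurity rule that removes only that argument from only that rule on only that URI, which is narrower than commenting the whole rule out of modsecurity_crs_41_sql_injection_attacks.conf. The sample log is constructed from the two denials quoted in this thread (regex fragments shortened, a timestamp added to the first line in the format of the others) plus one of the PHP warnings from the same log, which the parser must skip. The rule ids starting at 10001 are an assumption; use a range that does not collide with anything already loaded.

```python
import re

# Constructed sample log: the two denials quoted in this thread plus one
# unrelated PHP warning from the same error_log.
SAMPLE_LOG = r"""
[Sun Apr 30 09:00:00 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:[\\d\\W]\\s+as ..." at ARGS:from. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "254"] [id "981247"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: @update found within ARGS:from: @updatedsleeponlineinfo.top"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQLI"] [hostname "tata.titi.xxx"] [uri "/mailscanner/lists.php"] [unique_id "----------------------------"]
[Mon May 01 11:34:32 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26
[Mon May 01 11:34:39 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:m(?:s(?:ysaccessobjects ..." at ARGS:chk[]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "84"] [id "981320"] [rev "2"] [msg "SQL Injection Attack: Common DB Names Detected"] [data "Matched Data: northwind found within ARGS:chk[]: delivery@@pa1call.net@@209.187.110@@user@northwinddomain.com"] [severity "CRITICAL"] [hostname "subdomain.domain.com"] [uri "/sgwi/connect.php"] [unique_id "WQdNpWBZPYQAAAy0DKQAAAAF"]
"""

# The fixed prefix of a ModSecurity 2.x denial line: status code, phase, the
# pattern (which may itself contain quotes, hence the lazy match up to
# '" at <target>. [file'), and the variable the pattern matched in.
DENIAL_RX = re.compile(
    r'ModSecurity: Access denied with code (?P<code>\d{3}) \(phase (?P<phase>\d)\)\. '
    r'Pattern match "(?P<pattern>.*?)" at (?P<target>\S+?)\. \[file '
)
# The trailing [key "value"] fields (file, line, id, msg, data, uri, ...).
FIELD_RX = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_denials(log_text):
    """Extract rule id, matched variable, URI and phase from every ModSecurity
    'Access denied' line; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = DENIAL_RX.search(line)
        if m is None:
            continue
        fields = dict(FIELD_RX.findall(line))
        if "id" not in fields or "uri" not in fields:
            continue
        events.append({
            "id": fields["id"],
            "uri": fields["uri"],
            "target": m.group("target"),
            "phase": int(m.group("phase")),
            "msg": fields.get("msg", ""),
            "data": fields.get("data", ""),
        })
    return events


def exclusion_rules(events, first_id=10001):
    """One phase-1 rule per distinct (uri, rule id, argument): it strips that
    one argument from that one rule for requests to that URI and leaves the
    CRS rule active for every other parameter and page. Denials that did not
    fire on a request argument (for example a RESPONSE_STATUS match) get no
    rule, because they are not argument false positives."""
    rules, seen = [], set()
    next_id = first_id
    for ev in events:
        if ev["phase"] != 2 or not ev["target"].startswith("ARGS:"):
            continue
        key = (ev["uri"], ev["id"], ev["target"])
        if key in seen:
            continue
        seen.add(key)
        rules.append(
            f'SecRule REQUEST_URI "@beginsWith {ev["uri"]}" '
            f'"id:{next_id},phase:1,pass,nolog,'
            f'ctl:ruleRemoveTargetById={ev["id"]};{ev["target"]}"'
        )
        next_id += 1
    return rules


if __name__ == "__main__":
    for ev in parse_denials(SAMPLE_LOG):
        print(f'# {ev["id"]} on {ev["uri"]} in {ev["target"]}: {ev["data"]}')
    print("\n".join(exclusion_rules(parse_denials(SAMPLE_LOG))))
```

Put the generated lines in a file that Apache reads as part of the ModSecurity configuration (the thread's paths suggest /etc/httpd/modsecurity.d/; whether that directory is globbed is an assumption to verify), run `apachectl configtest`, reload, repeat the blacklist or release action and confirm the id no longer appears in the error log. Two caveats follow from the log lines on this page. First, `SecRuleRemoveById` only affects rules that were already defined above it in the configuration, so a removal directive read before the activated_rules files are included silently removes nothing; the `ctl:ruleRemoveTargetById` form above is evaluated per request in phase 1, before the phase-2 CRS rules run, and does not depend on file order. Second, the phase-4 403 on /sgwi/connect.php earlier in the thread was the outbound rule reacting to the 5xx produced by the PHP fatal error; that is the application failing, not a false positive, and no request-side exclusion will fix it.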