3.0.2.1 - Can't add a particular domain to blacklist
After today's update to 3.0.2.1 - can no longer add this domain name to blacklist:
@updatedsleeponlineinfo.top
Only noticed this one so far - others can add normally. Not even sure why. The error message that comes up:
Forbidden
You don't have permission to access /mailscanner/lists.php on this server.
Re: 3.0.2.1 - Can't add a particular domain to blacklist
Noticed the same. It's Modsecurity.
Try to add:
Code:
@selectdsleeponlineinfo.top
and you see the same error.
Possible solution? Disable [id "981247"]?
Code:
ModSecurity: Access denied with code 403 (phase 2).
Pattern match "(?i:(?:[\\\\d\\\\W]\\\\s+as\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\w]+\\\\s*?from)|(?:^[\\\\W\\\\d]+\\\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\\\s+ ..." at ARGS:from.
[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "254"] [id "981247"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: @update found within ARGS:from: @updatedsleeponlineinfo.top"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQLI"] [hostname "tata.titi.xxx"] [uri "/mailscanner/lists.php"] [unique_id "----------------------------"]
There is quite a list that will have the same error: union|select|create|rename|truncate|load|alter|delete|update|insert|desc ("Detects concatenated basic SQL injection and SQLLFI attempts").
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Re: 3.0.2.1 - Can't add a particular domain to blacklist
If you try to add the domain without @?
- shawniverson
Re: 3.0.2.1 - Can't add a particular domain to blacklist
I am also not able to add to blacklists or whitelists. I do not see any error on the MailWatch interface; the form submits fine with no ModSecurity errors in the httpd error_log, however the newly added entry does not appear.
I am running 3.0.2.1.
- northwindit
Re: 3.0.2.1 - Can't add a particular domain to blacklist
Yeah, I have the same problem when trying to release a message:
You don't have permission to access /mailscanner/detail.php on this server.
Seems that version 3.0.1.9 and forward seriously did not go through any quality testing before release.
Re: 3.0.2.1 - Can't add a particular domain to blacklist
This is almost a real showstopper.
I added the mentioned id 981247 into the modsecurity config and restarted httpd, but it didn't help.
Does anyone know how to fix this? Our customers use black-/whitelisting very often.
Thanks for the implemented dropdown of allowed domains to be entered.
- shawniverson
Re: 3.0.2.1 - Can't add a particular domain to blacklist
Folks, I'm going to need more information if we want to resolve these issues.
I apologize for the hasty release, we are dealing with security issues, necessitating a rapid release. Unfortunately, it did not go as smoothly as planned.
Please answer the following:
Can you provide one or more samples of B/W list/Release email entries that are not working?
This will greatly help to resolve these issues and find out what the root cause is. I'm sure it is a combination of the validation rules and modsecurity that is the culprit.
- shawniverson
Re: 3.0.2.1 - Can't add a particular domain to blacklist
Fixes released in 3.0.2.2 for several known issues here.
Please post if you continue to have issues on 3.0.2.2.
- northwindit
Re: 3.0.2.1 - Can't add a particular domain to blacklist
Still receiving forbidden messages when trying to move an item in the greylist to whitelist
You don't have permission to access /sgwi/connect.php on this server.
All SecRules that were mentioned in the previous posts have been added:
SecRuleRemoveByID 981173
SecRuleRemoveByID 981249
SecRuleRemoveById 950109
SecRuleRemoveById 981172
Also the same when clicking the add to blacklist button when viewing a quarantine item:
You don't have permission to access /mailscanner/lists.php on this server.
These errors still occur after updating to 3.0.2.2, clearing the browser cache, the whole 9 yards.
- shawniverson
Re: 3.0.2.1 - Can't add a particular domain to blacklist
northwindit wrote: ↑01 May 2017 14:55
> Still receiving forbidden messages when trying to move an item in the greylist to whitelist
Thank you for the feedback.
Please examine the error logs in /var/log/httpd while performing these tasks and post the IDs of the mod_security messages you are getting there, so that we can squash them for you and everybody.
- northwindit
Re: 3.0.2.1 - Can't add a particular domain to blacklist
These are the lines that jump out at me:
In ssl_access_log:
10.1.10.116 - - [01/May/2017:11:32:39 -0400] "POST /sgwi/connect.php HTTP/1.1" 200 58876
10.1.10.116 - - [01/May/2017:11:32:40 -0400] "GET /sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc HTTP/1.1" 403 337
10.1.10.116 - - [01/May/2017:11:34:32 -0400] "GET /mailscanner/grey.php HTTP/1.1" 200 6109
10.1.10.116 - - [01/May/2017:11:34:32 -0400] "GET /sgwi/index.php HTTP/1.1" 200 4717
10.1.10.116 - - [01/May/2017:11:34:33 -0400] "POST /sgwi/connect.php HTTP/1.1" 200 60057
10.1.10.116 - - [01/May/2017:11:34:39 -0400] "POST /sgwi/connect.php?action=act HTTP/1.1" 403 218
In ssl_error_log:
[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] PHP Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'No index used in query/prepared statement SELECT sender_name, sender_domain, src, rcpt, first_seen FROM co$
[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf$
[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981$
[Mon May 01 11:34:32 2017] [error] [client 10.1.10.116] PHP Notice: A session had already been started - ignoring session_start() in /var/www/html/mailscanner/grey.php on line 4, referer: https://subdomain.domain.com/mailscanne$
[Mon May 01 11:34:32 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:33 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:33 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:39 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|y$
- shawniverson
Re: 3.0.2.1 - Can't add a particular domain to blacklist
northwindit wrote: ↑01 May 2017 15:37
> [Mon May 01 11:34:39 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|y$
What is the id identified on this line? This line looks truncated.
- northwindit
Re: 3.0.2.1 - Can't add a particular domain to blacklist
"(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\\\.\\\\.sysdatabases|ysql\\\\.db)|s(?:ys(?:\\\\.database_name|aux)|chema(?:\\\\W*\\\\(|_name)|qlite($
..." at ARGS:chk[]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "84"] [id "981320"] [rev "2"] [msg "SQL Injection Attack: Common DB Names Detected"] [data "Matched Data:
northwind found within ARGS:chk[]: delivery@@pa1call.net@@209.187.110@@email@domain.com"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "subdomain.domain.com"] [uri "/sgwi/connect.php"] [unique_id "WQdNpWBZPYQAAAy0DKQAAAAF"]
- northwindit
Re: 3.0.2.1 - Can't add a particular domain to blacklist
I have managed to get rid of all the errors by commenting out two lines in:
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
# -=[ Detect DB Names ]=-
#
#SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysd$
# "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:'981320',logdata:'Matched Data: %{TX.0} f$
While I am sure this opens the system to attacks, I can now release messages, add items to the blacklist, and manage the greylist queue without issues.
If I had to venture a guess without really understanding the depths of modsecurity, I would say that it is seeing the database name as part of the URL line in the email addresses, as the database name is part of our domain name:
northwind found within ARGS:chk[]: delivery@@pa1call.net@@209.187.110@@user@northwinddomain.com"]
Last edited by northwindit on 01 May 2017 19:44, edited 1 time in total.
- northwindit
Re: 3.0.2.1 - Can't add a particular domain to blacklist
I should mention that just adding that ID to the list of excludes did not actually stop it from running. It only worked after commenting out those lines. Once I commented out those lines I did not proceed in investigating any further, as it was on a production server.
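A scoped alternative to commenting rule 981320 out of the CRS file, added here as an example that is not configuration from this thread or from the MailWatch project. It covers both the comment-out workaround above and the note that SecRuleRemoveById had no effect; it assumes the CRS include path shown in the thread's logs and that this snippet lives in a file Apache reads after the CRS rules.

```apache
# Added example (not from the thread or the MailWatch project). Assumes the
# CRS 2.2.x rules are loaded from /etc/httpd/modsecurity.d/activated_rules/
# (the path in the thread's log lines) and that THIS file is included after
# them. SecRuleRemoveById / SecRuleRemoveTargetById only act on rules that
# are already defined when the directive is parsed, so an exclusion placed
# earlier in the configuration is silently ineffective, which is consistent
# with "adding that ID to the list of excludes did not stop it".

# --- Weak setting (what the thread ended up with) --------------------------
# Rule 981320 commented out inside modsecurity_crs_41_sql_injection_attacks.conf.
# The "Common DB Names" check is then gone for every URL on the host, and the
# hand edit is lost the next time the CRS files are updated.

# --- Corrected setting -----------------------------------------------------
# Keep both rules, but stop them inspecting only the request arguments that
# carry e-mail addresses on the affected pages. Argument names (from, chk[])
# and URIs are the ones reported in the ModSecurity log lines in the thread.

# lists.php: "@updatedsleeponlineinfo.top" in ARGS:from tripped 981247 because
# "update" directly follows a non-word character at the start of the value.
<Location "/mailscanner/lists.php">
    SecRuleRemoveTargetById 981247 "ARGS:from"
    SecRuleRemoveTargetById 981320 "ARGS:from"
</Location>

# connect.php: "user@northwinddomain.com" in ARGS:chk[] tripped 981320 because
# "northwind" is one of the sample database names that rule looks for.
<Location "/sgwi/connect.php">
    SecRuleRemoveTargetById 981320 "ARGS:chk[]"
</Location>

# detail.php (message release) returned the same 403 but no rule id was posted
# for it; read the [id "..."] from the error_log and add a matching block
# rather than disabling rules host-wide.

# To confirm the exclusions before enforcing: switch to DetectionOnly, repeat
# the blacklist / release / greylist actions, and check that the error_log now
# shows no "Access denied" lines for ids 981247 and 981320.
# SecRuleEngine DetectionOnly
```

Run `httpd -t` (or `apachectl configtest`) before restarting so a typo in the directives cannot take the web UI down.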