Forbidden error on fresh install

General eFa discussion
r31griffo
Posts: 19
Joined: 31 Mar 2017 05:09

Forbidden error on fresh install

Post by r31griffo »

G'day everyone,

After looking around for a suitable filter to put in front of our Exchange server I've settled on EFA.
I've attempted using both a clean Centos6 build and install and also importing the vmware image into our Xenserver but have had similar problems with each.

I can log in to the web interface and open each link, but when I try and perform some actions I receive a "forbidden" error, eg when attempting to remove a whitelisted domain from the Greylist section I get:

Code:

Forbidden:
You don't have permission to access /sgwi/awl.php on this server.

output from: /var/log/httpd/modsec_audit.log

Code:

--579f384b-B--
POST /sgwi/awl.php?mode=domains&action=del_selection HTTP/1.1
Host: mydomain.com.au
Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Origin: https://mydomain.com.au
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://mydomain.com.au/sgwi/awl.php?mode=domains
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=rl92iivbm38q2su48t41fthpk6

--579f384b-C--
chk%5B%5D=noname%40%40domain.com.au%40%40x.x.x.x
--579f384b-F--
HTTP/1.1 403 Forbidden
Content-Length: 214
Connection: close
Content-Type: text/html; charset=iso-8859-1

--579f384b-E--

--579f384b-H--
Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:chk[].[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"][msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: @ found within ARGS:chk[]: noname@@domain.com.au@@x.x.x.x"]
[ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1490947463109443 1922 (- - -)
Stopwatch2: 1490947463109443 1922; combined=1417, p1=185, p2=1207, p3=0, p4=0, p5=25, sr=37, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--579f384b-Z--

output from: /var/log/httpd/ssl_access_log

Code:

192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET / HTTP/1.1" 200 155
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/ HTTP/1.1" 302 -
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /favicon.ico HTTP/1.1" 200 1150
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/status.php HTTP/1.1" 302 -
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/login.php HTTP/1.1" 200 1418
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/style.css HTTP/1.1" 200 15933
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/images/mailwatch-logo.png HTTP/1.1" 200 15657
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.35.50 - - [31/Mar/2017:19:04:07 +1100] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.35.50 - - [31/Mar/2017:19:04:07 +1100] "GET /mailscanner/status.php HTTP/1.1" 200 5906
192.168.35.50 - - [31/Mar/2017:19:04:10 +1100] "GET /mailscanner/grey.php HTTP/1.1" 200 6001
192.168.35.50 - - [31/Mar/2017:19:04:10 +1100] "GET /sgwi/index.php HTTP/1.1" 200 4716
192.168.35.50 - - [31/Mar/2017:19:04:10 +1100] "GET /sgwi/main.css HTTP/1.1" 200 1045
192.168.35.50 - - [31/Mar/2017:19:04:15 +1100] "POST /sgwi/awl.php?mode=domains HTTP/1.1" 200 4744
192.168.35.50 - - [31/Mar/2017:19:04:15 +1100] "GET /sgwi/main.css HTTP/1.1" 200 1045
192.168.35.50 - - [31/Mar/2017:19:04:23 +1100] "POST /sgwi/awl.php?mode=domains&action=del_selection HTTP/1.1" 403 214

output from: /var/log/httpd/ssl_access_log

Code:

[Fri Mar 31 19:04:15 2017] [error] [client 192.168.35.50] PHP Warning:  mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer: https://mydomain.com.au/sgwi/index.php
[Fri Mar 31 19:04:23 2017] [error] [client 192.168.35.50] ModSecurity: Access denied with code 403 (phase 2).Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:chk[]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"][msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: @ found within ARGS:chk[]: oname@@domain.com.au@@x.x.x.x"] [ver "OWASP_CRS/2.2.6"][maturity "9"] [accuracy "8"] [hostname "mydomain.com.au"] [uri "/sgwi/awl.php"] [unique_id "WN4Nh8CoIwcAABU5BWYAAAAH"]
I hope this makes sense to some of you; let me know if you need more detail.

Cheers,
Brad
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Forbidden error on fresh install

Post by henk »

Hi Brad,

You could try to disable: [id "981173"]

in /etc/httpd/conf.d/mod_security.conf

SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security

SecRuleRemoveById 960017
SecRuleRemoveById 950908

SecRuleRemoveById 981173 <================= disable [id "981173"]

Restart the service and monitor the logs.
And take a look at: viewtopic.php?f=13&t=2283
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
r31griffo
Posts: 19
Joined: 31 Mar 2017 05:09

Re: Forbidden error on fresh install

Post by r31griffo »

Hi Henk,
Thanks for the quick response. I've done a few tests and it looks like it's working now.

I first tried adding "SecRuleRemoveById 981173" in both sections prior to </IfModule>, but this didn't seem to have an effect. I re-read the thread you suggested and added the following to each section of that file above </IfModule>, and it fixed the issue:

Code:

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
    SecRuleRemoveByID 981173
    SecRuleRemoveByID 981249
It's entirely possible I messed something up during the install (twice, using 2 different install methods), but I'm curious if eFa might be broken out of the box at the moment...

Cheers,
Brad
r31griffo
Posts: 19
Joined: 31 Mar 2017 05:09

Re: Forbidden error on fresh install

Post by r31griffo »

I've come across another issue while looking around the interface.

Under Tools and Links > MailScanner Configuration > view_any_rule_file I would get the same forbidden error, and the logs showed more ModSecurity errors. I added the IDs to the file, which now looks like:

Code:

    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
    SecRuleRemoveByID 981173
    SecRuleRemoveByID 981249
    SecRuleRemoveByID 950005
    SecRuleRemoveByID 970901
    SecRuleRemoveByID 981205
On the same page, attempting to open anything in /usr/share/MailScanner/ I get this error:

Code:

Directory traversal attempt blocked.
Unfortunately I'm a little stuck on this one; the httpd logs don't really show anything obvious.
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Forbidden error on fresh install

Post by shawniverson »

I see this as well. Working on it...
r31griffo
Posts: 19
Joined: 31 Mar 2017 05:09

Re: Forbidden error on fresh install

Post by r31griffo »

Hi everyone,

The "Directory Traversal" problem I'm experiencing appears to be caused by an if statement in msrule.php. There's a variable defined that checks for the MailScanner conf directory (/etc/MailScanner) and if the file isn't inside that directory path the result is to display "Directory traversal attempt blocked."

I've made a quick modification to keep me going for now; I believe it maintains the level of security it is trying to impose.
I've pasted the modification below to help highlight the cause of the problem.

Starting at line 42 of msrule.php

Code:

    // limit accessible files to the ones in MailScanner etc and reports directories
    // the following 2 additional lines are a quick mod to allow viewing the Reports dir via ./msconfig.php
    $MailScannerDir = false;
    $MailscannerReportDir = realpath(get_conf_var('%report-dir%'));

    $MailscannerEtcDir = realpath(get_conf_var('%etc-dir%'));
    if (!isset($_GET['file'])) {
        $FilePath = false;
    } else {
        $FilePath = realpath(sanitizeInput($_GET['file']));
    }

    // following if statement allows multiple paths to be checked (defined above);
    // each strpos() must be compared with === 0 on its own: a match at the start
    // of the string returns 0, which is falsy, and a non-match returns false, so
    // (a || b) == 0 would be true even for a path outside both directories
    if ($FilePath !== false
        && (strpos($FilePath, $MailscannerEtcDir) === 0
            || strpos($FilePath, $MailscannerReportDir) === 0)) {
        $MailScannerDir = true;
    }

    // following line modified to allow multiple exclusions to the directory traversal rule
    // if ($FilePath === false || strpos($FilePath, $MailscannerEtcDir) !== 0) {
    if ($FilePath === false || $MailScannerDir === false) {
        //Directory Traversal
        echo "Directory traversal attempt blocked.\n";
Cheers,
Brad
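A stricter form of that containment check, added here as an example and not code from eFa or msrule.php: it resolves the requested file with realpath() and compares it against each permitted directory with a trailing separator, so a sibling such as /etc/MailScannerX cannot pass a plain prefix test. The directory tree it builds under the system temp dir stands in for %etc-dir% and %report-dir% and is constructed for the demo.

```php
<?php
// Added example, not eFa's msrule.php: pass a file only when its resolved
// path sits inside one of the permitted directories.
/**
 * True only if $file resolves to a real path inside one of $allowedDirs.
 * Comparing against the directory plus a trailing separator stops a sibling
 * such as /etc/MailScannerX from passing a prefix test for /etc/MailScanner.
 */
function isInsideAllowedDir(string $file, array $allowedDirs): bool
{
    $resolved = realpath($file); // collapses ../ and symlinks; false if missing
    if ($resolved === false) {
        return false;
    }
    foreach ($allowedDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // a permitted directory that does not exist cannot match
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // strpos() === 0 is the prefix test; a bare strpos() in boolean context
        // reads a match at offset 0 as "not found"
        if (strpos($resolved . DIRECTORY_SEPARATOR, $base) === 0) {
            return true;
        }
    }
    return false;
}

// Self-contained demo: a throwaway tree (constructed) standing in for
// %etc-dir% and %report-dir%, so the check can be exercised offline.
$root = sys_get_temp_dir() . '/msrule-demo-' . getmypid();
foreach (["$root/etc/MailScanner/rules", "$root/var/reports", "$root/etc/MailScannerX"] as $d) {
    mkdir($d, 0700, true);
}
foreach (["$root/etc/MailScanner/rules/spam.whitelist.rules", "$root/var/reports/deleted.txt",
          "$root/etc/MailScannerX/secret.conf", "$root/etc/passwd"] as $f) {
    touch($f);
}
$allowed = ["$root/etc/MailScanner", "$root/var/reports"];
$cases = [
    "$root/etc/MailScanner/rules/spam.whitelist.rules" => true,
    "$root/var/reports/deleted.txt"                    => true,
    "$root/etc/MailScanner/rules/../../passwd"         => false, // traversal
    "$root/etc/MailScannerX/secret.conf"               => false, // sibling prefix
];
foreach ($cases as $path => $expected) {
    printf("%-8s %s\n", isInsideAllowedDir($path, $allowed) === $expected ? 'ok' : 'MISMATCH', $path);
}
```

Every line should print "ok"; the traversal and sibling-prefix cases are the two that a bare strpos() comparison lets through.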