3.0.2.1 - Can't add a particular domain to blacklist

Posted: 13 Apr 2017 09:45
by maxkmv
After today's update to 3.0.2.1 - can no longer add this domain name to blacklist:

@updatedsleeponlineinfo.top

Only noticed this one so far - others can add normally. Not even sure why. The error message that comes up:

Forbidden
You don't have permission to access /mailscanner/lists.php on this server.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 13 Apr 2017 11:28
by henk
Noticed the same. It's Modsecurity :doh:
Detects concatenated basic SQL injection and SQLLFI attempts
There is quite a list that will have the same error: union|select|create|rename|truncate|load|alter|delete|update|insert|desc

Try to add:

@selectdsleeponlineinfo.top
and you see the same error.

Possible solution? Disable [id "981247"]?

ModSecurity: Access denied with code 403 (phase 2). 
Pattern match "(?i:(?:[\\\\d\\\\W]\\\\s+as\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\w]+\\\\s*?from)|(?:^[\\\\W\\\\d]+\\\\s*?(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\\\\s+ ..." at ARGS:from.
 [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "254"] [id "981247"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: @update found within ARGS:from: @updatedsleeponlineinfo.top"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQLI"] [hostname "tata.titi.xxx"] [uri "/mailscanner/lists.php"] [unique_id "----------------------------"]
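The rule that fires here is a plain regular expression, so the false positive can be reproduced outside the web server. The block below is an added illustration, not code from the thread or from the CRS: it reproduces only the `^[\W\d]+\s*?(?:union|select|...)` alternative of rule 981247 that is visible in the log above, shows why a list entry beginning with `@update...` trips it, and contrasts it with a tightened variant (my own suggestion) that requires the SQL keyword to end at a word boundary, so `@updated...` glued to a domain name no longer counts while a genuinely keyword-shaped value still does.

```python
import re

# Fragment of CRS rule 981247 as quoted in the ModSecurity log above: a leading run
# of non-word characters or digits, optional whitespace, then an SQL keyword.
# Only this alternative is reproduced; the real rule has further alternatives.
SQL_KEYWORDS = r"(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc)"
CRS_981247_FRAGMENT = re.compile(r"(?i)^[\W\d]+\s*?" + SQL_KEYWORDS)

# Tightened variant (an assumption for illustration, not a CRS rule): the keyword must
# end at a word boundary, so "@updatedsleep..." is no longer treated as "@update".
TIGHTENED = re.compile(r"(?i)^[\W\d]+\s*?" + SQL_KEYWORDS + r"\b")


def crs_matches(value: str) -> bool:
    """True if the quoted 981247 alternative would block this argument value."""
    return CRS_981247_FRAGMENT.search(value) is not None


def tightened_matches(value: str) -> bool:
    """True if the word-boundary variant would block this argument value."""
    return TIGHTENED.search(value) is not None


def classify(values):
    """Return {value: (crs_blocks, tightened_blocks)} for a batch of list entries."""
    return {v: (crs_matches(v), tightened_matches(v)) for v in values}


if __name__ == "__main__":
    # Constructed sample: the two entries from the thread plus one benign and one
    # keyword-shaped value, to show where the two patterns agree and differ.
    samples = [
        "@updatedsleeponlineinfo.top",   # thread's blocked entry
        "@selectdsleeponlineinfo.top",   # henk's reproduction
        "user@example.com",              # benign, starts with a word character
        "0 union select",                # keyword-shaped, both patterns fire
    ]
    for value, (crs, tight) in classify(samples).items():
        print(f"{value!r:32} CRS-981247={crs!s:5} tightened={tight}")
```

The same word-boundary idea applies to the other keywords in the list (`@description.example` would be caught by the quoted fragment via `desc` but not by the tightened form), and on a ModSecurity host the equivalent change is made in the rules file or by excluding the rule for the affected argument rather than by editing the regex in place.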

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 13 Apr 2017 11:59
by BliXem
If you try to add the domain without @?

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 13 Apr 2017 12:59
by shawniverson

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 25 Apr 2017 10:13
by ashweb
I am also not able to add to blacklists or whitelists. I do not see any error on the Mailwatch interface - the form submits fine with no ModSecurity errors in the httpd error_log, however the newly added entry does not appear.

I am running 3.0.2.1.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 25 Apr 2017 18:59
by northwindit
Yeah, I have the same problem when trying to release a message:
You don't have permission to access /mailscanner/detail.php on this server.

Seems that version 3.0.1.9 and forward seriously did not go through any quality testing before release.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 27 Apr 2017 21:40
by xenos1983
This is almost a real showstopper.

I added the mentioned id 981247 into the modsecurity config and restarted httpd, but it didn't help.
Does anyone know how to fix this? Our customers are using black-/whitelisting very often.

Thanks for the implemented dropdown of allowed domains to be entered.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 29 Apr 2017 12:40
by shawniverson
Folks, I'm going to need more information if we want to resolve these issues.

I apologize for the hasty release, we are dealing with security issues, necessitating a rapid release. Unfortunately, it did not go as smoothly as planned.

Please answer the following:

Can you provide one or more samples of B/W list/Release email entries that are not working?

This will greatly help to resolve these issues and find out what the root cause is. I'm sure it is a combination of the validation rules and modsecurity that is the culprit.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 29 Apr 2017 15:01
by shawniverson
Fixes released in 3.0.2.2 for several known issues here.

Please post if you continue to have issues on 3.0.2.2.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 01 May 2017 14:55
by northwindit
Still receiving forbidden messages when trying to move an item in the greylist to the whitelist:

You don't have permission to access /sgwi/connect.php on this server.

All SecRules that have been mentioned to add in the previous posts have been added:
SecRuleRemoveByID 981173
SecRuleRemoveByID 981249
SecRuleRemoveById 950109
SecRuleRemoveById 981172

Also the same when clicking the add to blacklist button when viewing a quarantine item:
You don't have permission to access /mailscanner/lists.php on this server.

These errors still occur after updating to 3.0.2.2, clearing the browser cache, the whole 9 yards.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 01 May 2017 15:12
by shawniverson
northwindit wrote: 01 May 2017 14:55 Still receiving forbidden messages when trying to move an item in the greylist to whitelist
Thank you for the feedback.

Please examine the logs in /var/log/httpd (error logs) while performing these tasks and post the IDs of the mod_security messages shown there, so that we can squash them for you and everybody.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 01 May 2017 15:37
by northwindit
These are the lines that jump out at me:

ssl_access_log
10.1.10.116 - - [01/May/2017:11:32:39 -0400] "POST /sgwi/connect.php HTTP/1.1" 200 58876
10.1.10.116 - - [01/May/2017:11:32:40 -0400] "GET /sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc HTTP/1.1" 403 337

10.1.10.116 - - [01/May/2017:11:34:32 -0400] "GET /mailscanner/grey.php HTTP/1.1" 200 6109
10.1.10.116 - - [01/May/2017:11:34:32 -0400] "GET /sgwi/index.php HTTP/1.1" 200 4717
10.1.10.116 - - [01/May/2017:11:34:33 -0400] "POST /sgwi/connect.php HTTP/1.1" 200 60057
10.1.10.116 - - [01/May/2017:11:34:39 -0400] "POST /sgwi/connect.php?action=act HTTP/1.1" 403 218
In ssl_error_log

[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] PHP Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'No index used in query/prepared statement SELECT sender_name, sender_domain, src, rcpt, first_seen FROM co$
[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 4). Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf$
[Mon May 01 11:32:40 2017] [error] [client 10.1.10.116] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981$
[Mon May 01 11:34:32 2017] [error] [client 10.1.10.116] PHP Notice: A session had already been started - ignoring session_start() in /var/www/html/mailscanner/grey.php on line 4, referer: https://subdomain.domain.com/mailscanne$
[Mon May 01 11:34:32 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:33 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:33 2017] [error] [client 10.1.10.116] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer:$
[Mon May 01 11:34:39 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|y$

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 01 May 2017 16:44
by shawniverson
northwindit wrote: 01 May 2017 15:37 [Mon May 01 11:34:39 2017] [error] [client 10.1.10.116] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|y$
What is the id identified on this line? This line looks truncated.

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 01 May 2017 16:57
by northwindit
"(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\\\\.\\\\.sysdatabases|ysql\\\\.db)|s(?:ys(?:\\\\.database_name|aux)|chema(?:\\\\W*\\\\(|_name)|qlite($
..." at ARGS:chk[]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "84"] [id "981320"] [rev "2"] [msg "SQL Injection Attack: Common DB Names Detected"] [data "Matched Data:
northwind found within ARGS:chk[]: delivery@@pa1call.net@@209.187.110@@email@domain.com"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "subdomain.domain.com"] [uri "/sgwi/connect.php"] [unique_id "WQdNpWBZPYQAAAy0DKQAAAAF"]

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 01 May 2017 17:11
by northwindit
I have managed to get rid of all the errors by commenting out two lines in:
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf

# -=[ Detect DB Names ]=-
#
#SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:m(?:s(?:ysaccessobjects|ysaces|ysobjects|ysqueries|ysrelationships|ysaccessstorage|ysaccessxml|ysmodules|ysmodules2|db)|aster\.\.sysd$
# "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack: Common DB Names Detected',id:'981320',logdata:'Matched Data: %{TX.0} f$

While I am sure this opens the system to attacks, I can now release messages, add items to the blacklist, and manage the greylist queue without issues.

If I had to venture a guess without really understanding the depths of modsecurity, I would say that it is seeing the database name as part of the URL line in the email addresses, as the database name is part of our domain name:
northwind found within ARGS:chk[]: delivery@@pa1call.net@@209.187.110@@user@northwinddomain.com"]

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 01 May 2017 19:43
by shawniverson

Re: 3.0.2.1 - Can't add a particular domain to blacklist

Posted: 01 May 2017 19:57
by northwindit
I should mention that just adding that ID to the list of excludes did not actually stop it from running. It only worked after commenting out those lines. Once I commented out those lines I did not proceed in investigating any further, as it was on a production server.