Issue with ResourceSpace app and mod_security

I have a project with ResourceSpace (it's an old project, really only used as an archive now, since we have moved on from this app), and occasionally it needs to be accessed to download some images.

We are now running into the problem that users cannot download, because we get the following error:

[Mon Feb 14 13:30:15.118594 2022] [:error] [pid 3078:tid 140588028520192] [client 12.34.56.78:38860] [client 12.34.56.78] ModSecurity: Warning. Pattern match "(?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s[\(,@\'\"\s] (?:[\w'\"\./]+/|[\\'\"\^]\w[\\'\"\^] :.\\|[\^\.\w '\"/\\] \\)?[\"\^](?:s[\"\^] (?:y[\"\^]s[\"\^] (?:t[\"\^]e[\"\^] m[\"\^](?:p[\"\^] r[\"\^]o[\"\^] p[\"\^]*e ..." at ARGS:url. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "294"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: &sort found within ARGS:url: https://jlam.com/rs/pages/download_progress.php?ref=18275&search=%21collection1887494+&order_by=date&offset=0&restypes=&starsearch=&archive=&per_page=120&default_sort_direction=DESC&sort=DESC&context=Root&k=&curpos=&size=&ext=jpg"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "jlam.com"] [uri "/rs/pages/terms.php"] [unique_id "YgpZZ1rt9JAgpUSzT3i4UwAAAAc"], referer: https://jlam.com/rs/pages/view.php?search=%21collection1887494+&k=&modal=&display=thumbs&order_by=date&offset=0&per_page=120&archive=&sort=DESC&restypes=&recentdaylimit=&foredit=&noreload=true&access=&ref=18275

[Mon Feb 14 13:30:15.127329 2022] [:error] [pid 3078:tid 140588028520192] [client 12.34.56.78:38860] [client 12.34.56.78] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "jlam.com"] [uri "/rs/pages/terms.php"] [unique_id "YgpZZ1rt9JAgpUSzT3i4UwAAAAc"], referer: https://jlam.com/rs/pages/view.php?search=%21collection1887494+&k=&modal=&display=thumbs&order_by=date&offset=0&per_page=120&archive=&sort=DESC&restypes=&recentdaylimit=&foredit=&noreload=true&access=&ref=18275

A colleague posted this on the "Google Group", since that is their only "forum", but we got zero replies. I'm not sure whether this is a false positive, or whether there really is a problem that should be looked into? Thanks.

Core Rule Set developer on duty here. To confirm: the error log entries appear when a user performs a legitimate action (a download, as you describe)? And the URL in your error message:

https://jlam.com/rs/pages/download_progress.php?ref=18275

looks legitimate? If so, then your gut feeling is right: that is indeed a false positive! Core Rule Set rule 932115 is matching incorrectly.

False positives need to be eliminated in order for a given web application to be fully usable behind the WAF. We describe in detail how to do this in the official documentation, which you can find here: https://coreruleset.org/docs/configuring/false_positives_tuning/

Let's look at the exact problem in your example:

[data "Matched Data: &sort found within ARGS:url: https://jlam.com/rs/...&sort=DESC...

Rule 932115 looks for Windows commands, one of which is sort, so this rule matches.

If you are happy that this really is a false positive and the use of sort here is legitimate (it looks innocent in context), then you could try applying a rule exclusion like the following:

# CRS Rule Exclusion: 932115 - Remote Command Execution: Windows Command
#                              Injection
#
# Prevent "sort=DESC" from setting off this rule when it appears in the URL
# argument.
SecRule REQUEST_URI "@beginsWith /rs/pages/terms.php" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=932115;ARGS:url"

This rule exclusion will exclude the url argument from rule 932115, only for locations beginning with /rs/pages/terms.php. If this false positive also shows up in other locations then you will need to account for that, but based on the error log you provided, this rule exclusion (RE) should do the trick.
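The triage above was done by hand; as an added example (not from this thread or from the CRS project), the following Python parses the two error-log entries quoted in the question, keeps only the rule that actually scored (skipping the 949110 blocking decision, whose target is TX:anomaly_score), and drafts the same ruleRemoveTargetById exclusion from the rule id, variable and URI it finds. The sample text is a trimmed copy of the posted log, and the field regexes are my assumption about the `[key "value"]` layout.

```python
import re
from collections import Counter

# Constructed sample: the two error-log entries from the thread above, with the
# long rule regex trimmed to "..." and some tags dropped; the rest is as posted.
SAMPLE_LOG = [
    '[Mon Feb 14 13:30:15.118594 2022] [:error] [pid 3078:tid 140588028520192] '
    '[client 12.34.56.78:38860] ModSecurity: Warning. Pattern match "..." at ARGS:url. '
    '[file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] '
    '[line "294"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] '
    '[data "Matched Data: &sort found within ARGS:url: https://jlam.com/rs/pages/'
    'download_progress.php?ref=18275&sort=DESC"] [severity "CRITICAL"] '
    '[ver "OWASP_CRS/3.3.0"] [hostname "jlam.com"] [uri "/rs/pages/terms.php"]',
    '[Mon Feb 14 13:30:15.127329 2022] [:error] [pid 3078:tid 140588028520192] '
    '[client 12.34.56.78:38860] ModSecurity: Access denied with code 403 (phase 2). '
    'Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/'
    'activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[hostname "jlam.com"] [uri "/rs/pages/terms.php"]',
]

# [key "value"] pairs (assumes values contain no embedded quotes), and the
# variable named after "... at ARGS:url." in the message text.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
TARGET_RE = re.compile(r' at ([A-Za-z_]+(?::[^\s\]]+)?)\. \[file ')

def parse_entry(line: str) -> dict:
    """Return the bracketed fields of one entry plus the matched variable."""
    fields = dict(FIELD_RE.findall(line))
    m = TARGET_RE.search(line)
    fields["target"] = m.group(1) if m else ""
    return fields

def scoring_hits(lines) -> Counter:
    """Count (rule id, variable, uri) triples that added anomaly score.
    TX:* entries (949110 only reports the total) are skipped: excluding
    949110 itself would switch blocking off rather than fix the cause."""
    hits = Counter()
    for entry in map(parse_entry, lines):
        if entry["target"] and not entry["target"].startswith("TX:"):
            hits[(entry["id"], entry["target"], entry["uri"])] += 1
    return hits

def draft_exclusion(rule_id: str, target: str, uri: str, local_id: int) -> str:
    """Render the exclusion from the answer: drop only the offending
    variable from the rule, and only under the matching URI prefix."""
    return (f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n'
            f'    "id:{local_id},\\\n    phase:1,\\\n    pass,\\\n    nolog,\\\n'
            f'    ctl:ruleRemoveTargetById={rule_id};{target}"')
```

Run it over a day of real error-log lines and the counter tells you which (rule, variable, URI) triples recur, which is the list of exclusions worth writing; anything with a small count deserves a look at the matched data before it is excluded.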