coreruleset: False positives - PrestaShop 1.7.7.3
Description
Iβm trying to save product in PrestaShop 1.7.7.3. I am receiving error 403 and several false positives in log file.
Audit Logs / Triggered Rule Numbers
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9b3b2bc0 [id "932150"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "463"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9b3b2bc0 [id "932150"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "463"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9bc98608 [id "941160"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "199"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9bc71920 [id "941200"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "299"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Warning. Pattern match "\\\\\\\\xbc[^\\\\\\\\xbe>]*[\\\\\\\\xbe>]|<[^\\\\\\\\xbe]*\\\\\\\\xbe" at ARGS:form[step1][description][1]. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: XXX"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152 [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9bc48e98 [id "941350"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "573"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "152"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.1"] [tag "event-correlation"] [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]
Your Environment
- CRS version (e.g., v3.2.0): v3.3.1-rc1 (same on v3.3.0)
- Paranoia level setting: 1
- ModSecurity version (e.g., 2.9.3): 2.9.3
- Web Server and version (e.g., apache 2.4.41): Apache/2.4.38 (Debian)
- Operating System and version: Debian 10
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 19 (10 by maintainers)
Contact me whenever you ready!
Sure. Thank you once again!