coreruleset: False positives - PrestaShop 1.7.7.3

Description

I'm trying to save a product in PrestaShop 1.7.7.3. I am receiving error 403 and several false positives in the log file.

Audit Logs / Triggered Rule Numbers

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9b3b2bc0 [id "932150"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "463"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9b3b2bc0 [id "932150"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "463"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9bc98608 [id "941160"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "199"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9bc71920 [id "941200"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "299"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Warning. Pattern match "\\\\\\\\xbc[^\\\\\\\\xbe>]*[\\\\\\\\xbe>]|<[^\\\\\\\\xbe]*\\\\\\\\xbe" at ARGS:form[step1][description][1]. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: XXX"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152 [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Rule 7f0f9bc48e98 [id "941350"][file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "573"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "152"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]

Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 46.29.20.225] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.1-rc1/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.1"] [tag "event-correlation"] [hostname "domain.com"] [uri "/adminXXX/index.php/sell/catalog/products/206"] [unique_id "YHa1hxtUeu@2oJrdNR6ohQAAAAM"]

Your Environment

  • CRS version (e.g., v3.2.0): v3.3.1-rc1 (same on v3.3.0)
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 2.9.3
  • Web Server and version (e.g., apache 2.4.41): Apache/2.4.38 (Debian)
  • Operating System and version: Debian 10

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
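
One way to triage the log above, added here as an example and not part of the original report or of the CRS project: it groups entries by `unique_id` and separates rules that aborted with "PCRE limits exceeded" from the rule whose pattern match is reported alongside the 403. The sample lines are abridged copies of the entries in this issue; `triage`, `SAMPLE_LOG` and the other names are hypothetical.

```python
import re
from collections import defaultdict

UID = "YHa1hxtUeu@2oJrdNR6ohQAAAAM"
# Sample input: abridged copies of the log entries in this issue (prefix, tags, pattern dropped).
SAMPLE_LOG = f'''\
ModSecurity: Rule 7f0f9b3b2bc0 [id "932150"][file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "463"] - Execution error - PCRE limits exceeded (-8): (null). [unique_id "{UID}"]
ModSecurity: Rule 7f0f9b3b2bc0 [id "932150"][file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "463"] - Execution error - PCRE limits exceeded (-8): (null). [unique_id "{UID}"]
ModSecurity: Rule 7f0f9bc98608 [id "941160"][file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "199"] - Execution error - PCRE limits exceeded (-8): (null). [unique_id "{UID}"]
ModSecurity: Warning. Pattern match "<abridged>" at ARGS:form[step1][description][1]. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [severity "CRITICAL"] [unique_id "{UID}"]
ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "152"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [unique_id "{UID}"]
ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [unique_id "{UID}"]
'''

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')   # [key "value"] metadata pairs
TARGET = re.compile(r' at (\S+)\. \[')       # variable the operator matched on
SCORE = re.compile(r'Total Score: (\d+)')
REPORTING = {"949110", "980130"}             # blocking evaluation / correlation rules in this log


def triage(log_text):
    """Group entries by unique_id and record each rule's role in the transaction."""
    txns = defaultdict(lambda: {"pcre_errors": [], "matches": [],
                                "blocked_by": None, "score": None})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        uid, rule = fields.get("unique_id"), fields.get("id")
        if not uid or not rule:
            continue
        txn = txns[uid]
        if "PCRE limits exceeded" in line:
            # Execution error, not a pattern match; the same entry may be logged twice.
            if rule not in txn["pcre_errors"]:
                txn["pcre_errors"].append(rule)
        elif "Access denied" in line:
            txn["blocked_by"] = rule
            m = SCORE.search(line)
            txn["score"] = int(m.group(1)) if m else None
        elif rule not in REPORTING:
            m = TARGET.search(line)
            txn["matches"].append((rule, m.group(1) if m else None))
    return dict(txns)


if __name__ == "__main__":
    for uid, t in triage(SAMPLE_LOG).items():
        print(uid, t)
```

On the sample, 932150 and 941160 are listed as execution errors, 941310 at `ARGS:form[step1][description][1]` is the only reported match, and 949110 is the blocking rule with a total score of 5.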

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 19 (10 by maintainers)

Most upvoted comments

You are welcome 😃

@azurit it would be a great opportunity for me to test your exclusion rules for PrestaShop. 😃

I will contact you when it's ready for testing.

Contact me whenever you are ready!

Can we close this issue?

Sure. Thank you once again!