coreruleset: Problem with exclusion rules and ruleRemoveTargetByTag
_Issue originally created by user j0k2r on date 2019-06-03 11:39:16. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1444._
Hi guys,
I use OWASP CRS to protect a WordPress application, and I noticed some suspicious behavior (or I misunderstand how exclusion rules work).
For example, the request:
```http
POST /wp-login.php HTTP/1.1
Accept: '*/*'
Content-Length: '124'
Content-Type: application/x-www-form-urlencoded
Host: example.fr
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

log=abc&redirect_to=https%3A%2F%2Fexample.fr%2Fwp-admin%2F&wp-submit=log+In&testcookie=1&rememberme=forever&pwd=abc%21%40%23
```
is blocked by the rule 942100, caused by pwd=abc%21%40%23:
```
[155955490319.192434] [/wp-login.php] [9] Target value: "abc!@#" (Variable: ARGS:pwd)
[155955490319.192434] [/wp-login.php] [4] detected SQLi using libinjection with fingerprint 'novc' at: 'abc!@#'
[155955490319.192434] [/wp-login.php] [7] Added DetectSQLi match TX.0: novc
[155955490319.192434] [/wp-login.php] [9] Matched vars updated.
[155955490319.192434] [/wp-login.php] [4] Running [independent] (non-disruptive) action: setvar
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:anomaly_score_pl1 with value: 5
[155955490319.192434] [/wp-login.php] [4] Running [independent] (non-disruptive) action: setvar
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:sql_injection_score with value: 5
[155955490319.192434] [/wp-login.php] [4] Running [independent] (non-disruptive) action: setvar
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:msg with value: SQL Injection Attack Detected via libinjection
[155955490319.192434] [/wp-login.php] [4] Running [independent] (non-disruptive) action: setvar
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:942100-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-ARGS:pwd with value: abc!@#
```
But since I enabled the WordPress exclusion rules, this should not be triggered (exclusion rule 9002100):
```
[155955490319.192434] [/wp-login.php] [8] Saving variable: TX:crs_exclusions_wordpress with value: 1
```
The exclusion rule (9002100) "ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd" should prevent 942100 from being triggered.
PS: When I explicitly set the "CRS" tag in rule 942100 (tag:'CRS'), it works like a charm.
Environment
ModSecurity v3/master c7fe50e, CRS version v3.1.0
Confirmation
[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Seems to be related to: #1419
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 15
User j0k2r commented on date 2019-06-04 08:46:06:
Hi theMiddleBlue,
Same problem, it works when I explicitly specify the target rule:
But not with the range ID:
User dune73 commented on date 2019-06-03 13:51:29:
Adding it to tonight’s agenda.
User theMiddleBlue commented on date 2019-06-03 13:25:10:
yes, this patch https://github.com/SpiderLabs/ModSecurity/pull/2032 fixes only the problem described here https://github.com/SpiderLabs/ModSecurity/issues/1960.
Uhm sorry: I missed this:
I've done some tests, and you're right. I can confirm that this is a different bug on v3… 😞 My test:
the request
```
curl -v 'http://localhost/?foo=bar&z=xxx'
```
is blocked anyway. Just by adding tag:'CRS' to rule 1000, it works as expected… Testing it on v2, it works by matching CRS inside the tag string (as expected).

I'm going to open an issue on ModSecurity and reopen this to keep track of this bug.
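To make the difference between the two tag-matching behaviours discussed in this thread concrete, here is an added example (not code from the thread, CRS or ModSecurity) that models how `ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd` would affect rule 942100 under v2-style regex matching versus the exact-string matching the reporter observed on v3. The rule model is constructed: only the tag `OWASP_CRS/WEB_ATTACK/SQL_INJECTION` comes from the log above, and the remaining tags and target list are sample values.

```python
import re

# Constructed model of the thread's case: rule 942100 inspects the ARGS
# collection, which covers ARGS:pwd. Only OWASP_CRS/WEB_ATTACK/SQL_INJECTION
# is taken from the log in this thread; the other tags and the target list
# are sample values, not copied from the CRS rule file.
RULE_942100 = {
    "id": 942100,
    "tags": ["attack-sqli", "OWASP_CRS/WEB_ATTACK/SQL_INJECTION", "paranoia-level/1"],
    "targets": ["ARGS", "ARGS_NAMES", "REQUEST_COOKIES"],
}


def tag_matches(tag, pattern, exact):
    """v2 semantics (exact=False): the pattern is a regex searched inside each
    tag, so 'CRS' hits 'OWASP_CRS/...'. exact=True models the v3 behaviour
    reported in this thread: the whole tag must equal the pattern string."""
    return tag == pattern if exact else re.search(pattern, tag) is not None


def still_inspects(rule, pattern, variable, exact=False):
    """Return True if `rule` still inspects `variable` (e.g. 'ARGS:pwd') after
    ctl:ruleRemoveTargetByTag=<pattern>;<variable> has been applied.
    A variable is covered when its collection (the part before ':') or the
    variable itself is among the rule's targets; it is excluded only when at
    least one of the rule's tags matches the pattern."""
    collection = variable.split(":", 1)[0]
    covered = collection in rule["targets"] or variable in rule["targets"]
    excluded = any(tag_matches(t, pattern, exact) for t in rule["tags"])
    return covered and not excluded


def with_extra_tag(rule, tag):
    """Copy of the rule with one more tag, as when the reporter added tag:'CRS'."""
    return {**rule, "tags": rule["tags"] + [tag]}


if __name__ == "__main__":
    for exact in (False, True):
        mode = "exact match (v3 as reported)" if exact else "regex match (v2)"
        hit = still_inspects(RULE_942100, "CRS", "ARGS:pwd", exact)
        print(f"{mode}: ARGS:pwd {'still inspected' if hit else 'excluded'}")
```

Under exact matching the exclusion only takes effect once a tag literally equal to `CRS` is present on the rule, which is exactly the workaround the reporter described.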