coreruleset: WordPress /wp-admin/site-health.php triggers

Description

Trying to open /wp-admin/site-health.php triggers a 403 despite being a legit request, and despite the WP exception rules being enabled in /etc/modsecurity/crs/crs-setup.conf:

SecAction \
    "id:900130,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.crs_exclusions_wordpress=1"

Audit Logs / Triggered Rule Numbers

Message: Warning. Pattern match "(?i)(?:System\\.Data\\.OleDb\\.OleDbException|\\[Microsoft\\]\\[ODBC SQL Server Driver\\]|\\[Macromedia\\]\\[SQLServer JDBC Driver\\]|\\[SqlException|System\\.Data\\.SqlClient\\.SqlException|Unclosed quotation mark after the character string|'80040e14' ..." at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"] [line "340"] [id "951220"] [msg "mssql SQL Information Leakage"] [data "Matched Data: SQL server is up to date\x22,\x22status\x22:\x22good\x22,\x22badge\x22:{\x22label\x22:\x22Performance\x22,\x22color\x22:\x22blue\x22},\x22description\x22:\x22<p>The SQL server is a required piece of software for the database WordPress uses to store all your site&#8217;s content and settings.<\x5c/p>\x22,\x22actions\x22:\x22<p><a href=\x5c\x22https:\x5c/\x5c/wordpress.org\x5c/about\x5c/requirements\x5c/\x5c\x22 target=\x5c\x22_blank\x5c\x22 rel=\x5c\x22noopener\x5c\x22>Learn more about what ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "applic
Message: Warning. Pattern match "(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "72"] [id "953110"] [msg "PHP source code leakage"] [data "Matched Data: session_start found within RESPONSE_BODY: <!DOCTYPE html>\x0a<html class=\x22wp-toolbar\x22\x0a\x09lang=\x22en-GB\x22>\x0a<head>\x0a<meta http-equiv=\x22Content-Type\x22 content=\x22text/html; charset=UTF-8\x22 />\x0a\x09<title>Site Health Status &lsaquo; mysite.com &#8212; WordPress</title>\x0a<script type=\x22text/javascript\x22>\x0aaddLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload..."] [severity "ERROR"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "
Message: Access denied with code 403 (phase 4). Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "76"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 9)"] [ver "OWASP_CRS/3.3.0"] [tag "anomaly-evaluation"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "102"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 9): individual paranoia level scores: 9, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 2a0b:f4c2:1::1] ModSecurity: Warning. Pattern match "(?i)(?:System\\\\\\\\.Data\\\\\\\\.OleDb\\\\\\\\.OleDbException|\\\\\\\\[Microsoft\\\\\\\\]\\\\\\\\[ODBC SQL Server Driver\\\\\\\\]|\\\\\\\\[Macromedia\\\\\\\\]\\\\\\\\[SQLServer JDBC Driver\\\\\\\\]|\\\\\\\\[SqlException|System\\\\\\\\.Data\\\\\\\\.SqlClient\\\\\\\\.SqlException|Unclosed quotation mark after the character string|'80040e14' ..." at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"] [line "340"] [id "951220"] [msg "mssql SQL Information Leakage"] [data "Matched Data: SQL server is up to date\\\\x22,\\\\x22status\\\\x22:\\\\x22good\\\\x22,\\\\x22badge\\\\x22:{\\\\x22label\\\\x22:\\\\x22Performance\\\\x22,\\\\x22color\\\\x22:\\\\x22blue\\\\x22},\\\\x22description\\\\x22:\\\\x22<p>The SQL server is a required piece of software for the database WordPress uses to store all your site&#8217;s content and settings.<\\\\x5c/p>\\\\x22,\\\\x22actions\\\\x22:\\\\x22<p><a href=\\\\x5c\\\\x22https:\\\\x5c/\\\\x5c/wordpress.org\\\\x5c/about\\\\x5c/requirements\\\\x5c/\\\\x5c\\\\x22 target=\\\\x5c\\\\x22_blank\\\\x5c\\\\x22 rel=\\\\x5c\\\\x22noopener\\\\x5c\\\\x22>Learn more about what ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "applic [hostname "mysite.com"] [uri "/wp-admin/site-health.php"] [unique_id "YNsA-Eye9KCGHwEDyWp6iAAAAAw"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 2a0b:f4c2:1::1] ModSecurity: Warning. Pattern match "(?:\\\\\\\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\\\\\\\$_(?:(?:pos|ge)t|session))\\\\\\\\b" at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "72"] [id "953110"] [msg "PHP source code leakage"] [data "Matched Data: session_start found within RESPONSE_BODY: <!DOCTYPE html>\\\\x0a<html class=\\\\x22wp-toolbar\\\\x22\\\\x0a\\\\x09lang=\\\\x22en-GB\\\\x22>\\\\x0a<head>\\\\x0a<meta http-equiv=\\\\x22Content-Type\\\\x22 content=\\\\x22text/html; charset=UTF-8\\\\x22 />\\\\x0a\\\\x09<title>Site Health Status &lsaquo; mysite.com &#8212; WordPress</title>\\\\x0a<script type=\\\\x22text/javascript\\\\x22>\\\\x0aaddLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload..."] [severity "ERROR"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag " [hostname "mysite.com"] [uri "/wp-admin/site-health.php"] [unique_id "YNsA-Eye9KCGHwEDyWp6iAAAAAw"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 2a0b:f4c2:1::1] ModSecurity: Access denied with code 403 (phase 4). Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "76"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 9)"] [ver "OWASP_CRS/3.3.0"] [tag "anomaly-evaluation"] [hostname "mysite.com"] [uri "/wp-admin/site-health.php"] [unique_id "YNsA-Eye9KCGHwEDyWp6iAAAAAw"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 2a0b:f4c2:1::1] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "102"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 9): individual paranoia level scores: 9, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "mysite.com"] [uri "/wp-admin/site-health.php"] [unique_id "YNsA-Eye9KCGHwEDyWp6iAAAAAw"]
Action: Intercepted (phase 4)
Apache-Handler: application/x-httpd-php
Stopwatch: 1624965372200929 181340 (- - -)
Stopwatch2: 1624965372200929 181340; combined=40209, p1=3533, p2=8491, p3=103, p4=27833, p5=249, sr=320, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: Apache
Engine-Mode: "ENABLED"

Your Environment

  • CRS version (e.g., v3.2.0): v3.3.0
  • Paranoia level setting: default
  • ModSecurity version (e.g., 2.9.3): v2.9.3
  • Web Server and version (e.g., apache 2.4.41): 2.4.38 (Debian)
  • Operating System and version: Debian 10.10 (buster)

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 40 (24 by maintainers)

Most upvoted comments

@cmschlenke It will be a part of next release (4.0) but in a form of a plugin, see: https://github.com/coreruleset/wordpress-rule-exclusions-plugin

@azurit Thank you for the helpful, quick response and also your work on this project.

@dennismayr Thanks for getting back to us! Can you be so kind and test it also with this little change? phase:1,\

Ok, I got it working with the following:

SecRule REQUEST_FILENAME "@endsWith /wp-admin/site-health.php" \
    "id:9002840,\
    phase:4,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=951220;TX:sql_error_match,\
    ctl:ruleRemoveTargetById=953110;RESPONSE_BODY,\
    ver:'OWASP_CRS/3.4.0-dev'"

This did the trick for me!

I have actually just had a similar problem with a customer. The output of their Site Health page included session_start() which triggered a PHP leakage rule.

Depending on the plugins used, this page may echo various “suspicious” strings about your PHP and database setup. I think it is quite safe to exclude this in our WordPress package, as the explicit purpose of the Site Health page is to report details on the PHP and MySQL installation.

Could you try adding the following rule to your configuration to see if this fixes your problem?

SecRule REQUEST_FILENAME "@endsWith /wp-admin/site-health.php" \
    "id:9002830,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=951220,\
    ctl:ruleRemoveById=953110,\
    ver:'OWASP_CRS/3.4.0-dev'"
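To see why this request ends up blocked and why a single exclusion is not enough, here is an added example (not code from the thread or from the CRS project) that parses the `Message:` lines of a ModSecurity audit-log H section like the one in the issue, recomputes the outbound anomaly score from the CRS default severity weights (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) against the default outbound threshold of 4, and shows what the score would be if given rule ids were removed for the request, which is what the `ctl:ruleRemoveById` exclusions above do. The three sample log lines are constructed and shortened from the issue's excerpt; the weights and threshold are the crs-setup.conf defaults and are assumed not to have been changed.

```python
import re

# CRS default per-severity anomaly weights and default outbound threshold
# (tx.critical_anomaly_score ... tx.outbound_anomaly_score_threshold in crs-setup.conf).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
OUTBOUND_THRESHOLD = 4

# Constructed sample: three "Message:" lines modelled on the audit log in the issue,
# with the long regexes and matched data trimmed. The \x22 sequences are literal,
# as ModSecurity writes them into the log.
SAMPLE_AUDIT_LOG = r"""
Message: Warning. Pattern match "(?i)(?:System\.Data\.OleDb\.OleDbException|..." at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"] [line "340"] [id "951220"] [msg "mssql SQL Information Leakage"] [data "Matched Data: SQL server is up to date\x22,\x22status\x22:\x22good\x22 ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"]
Message: Warning. Pattern match "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|...)|\$_(?:(?:pos|ge)t|session))\b" at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "72"] [id "953110"] [msg "PHP source code leakage"] [data "Matched Data: session_start found within RESPONSE_BODY: <!DOCTYPE html> ..."] [severity "ERROR"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"]
Message: Access denied with code 403 (phase 4). Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "76"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 9)"] [ver "OWASP_CRS/3.3.0"] [tag "anomaly-evaluation"]
"""

# [key "value"] pairs; the value may contain backslash escapes such as \x22.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator matched against, e.g. "at RESPONSE_BODY." or "at TX:foo."
VAR_RE = re.compile(r' at ([A-Za-z_]+(?::[\w.]+)?)\.')


def parse_audit_messages(text):
    """Turn the 'Message:' lines of an audit-log H section into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.startswith("Message:"):
            continue
        fields, tags = {}, []
        for key, value in KV_RE.findall(line):
            if key == "tag":
                tags.append(value)          # a rule carries several tags; keep them all
            else:
                fields[key] = value
        var = VAR_RE.search(line)
        events.append({
            "id": fields.get("id"),
            "msg": fields.get("msg", ""),
            "file": fields.get("file", ""),
            "severity": fields.get("severity"),   # None for the 959100/980140 summary rules
            "variable": var.group(1) if var else None,
            "tags": tags,
            "blocked": line.startswith("Message: Access denied"),
        })
    return events


def scoring_events(events):
    """Only rules that carry a severity add to the anomaly score."""
    return [e for e in events if e["severity"] in SEVERITY_SCORE]


def triggered_rules(events):
    """(id, severity, variable, msg) for each scoring rule: the candidates for an exclusion."""
    return [(e["id"], e["severity"], e["variable"], e["msg"]) for e in scoring_events(events)]


def outbound_score(events, excluded_ids=()):
    """Recompute TX:outbound_anomaly_score, optionally as if the given rule ids had
    been removed for this request (the effect of ctl:ruleRemoveById=<id>)."""
    excluded = set(excluded_ids)
    return sum(SEVERITY_SCORE[e["severity"]]
               for e in scoring_events(events) if e["id"] not in excluded)


def would_block(events, excluded_ids=(), threshold=OUTBOUND_THRESHOLD):
    """Rule 959100 blocks when the outbound score reaches the threshold."""
    return outbound_score(events, excluded_ids) >= threshold


if __name__ == "__main__":
    evs = parse_audit_messages(SAMPLE_AUDIT_LOG)
    for rid, sev, var, msg in triggered_rules(evs):
        print(f"{rid} {sev:<8} {var:<15} {msg}")
    print("score:", outbound_score(evs), "blocked:", would_block(evs))
    print("excluding 951220 only  ->", would_block(evs, ["951220"]))
    print("excluding both rules   ->", would_block(evs, ["951220", "953110"]))
```

Running it reproduces the score of 9 from the log and shows that excluding only 951220 still leaves an ERROR-weighted 4, which meets the default outbound threshold, so both 951220 and 953110 must be excluded for site-health.php, exactly as the two rules in the thread do. The variable logged for 951220 is RESPONSE_BODY because that is what the matching link of its chain inspected; the working rule earlier in the thread instead removes TX:sql_error_match from 951220, the variable its first chain link tests, and either form switches the rule off for this request.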