Author Topic: Mod security Problem  (Read 12491 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Mod security Problem
« on: April 04, 2017, 12:18:57 AM »
Good night, now I have a problem with mod security OPENCART, for the token I always change when adding a product or email and it blocks the page with 403, I did what they say in the installation but it again blocks the page and generates another id , Please wait for your help.

Offline
*****
Re: Mod security Problem
« Reply #1 on: April 04, 2017, 05:37:15 AM »
check the apache error log and add the rule ID to disabled rules : http://wiki.centos-webpanel.com/mod_security-for-cwp

Offline
*
Re: Mod security Problem
« Reply #2 on: April 04, 2017, 10:50:31 AM »
Thanks for replying, what happens is that opencart works with token every time a token change is made mod security changes and blocks the page, I add the code in mos security unlock it, I add a product again and it locks again. I am doing tests to see how I do if I solve it I inform.

Offline
*
Re: Mod security Problem
« Reply #3 on: April 04, 2017, 11:49:15 AM »
The problem is that when I try to inject in the database of my OPENCART mod security detects it as an attack and OPENCART works with random token always changes the id to be inserted in mod security
Mod security log attachment

[Tue Apr 04 07:28:21.239112 2017] [:error] [pid 26775:tid 139839557129984] [client 190.206.63.203:56908] [client 190.206.63.203] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at ARGS:google_analytics_code. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within ARGS:google_analytics_code: <script>\\x0d\\x0a  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){\\x0d\\x0a  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),\\x0d\\x0a  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)\\x0d\\x0a  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');\\x0d\\x0a\\x0d\\x0a  ga('create', 'UA-96537384-1', 'auto');\\x0d\\x0a  ga('send', 'pagevi [hostname "www.solodvdfull.com.ve"] [uri "/tienda/admin/index.php"] [unique_id "WOODVX8AAAEAAGiXuXUAAADA"], referer: https://www.solodvdfull.com.ve/tienda/admin/index.php?route=extension/analytics/google_analytics&token=iI0zE3kZKqDxfJYyiYIFSqQm8eAVYf39&store_id=0

Closed session and returned to open, now see the message that the security token changes again

[Tue Apr 04 07:41:23.639685 2017] [:error] [pid 27577:tid 140466452403968] [client 190.206.63.203:57046] [client 190.206.63.203] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at ARGS:google_analytics_code. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within ARGS:google_analytics_code: <script>\\x0d\\x0a  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){\\x0d\\x0a  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),\\x0d\\x0a  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)\\x0d\\x0a  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');\\x0d\\x0a\\x0d\\x0a  ga('create', 'UA-96537384-1', 'auto');\\x0d\\x0a  ga('send', 'pagevi [hostname "www.solodvdfull.com.ve"] [uri "/tienda/admin/index.php"] [unique_id "WOOGY38AAAEAAGu5VT4AAABJ"], referer: https://www.solodvdfull.com.ve/tienda/admin/index.php?route=extension/analytics/google_analytics&token=usqA3PUepbuQwPK5sitsxCLjSRwlqLZN&store_id=0

And try to include the user in the

-rw-r--r-- 1 root root 40 Apr  4 07:41 /usr/local/apache/userdata/solodvdf/solodvdfull.com.ve/modsec.conf

and nothing

Offline
*
Re: Mod security Problem
« Reply #4 on: April 04, 2017, 11:55:54 AM »
Right now token different id

[Tue Apr 04 07:52:37.371216 2017] [:error] [pid 29625:tid 139999005628160] [client 190.206.63.203:57118] [client 190.206.63.203] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\\\b(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4| ..." at ARGS:google_analytics_code. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "125"] [id "950001"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: Date( found within ARGS:google_analytics_code: <script>\\x0d\\x0a  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){\\x0d\\x0a  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),\\x0d\\x0a  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)\\x0d\\x0a  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');\\x0d\\x0a\\x0d\\x0a  ga('create', 'UA-96537384-1', 'auto');\\x0d\\x0a  ga('send',  [hostname "www.solodvdfull.com.ve"] [uri "/tienda/admin/index.php"] [unique_id "WOOJBX8AAAEAAHO5j5wAAABJ"], referer: https://www.solodvdfull.com.ve/tienda/admin/index.php?route=extension/analytics/google_analytics&token=usqA3PUepbuQwPK5sitsxCLjSRwlqLZN&store_id=0

Offline
*
Re: Mod security Problem
« Reply #5 on: April 04, 2017, 11:59:58 AM »
Well I will disable it until I find the way to include that this user and this diminuio are allowed to include in the database information.