Author Topic: test mod security..???  (Read 560 times)

0 Members and 1 Guest are viewing this topic.

Offline
***
test mod security..???
« on: March 27, 2024, 05:07:44 PM »
Hi,

when I click the test mod security button:  https://prnt.sc/UtFDAi3VYELK

, the result is this: https://prnt.sc/JgSZ1-UxDYNU


Where could the problem be?

Thanks in advance!

BR
Venty

Offline
****
Re: test mod security..???
« Reply #1 on: March 27, 2024, 06:16:51 PM »
Why does your URL show an appended SQL query?

Offline
****
Re: test mod security..???
« Reply #2 on: March 27, 2024, 06:19:16 PM »
What did the logs show?

You should receive a Forbidden if it blocks an attack like it should, and the log should reflect that.

Also Comodo released ruleset version 1.241 that fixes the WooCommerce bug.

Offline
***
Re: test mod security..???
« Reply #3 on: March 28, 2024, 09:28:42 AM »
What did the logs show?

You should receive a Forbidden if it blocks an attack like it should, and the log should reflect that.

Also Comodo released ruleset version 1.241 that fixes the WooCommerce bug.

Hi,

when I click the test mod security button in the access log:

91.238.255.4 - - [28/Mar/2024:11:07:05 +0200] "GET /index.php?SELECT%20*%20FROM%20mysql.users HTTP/1.0" 403 199


in the error log :

[Thu Mar 28 11:07:05.172107 2024] [:error] [pid 60252:tid 139766892787456] [client 91.238.255.4:54650] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgUzOSQ7YW9-nwQzwPEtQwAAANA"], referer: https://hosting.ven.com:2031/

Mail message:

Time: Thu Mar 28 11:15:49 2024 +0200
IP: 91.238.255.4 (BG/Bulgaria/4.bgports.bg)
Failures: 5 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block [LF_MODSEC]

Log entries:

[Thu Mar 28 11:07:05.172107 2024] [:error] [pid 60252:tid 139766892787456] [client 91.238.255.4:54650] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgUzOSQ7YW9-nwQzwPEtQwAAANA"], referer: https://hosting.ven.com:2031/
[Thu Mar 28 11:15:38.619353 2024] [:error] [pid 59712:tid 139766859216640] [client 91.238.255.4:54738] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgU1OnV9zH5PZsJbMuf24AAAAJQ"], referer: https://hosting.ven.com:2031/
[Thu Mar 28 11:15:43.853579 2024] [:error] [pid 60252:tid 139767018678016] [client 91.238.255.4:54740] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgU1PyQ7YW9-nwQzwPEtYgAAAME"], referer: https://hosting.ven.com:2031/
[Thu Mar 28 11:15:45.091700 2024] [:error] [pid 59712:tid 139766850823936] [client 91.238.255.4:54742] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgU1QXV9zH5PZsJbMuf24QAAAJU"], referer: https://hosting.ven.com:2031/
[Thu Mar 28 11:15:45.868421 2024] [:error] [pid 59712:tid 139766842431232] [client 91.238.255.4:54744] [client 91.238.255.4] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/usr/local/apache/modsecurity-cwaf/rules/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||43.105.247.29|F|2"] [data "Matched Data: SELECT * FROM mysql.users found within REQUEST_URI: /index.php?SELECT%20*%20FROM%20mysql.users"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "43.105.247.29"] [uri "/index.php"] [unique_id "ZgU1QXV9zH5PZsJbMuf24gAAAJY"], referer: https://hosting.ven.com:2031/

What do I do?
Thanks in advance!

BR
Venty



Offline
***
Re: test mod security..???
« Reply #4 on: March 28, 2024, 09:32:14 AM »
Why does your URL show an appended SQL query?

Hi,

I don't know why there is such a request, I downloaded the logs, please see the answer below...

Thanks in advance!

BR
Venty

Offline
****
Re: test mod security..???
« Reply #5 on: March 28, 2024, 03:30:08 PM »
From those logs, CWAF is working correctly and blocking the request.

Offline
****
Re: test mod security..???
« Reply #6 on: March 28, 2024, 06:20:13 PM »
The mod_security test is simply a SQL query appended to your server URL, mimicking someone poking at your server with SQL injection attempts. It is blocking it, so it is working as designed & intended. Looks good!