Issue WAF does not switch off designated security rules

[frg62]

Hello,

Server config :
- ‪Debian 7.11‬
- Plesk 12.5.30 Update #68
- MySQL 5.6.37-1debian7
- WAF using Atomic Basic ModSecurity, with daily updates, and Tradeoff configuration
Completely up-to-date at this time (Plesk and apt-get upgrade)

(If you need more info, just ask.)

One one of the websites, it is impossible to update a WP page,as it gives the following error:
ModSecurity: Warning. Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_582ad5afda4b6][12][field_582ad63fda4b9]" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "386"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] [hostname "www.equipespopulaires.be"] [uri "/wp-admin/admin.php"] [unique_id "WXWoXF73tHEAABlwFpEAAAAJ"]

Seeing that message, I switched off rule 340465, by inserting it in the "Security rule IDs" panel of the "Switch off security rules" section.

But that changes nothing.

The only way to modify the page, is to temporary disable the WAF, or to put it in detection mode, where it then continues to report the problem...

Anyone as any idea on what is going wrong?

Regards,
Francois

 

[frg62]

Anyone?...

 

[IgorG]

I think this problem is addressed in the following KB - Website is not available with enabled ModSecurity: 403 Forbidden. Does this solve your issue?

 

[frg62]

Hello Igor,

Thanks a lot, this is exactly my problem.
But I could only solve it, by disabling the WAF on the concerned website.

The code seems to be the source of the problem, I have warned the website owner (I have no direct contact with his developers).

 

[kamtec1]

Seeing that message, I switched off rule 340465, by inserting it in the "Security rule IDs" panel of the "Switch off security rules" section.

Did you tried to switch off rule id 340465 on the server level and not per domain in Tools & Settings>> Security >> Web Application Firewall (ModSecurity) >> Switch off security rules ?

 

[frg62]

I tried, it did not change anything.

 

[danami]

That could be a Phase:1 rule. When you use the Plesk interface to disable a mod_security rule Plesk uses "SecRuleRemoveById" within the vhosts httpd.conf to try and disable the rule. The problem is that Phase:1 modsecurity rules cannot be disabled like that (Apache scope locations and those aren't processed until Phase:2).

Take a look at this for more info:
Unable to remove rule 960012 with SecRuleRemoveById · Issue #156 · SpiderLabs/owasp-modsecurity-crs · GitHub

 

[frg62]

It does not seem to work any better... or I did not configure it correctly.

What I did:
I created in the conf directory, a file named modsecurity_crs_10_custom.conf, and I put the following line in it:
SecRule REQUEST_FILENAME "@beginswith /svn" "id:123,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340465"

Yet no-go.

I also tried:
SecRule REQUEST_FILENAME "@beginswith /svn" "id:340465,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340465"

No luck either.

Is my syntax correct?

 

[danami]

Did you restart Apache after making your changes?

 

[frg62]

Yes of course, every time.
Otherwise my modifications would not be enabled.

 

[TRILOS new media]

This issue still happens on Plesk Obsidian Version 18.0.61 Update #5.
I did not check other talk-threads and so on, but I don´t think this critical issues has been taken serious by Plesk.

 

[Kaspar@Plesk]

This is likely an issue cause by ModSecurity which needs to be solved upstream. There is an support article detailing a workaround: https://support.plesk.com/hc/en-us/...-rules-via-Switch-off-security-rules-in-Plesk