Owasp-modsecurity-crs: False positive on any page containing "<b>WARNING</b>:"

Created on 7 Sep 2018  路  9Comments  路  Source: SpiderLabs/owasp-modsecurity-crs

Type of Issue

Incorrect blocking (false positive)

Description

Mod Security with OWASP's rule set is blocking any page containing <b>WARNING</b>: (case insensitive, colon required). It cites the "RESPONSE-953-DATA-LEAKAGES.conf" file but I can find no reference to it in there.

[07/Sep/2018:11:07:26 +0100] 153631484620.247675 <REMOVED> 65000 <REMOVED> 443
---jDNIYUfC---B--
GET /modsectest/page1c.php HTTP/1.1
Host: <REMOVED>.co.uk
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,en-GB;q=0.8

---jDNIYUfC---D--

---jDNIYUfC---E--
<b>WARNING</b>:\x0d\x0a

---jDNIYUfC---F--
HTTP/1.1 200
Server: nginx/1.15.3
Date: Fri, 07 Sep 2018 10:07:26 GMT
Content-Length: 17
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

---jDNIYUfC---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `php-errors.data' against variable `RESPONSE_BODY' (Value: `<b>WARNING</b>:\x0d\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "17"] [id "953100"] [rev "3"] [msg "PHP Information Leakage"] [data "Matched Data: <b>Warning</b>: found within RESPONSE_BODY: <b>WARNING</b>:\x0d\x0a"] [severity "3"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "OWASP_CRS/LEAKAGE/ERRORS_PHP"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref "o0,15v443,17"]
ModSecurity: Access denied with code 200 (phase 4). Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "165"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf"] [line "67"] [id "980140"] [rev ""] [msg "Outbound Anomaly Score Exceeded (score 4): PHP Information Leakage"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref ""]

---jDNIYUfC---I--

---jDNIYUfC---J--

---jDNIYUfC---Z--

Your Environment


  • CRS version: 3.0.2
  • ModSecurity version: 3.0.0 (NginX)
  • Web Server and version: NginX 1.15.3
  • Operating System and version: Ubuntu 16.04 LTS

Confirmation

[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

PR available

Most helpful comment

@theMiddleBlue I like that idea! I think the on line N piece is always part of the warning (it can also be on line 0), but the middle part might not always contain .php so I'd suggest something like <b>Warning</b>:.+on\sline\s<b>[0-9]+</b>

All 9 comments

If I have to guess this is a pretty general anti SQL iinfo leak rule that we'll have to make less general

It could be a good idea to remove <b>Warning</b>: from php-errors.data and replace it with a more strict SecRule? Something like <b>Warning</b>:.+in<b>.+\.php</b>.+on\sline\s<b>[0-9]+</b> ?

@theMiddleBlue I like that idea! I think the on line N piece is always part of the warning (it can also be on line 0), but the middle part might not always contain .php so I'd suggest something like <b>Warning</b>:.+on\sline\s<b>[0-9]+</b>

yep! seems legit. Should we handle others type of errors different than Warning? something like notice, fatal, etc... ? I'm looking for a complete documentation about it, maybe this http://php.net/manual/en/errorfunc.constants.php ?

I think @pmf will use that as literal string not as regex so we will need to remove <b>Warning</b>: from the data file and add a rule with the rx you suggest to make this work and get rid of the false positive.

Yes, unfortunately so.

a little test:

<?php
        error_reporting(E_ALL);
        ini_set('display_errors', 1);

        $a = ($b-1); // notice
        preg_match(false); // warning
        nonexistent(); // error

this display the following errors:

<b>Notice</b>:  Undefined variable: b in <b>/phperrors/index.php</b> on line <b>5</b><br />
<br />
<b>Warning</b>:  preg_match() expects at least 2 parameters, 1 given in <b>/phperrors/index.php</b> on line <b>6</b><br />
<br />
<b>Fatal error</b>:  Uncaught Error: Call to undefined function nonexistent() in /phperrors/index.php:7

it seems that on line is not present on "Fatal error". What do you think about something like this?

<b>(?:Notice|Warning|Fatal\serror)</b>:\s.+(?:in\s<b>.+on\sline\s<b>[0-9]+</b>|\sin\s.+:[0-9]+)

uhm... removing <b>Warning</b>: from php-errors.data it seems that all example errors I wrote are already intercepted by 953100...

can anyone suggest others examples? maybe we don't need a new SecRule :)

fixed with #1343

Was this page helpful?
0 / 5 - 0 ratings

Related issues

nicksloan picture nicksloan  路  6Comments

dune73 picture dune73  路  6Comments

dune73 picture dune73  路  6Comments

meigea picture meigea  路  4Comments

JeffCleverley picture JeffCleverley  路  7Comments