8000 NextCloud False Positive · Issue #1736 · coreruleset/coreruleset · GitHub

Closed
CRS-migration-bot opened this issue May 13, 2020 · 10 comments

Issue originally created by user manuelroccon on date 2020-04-11 13:30:48.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#1736.

Type of Issue

False positive

Description

I've just configured the rules. The latest version of Nextcloud gives me these errors.

Audit Logs / Triggered Rule Numbers

--4693d56e-A--
[11/Apr/2020:16:00:06 +0300] XpG-VqTsDq4eM7zXEJkhRwAAAEs 123.123.123.123 53284 123.123.123.123 443
--4693d56e-B--
PROPFIND /remote.php/dav/files/user/ HTTP/1.1
Host: nextcloud.domanin.it
Depth: 0
Authorization: Basic=
User-Agent: Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)
Accept: */*
Content-Type: text/xml; charset=utf-8
X-Request-ID: be437f90-c473-40a7-8b98-a519a3473402
Cookie: oc_sessionPassphrase=; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc20oosppk3h=
Content-Length: 114
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*

--4693d56e-C--

<d:propfind xmlns:d="DAV:">
<d:prop>
<d:getlastmodified />
</d:prop>
</d:propfind>

--4693d56e-F--
HTTP/1.1 207 Multi-Status
X-Powered-By: PHP/7.3.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';
Vary: Brief,Prefer
DAV: 1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-calendar-search, nc-enable-birthday-calendar
Strict-Transport-Security: max-age=15552000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml; charset=utf-8

--4693d56e-E--

--4693d56e-H--
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Message: Rule 55f46f63e438 [id "932100"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46f6510e8 [id "932105"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "162"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46f657438 [id "932110"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "261"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46f663088 [id "932115"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "302"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46f6f7288 [id "932150"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "479"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46ee2e918 [id "942360"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "486"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f63e438 [id "932100"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f6510e8 [id "932105"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "162"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f657438 [id "932110"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "261"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f663088 [id "932115"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "302"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f6f7288 [id "932150"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "479"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46ee2e918 [id "942360"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "486"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Handler: proxy:fcgi://php-fpm
Stopwatch: 1586610006171660 54186 (- - -)
Stopwatch2: 1586610006171660 54186; combined=3589, p1=579, p2=2581, p3=73, p4=179, p5=177, sr=76, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Engine-Mode: "DETECTION_ONLY"

--4693d56e-Z--

Your Environment

CRS version: v3.3dev
ModSecurity version: 2.9.2
Web server and version: Apache 2.4.6
Operating system and version: CentOS 7.7.1908

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
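As an added example (not part of the original issue and not code from the CRS project), the following Python script triages the H section of a ModSecurity 2.x audit-log entry like the one above. It separates the rule that actually matched (911100 on PROPFIND) from the CRS scoring rules (949110, 980130) and from the rules that aborted with "PCRE limits exceeded", and it recovers the inbound anomaly score and the engine mode. The sample input is constructed from the redacted log above and trimmed to the fields the parser uses; the hint about SecPcreMatchLimit / SecPcreMatchLimitRecursion is the editor's caveat, not something discussed in the thread.

```python
"""Triage the H (trailer) section of a ModSecurity 2.x audit-log entry.

Added example; not code from the CRS project or from the issue reporter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: section-H lines from the issue's redacted audit log,
# trimmed to the fields this parser uses.
SAMPLE_H = """\
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "paranoia-level/1"]
Message: Rule 55f46f63e438 [id "932100"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46ee2e918 [id "942360"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "486"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Engine-Mode: "DETECTION_ONLY"
"""

# [key "value"] pairs as ModSecurity writes them; values may contain escaped quotes.
_KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
_TOTAL = re.compile(r"Total Score: (\d+)")

# CRS rules that only report the anomaly score; they detect nothing themselves.
SCORING_RULES = {"949110", "980130"}
# Methods a WebDAV client such as the Nextcloud sync client uses.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "REPORT"}


@dataclass
class Hit:
    rule_id: str
    fields: Dict[str, str]
    pcre_error: bool  # rule aborted before reaching a verdict


def parse_section_h(text: str) -> List[Hit]:
    """Return one Hit per `Message:` line that carries a rule id."""
    hits: List[Hit] = []
    for line in text.splitlines():
        if not line.startswith("Message:"):
            continue
        fields = dict(_KV.findall(line))
        if "id" not in fields:
            continue
        hits.append(Hit(fields["id"], fields, "PCRE limits exceeded" in line))
    return hits


def engine_mode(text: str) -> Optional[str]:
    """Extract the Engine-Mode trailer, e.g. DETECTION_ONLY (nothing was blocked)."""
    m = re.search(r'^Engine-Mode: "([^"]+)"', text, re.MULTILINE)
    return m.group(1) if m else None


def summarize(text: str) -> dict:
    """Real matches, aborted rules, anomaly score and triage hints for one entry."""
    hits = parse_section_h(text)
    matched = [h.rule_id for h in hits if not h.pcre_error and h.rule_id not in SCORING_RULES]
    pcre_failed = [h.rule_id for h in hits if h.pcre_error]
    score = None
    for h in hits:
        if h.rule_id == "949110":
            m = _TOTAL.search(h.fields.get("msg", ""))
            if m:
                score = int(m.group(1))
    hints = []
    for h in hits:
        if h.rule_id == "911100" and h.fields.get("data", "").upper() in WEBDAV_METHODS:
            hints.append(
                f"911100 fired on {h.fields['data']}: a WebDAV method outside tx.allowed_methods. "
                "For a Nextcloud host, enable the CRS Nextcloud exclusions "
                "(tx.crs_exclusions_nextcloud=1) instead of removing the rule."
            )
    if pcre_failed:
        # Editor's caveat: these rules neither matched nor cleared the request.
        hints.append(
            f"{len(pcre_failed)} rule(s) aborted with 'PCRE limits exceeded'; "
            "consider raising SecPcreMatchLimit / SecPcreMatchLimitRecursion."
        )
    return {"matched": matched, "pcre_failed": pcre_failed, "score": score,
            "engine_mode": engine_mode(text), "hints": hints}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_H), indent=2))
```

Run it as-is to see the summary for the constructed sample, or feed it the H section of a real entry. For the log above it reports a single genuine match (911100), two aborted rules and a score of 5 in DETECTION_ONLY mode, which is exactly the hit the Nextcloud exclusion rules are meant to prevent once they are enabled.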

User fzipi commented on date 2020-05-04 21:51:13:

Hi manuelroccon. Did you enable the NextCloud exclusion rules in rule id:900130 in crs-setup.conf?

User fzipi commented on date 2020-05-10 11:31:06:

manuelroccon, any comments so we can figure this out?

User manuelroccon commented on date 2020-05-10 11:55:43:

I use SecRuleRemoveById in the Apache vhost configuration. Is this the right method to fix this issue?

User fzipi commented on date 2020-05-10 12:29:58:

Depends.

You need to first enable the exclusion rules for NextCloud. Can you please check the file crs-setup.conf, and search for 900130?

Then you need to have something like this:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1"

That will effectively enable the exclusions we have for NextCloud. Without that, the rules to prevent this are not enabled!

User fzipi commented on date 2020-05-10 16:19:14:

manuelroccon, can you check this please? ☝️

User manuelroccon commented on date 2020-05-10 16:58:41:

OK, these exclusion rules were not enabled in crs-setup.conf.
But if I have more vhosts on my server with different CMSes, can I put this exclusion directive only in the vhost configuration that is running Nextcloud?

User fzipi commented on date 2020-05-10 17:13:50:

manuelroccon, you can also do this:

# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1

Have a quick look at the whole crs-setup.conf file to get a taste of what you can do.

User manuelroccon commented on date 2020-05-10 18:33:32:

fzipi, thanks for your support.

The crs-setup.conf is the default one; I have not modified it from the master branch.

I've read the recommendation about REQUEST_URI "@beginsWith /wordpress/" in crs-setup.conf, but the REQUEST_URI of my vhosts does not start with a specific pattern.
All vhosts are separate domains. If I make this exclusion in crs-setup.conf, it is applied to all sites on the server.

So I think I must put this directive (SecAction "id:900130,) directly inside the Apache vhost config, to apply it only to a specific vhost (in this case Nextcloud).

Is this type of configuration fine for you, or are there other solutions?

User fzipi commented on date 2020-05-11 11:35:13:

Hi manuelroccon,

Hmmm... 🤔 You will definitely need to apply this to a particular URL/vhost. One technique I normally use in these cases is the SecWebAppId directive.

For example (you may need to modify it a bit, it is just a rough idea),

<VirtualHost Z.Z.Z.Z:443>
    # Tags every transaction of this vhost; rules see the value as WEBAPPID
    SecWebAppId  my-nextcloud
...
...
</VirtualHost>

# And then, before the CRS rule files are included (for example in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf), so the variable is already set in
# phase 1 when the Nextcloud exclusion rules test it. Use @streq, not @eq: @eq
# compares numerically and treats a non-numeric string as 0, so it would match
# every vhost. An id is mandatory in ModSecurity 2.x (1001 is an arbitrary unused id).
SecRule WEBAPPID "@streq my-nextcloud" \
    "id:1001,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1"

Please check the documentation for more examples.

User franbuehler (Contributor) commented:

This issue seems to be a rule exclusion misconfiguration and seems to be solved.
