8000 WordPress JetPack False Positive · Issue #1737 · coreruleset/coreruleset · GitHub
WordPress JetPack False Positive #1737


Closed
CRS-migration-bot opened this issue May 13, 2020 · 2 comments
Labels
➕ False Positive · ⌛ Stale issue (this issue has been open 120 days with no activity)

Comments

@CRS-migration-bot

Issue originally created by user manuelroccon on date 2020-04-11 13:36:07.
Link to original issue: SpiderLabs/owasp-modsecurity-crs#1737.

Type of Issue

False positive

Description

Issue with WordPress JetPack plugin

Audit Logs / Triggered Rule Numbers

--a8dd7334-A--
[11/Apr/2020:15:19:23 +0300] XpG1y2B9vAtGdcg7i3j4AAAAEE 192.0.101.214 1088 123.123.123.123 443
--a8dd7334-B--
POST /?for=jetpack&jetpack=comms&token=&timestamp=&nonce=&body-hash=&signature=%3D HTTP/1.1
Host: www.domain.com
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip
Referer: https://www.domain.com/?for=jetpack&jetpack=comms&token=&timestamp=&nonce=&body-hash=
Authorization: X_JETPACK token="" timestamp="" nonce="" body-hash="=" signature="="
Connection: close
Content-Length: 114
Content-Type: application/x-www-form-urlencoded

--a8dd7334-C--

jetpack.testConnection

--a8dd7334-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/7.3.16
Cache-Control: no-cache
Content-Encoding: gzip
Vary: User-Agent
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--a8dd7334-H--
Message: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "www.domain.com"] [uri "/"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.domain.com"] [uri "/"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "www.domain.com"] [uri "/index.php"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Action: Intercepted (phase 2)
Apache-Handler: proxy:fcgi://php-fpm
Stopwatch: 1586607563182272 11167 (- - -)
Stopwatch2: 1586607563182272 11167; combined=3345, p1=553, p2=2622, p3=0, p4=0, p5=170, sr=70, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Engine-Mode: "ENABLED"

--a8dd7334-Z--

Your Environment

  • CRS version (e.g., v3.2.0):
  • Paranoia level setting:
  • ModSecurity version (e.g., 2.9.3):
  • Web Server and version (e.g., apache 2.4.41):
  • Operating System and version:

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
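The audit log above explains the false positive on its own: the request is sent as `Content-Type: application/x-www-form-urlencoded`, but the 114-byte body is an XML-RPC call (only the method name `jetpack.testConnection` survived extraction), so ModSecurity's form body processor splits the XML document on `&` and `=` and the prolog `<?xml version` becomes an argument name. That is the `ARGS_NAMES:<?xml version` match reported by 941100. The following Python script is an added example, not code from the CRS project or from the issue author; it reconstructs that parsing step and pulls the rule hits out of the H section. The XML-RPC envelope around `jetpack.testConnection` and the shortened audit-log lines are constructed for illustration.

```python
"""Added example, not code from the CRS project or the issue author.

Shows why CRS rule 941100 matched in ARGS_NAMES for the Jetpack request in
the issue: a body declared as application/x-www-form-urlencoded but carrying
an XML-RPC document is split on '&' and '=' by the form body processor, so the
XML prolog '<?xml version' ends up as an argument NAME.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Constructed stand-in for the 114-byte body in section C of the audit log.
# Only the method name survived extraction; the XML-RPC envelope is assumed.
XMLRPC_BODY = (
    '<?xml version="1.0"?>'
    '<methodCall><methodName>jetpack.testConnection</methodName>'
    '<params></params></methodCall>'
)

# Constructed excerpt of section H of the same audit log (file paths shortened).
AUDIT_H = (
    'Message: Warning. detected XSS using libinjection. '
    '[file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] '
    '[msg "XSS Attack Detected via libinjection"] '
    '[data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] '
    '[severity "CRITICAL"]\n'
    'Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]\n'
)


def form_args(body: str) -> dict:
    """Parse a body the way a form-urlencoded body processor does:
    split on '&', then split each pair on its first '='."""
    return dict(parse_qsl(body, keep_blank_values=True))


def markup_arg_names(body: str) -> list:
    """Argument names that are really the start of an XML/HTML document,
    i.e. the names a tag-based XSS detector will flag."""
    return [name for name in form_args(body) if name.lstrip().startswith('<')]


def xml_text_nodes(body: str) -> list:
    """What an XML body processor would expose instead (the XML:/* target):
    element text only, with no prolog and no tags."""
    return list(ET.fromstring(body).itertext())


def triggered_rules(h_section: str) -> list:
    """Pull rule id, msg and data out of every 'Message:' line of an
    audit-log H section, in the order the engine logged them."""
    rules = []
    for line in h_section.splitlines():
        if not line.startswith('Message:'):
            continue
        rid = re.search(r'\[id "(\d+)"\]', line)
        msg = re.search(r'\[msg "([^"]*)"\]', line)
        data = re.search(r'\[data "([^"]*)"\]', line)
        rules.append({
            'id': rid.group(1) if rid else None,
            'msg': msg.group(1) if msg else '',
            'data': data.group(1) if data else '',
        })
    return rules


def matched_target(data: str):
    """Split 'Matched Data: ... within TARGET:variable: match' into
    (target, variable, match); None when the line carries no such data."""
    m = re.search(r'within ([A-Z_]+):(.+?): (.+)$', data)
    return (m.group(1), m.group(2), m.group(3)) if m else None


if __name__ == '__main__':
    print('form parser sees argument names:', list(form_args(XMLRPC_BODY)))
    print('XML parser would see text nodes:', xml_text_nodes(XMLRPC_BODY))
    for rule in triggered_rules(AUDIT_H):
        print(rule['id'], rule['msg'], matched_target(rule['data']) or '')
```

Running it prints a single argument name, `<?xml version`, from the form parser and a single text node, `jetpack.testConnection`, from the XML parser. Two local options follow from that, both using standard ModSecurity actions and neither being something CRS ships: a pre-CRS rule keyed on the Jetpack endpoint (the `for=jetpack` query, not the spoofable `User-Agent`) with `ctl:ruleRemoveTargetById=941100;ARGS_NAMES`, or a phase 1 rule for the same endpoint that sets `ctl:requestBodyProcessor=XML` so the body is inspected as XML rather than as form fields. Whether CRS itself should carry an exclusion for this plugin is the question the thread leaves open.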

@dune73
Member
dune73 commented Jun 3, 2020

It is an open question if we want to do rule exclusions for commercial WP plugins. The person to decide is probably @lifeforms, but he is very busy with the new release, so we postponed a decision for a couple of weeks.

@github-actions
Contributor
github-actions bot commented Oct 2, 2020

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

github-actions bot added the ⌛ Stale issue label on Oct 2, 2020