Unable to load photos in NextCloud - receiving error 403 for PROPFIND · Issue #1891 · coreruleset/coreruleset · GitHub

Unable to load photos in NextCloud - receiving error 403 for PROPFIND #1891


Closed
mackov83 opened this issue Sep 30, 2020 · 6 comments
mackov83 commented Sep 30, 2020

Hi,

First of all apologies if I sound like a noob, in fact I am! While I have been in IT infrastructure for many years, I am quite new to coding and web administration - trying to learn something new :)

I do however have a background in networking and firewalling, so many of the terms etc. are familiar. I would also consider myself an above average troubleshooter, even in areas I am new to.

Error Log / Triggered Rule Numbers

22:45:06 [error] 195997#195997: *11897 [client 10.83.2.23] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.83.10.40"] [uri "/remote.php/dav/files/my_name/Photos/Birdie.jpg"] [unique_id "1601469906"] [ref ""], client: 10.83.2.23, server: cloud.com, request: "PROPFIND /remote.php/dav/files/my_name/Photos/Birdie.jpg HTTP/2.0", host: "cloud.com"

Audit Log

ModSecurity: Warning. Matched "Operator StrEq' with parameter PROPFIND' against variable REQUEST_METHOD' (Value: PROPFIND' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "127"] [id "12000000"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.83.10.40"] [uri "/remote.php/dav/files/my_name/Photos/Vineyard.jpg"] [unique_id "1601473020"] [ref "o0,21v9,48t:lowercasev0,8"]
ModSecurity: Warning. Matched "Operator Rx' with parameter (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:/|\w)[^\s]*(?:\s+http/\d|[\r\n])' against variable REQUEST_BODY' (Value: \x0a\x09\x09\x09<d:propfind xmlns:d="DAV:"\x0a\x09\x09\x09\x09xmlns:oc="http:/ (904 characters omitted)' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "33"] [id "921110"] [rev ""] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: propfind xmlns:d="dav:"\x0a found within REQUEST_BODY: \x0a\x09\x09\x09<d:propfind xmlns:d="dav:"\x0a\x09\x09\x09\x09xmlns:oc="http://owncloud.org/ns"\x0a\x09\x09\x09\x09xmlns:nc="http://nextcloud.org/ns"\x0a\x09\x09\x09 (508 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/33"] [hostname "10.83.10.40"] [uri "/remote.php/dav/files/my_name/Photos/Vineyard.jpg"] [unique_id "1601473020"] [ref "o28,25v888,641t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.83.10.40"] [uri "/remote.php/dav/files/my_name/Photos/Vineyard.jpg"] [unique_id "1601473020"] [ref ""]

Your Environment

This is a brand new deployment. NextCloud is a vanilla install using the https://www.hanssonit.se/nextcloud-vm. I believe this is running Apache 2.4.41.
The WAF is Ubuntu 20.04 with nginx 1.18.0 - obviously this sits in front of the NextCloud server (whose config is untouched).

  • CRS version: 3.3.0
  • Paranoia level setting: 1
  • ModSecurity version: 3.0.4
  • Web Server and version: nginx 1.18.0
  • Operating System and version: Ubuntu 20.04

Troubleshooting

  • If I disable modsec the problem goes away instantly. This was my initial test until I found the nginx error.log and modsecurity audit.log.
  • To date I have enabled the NextCloud exclusion rule as part of crs-setup.conf
  • I also limited the number of SSL ciphers available (in particular weak) from the WAF (using Qualys SSL scans), though returning to defaults did not make a change
  • I made the following change in modsecurity.conf as mentioned in a separate post for a similar problem (though different error)
    # Chained rule: for PROPFIND requests under the DAV files path, parse the request body as XML
    SecRule REQUEST_URI "@beginswith /remote.php/dav/files" \
        "id:'12000000',phase:1,t:none,t:lowercase,pass,log,ctl:requestBodyProcessor=XML,chain"
        SecRule REQUEST_METHOD "@Streq PROPFIND"

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
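The audit log above already contains everything needed to explain the 403: rule 921110 fires on the XML PROPFIND body, its CRITICAL severity is worth 5 anomaly points under the CRS defaults, and at paranoia level 1 the inbound threshold is 5, so 949110 blocks. The following script, added here as an example and not part of this issue or of the CRS project, parses ModSecurity 3 log lines of exactly this shape and recomputes that score. The three sample lines are abridged copies of the audit entries in the report; the point table follows the crs-setup.conf defaults (critical 5, error 4, warning 3, notice 2), and the rule that "a scoring rule carries a paranoia-level/N tag" is an assumption that holds for CRS 3.x but not necessarily for site-local rules. The function names are my own.

```python
import re

# Default CRS 3.x anomaly points per severity (crs-setup.conf, rule 900100 defaults).
# ModSecurity logs severity as a number: 2=CRITICAL, 3=ERROR, 4=WARNING, 5=NOTICE.
SEVERITY_POINTS = {"2": 5, "3": 4, "4": 3, "5": 2}
PL1_INBOUND_THRESHOLD = 5  # default tx.inbound_anomaly_score_threshold

ACTION_RE = re.compile(r"ModSecurity: (Warning|Access denied with code \d+)")
FIELD_RE = re.compile(r'\[(\w+) "(.*?)"\]')   # one [key "value"] field, non-greedy

# Abridged copies of the three audit-log entries quoted in this report: the long
# smuggling regex and the omitted XML body are shortened, the field layout is not.
SAMPLE_AUDIT_LINES = [
    r'''ModSecurity: Warning. Matched "Operator StrEq' with parameter PROPFIND' against variable REQUEST_METHOD' (Value: PROPFIND' ) [file "/etc/nginx/modsec/modsecurity.conf"] [line "127"] [id "12000000"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.83.10.40"] [uri "/remote.php/dav/files/my_name/Photos/Vineyard.jpg"] [unique_id "1601473020"] [ref "o0,21v9,48t:lowercasev0,8"]''',
    r'''ModSecurity: Warning. Matched "Operator Rx' with parameter (?:get|post|propfind)\s+(?:/|\w)[^\s]*(?:\s+http/\d|[\r\n])' against variable REQUEST_BODY' (Value: \x0a\x09\x09\x09<d:propfind xmlns:d="DAV:"\x0a (904 characters omitted)' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "33"] [id "921110"] [rev ""] [msg "HTTP Request Smuggling Attack"] [data "Matched Data: propfind xmlns:d="dav:"\x0a found within REQUEST_BODY: \x0a\x09\x09\x09<d:propfind xmlns:d="dav:"\x0a (508 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/33"] [hostname "10.83.10.40"] [uri "/remote.php/dav/files/my_name/Photos/Vineyard.jpg"] [unique_id "1601473020"] [ref "o28,25v888,641t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"]''',
    r'''ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5' against variable TX:ANOMALY_SCORE' (Value: 5' ) [file "/usr/local/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.83.10.40"] [uri "/remote.php/dav/files/my_name/Photos/Vineyard.jpg"] [unique_id "1601473020"] [ref ""]''',
]


def parse_modsec_line(line):
    """Split one ModSecurity 3 log line into its [key "value"] fields.
    Repeated [tag "..."] fields are collected in a list under 'tags'.
    The non-greedy value match ends at the first '"]', which copes with the
    unescaped quotes ModSecurity writes inside [data "..."]."""
    entry = {"action": None, "tags": []}
    m = ACTION_RE.search(line)
    if m:
        entry["action"] = m.group(1)
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)
        else:
            entry[key] = value
    return entry


def scoring_rules(entries):
    """Rules that add to TX:ANOMALY_SCORE. Assumption: CRS 3.x tags every scoring
    rule with paranoia-level/N; the 949110 evaluation rule and site-local rules
    such as the 12000000 chain in this report carry no such tag and are skipped."""
    rules = []
    for e in entries:
        pl = [t for t in e["tags"] if t.startswith("paranoia-level/")]
        if pl:
            rules.append((e.get("id"), e.get("msg", ""),
                          SEVERITY_POINTS.get(e.get("severity"), 0), pl[0]))
    return rules


def blocked_request(lines):
    """Summarise what the WAF did to one request and which rules caused it."""
    entries = [parse_modsec_line(l) for l in lines]
    rules = scoring_rules(entries)
    return {
        "uri": next((e.get("uri") for e in entries if e.get("uri")), None),
        "denied": any((e["action"] or "").startswith("Access denied") for e in entries),
        "score": sum(points for _, _, points, _ in rules),
        "threshold": PL1_INBOUND_THRESHOLD,
        "contributors": [(rid, msg, points) for rid, msg, points, _ in rules],
    }


if __name__ == "__main__":
    summary = blocked_request(SAMPLE_AUDIT_LINES)
    print(f"{summary['uri']}: denied={summary['denied']} "
          f"score={summary['score']}/{summary['threshold']}")
    for rid, msg, points in summary["contributors"]:
        print(f"  {rid} +{points}  {msg}")
```

Run against a real audit log, the contributor list is what to read before reaching for an exclusion: here it is a single CRITICAL hit from 921110 on a legitimate WebDAV body, which is why the fix is an application exclusion for Nextcloud rather than a change to the threshold.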

@fzipi fzipi self-assigned this Oct 5, 2020
Author
mackov83 commented Oct 9, 2020

Just to add to this, it is a preview and action function that won't load. For example, by selecting the photo it is supposed to load the photo, but also an actions sidebar. I should also be able to select a file and click 'share', but because the sidebar does not display, the ability to share among other settings is impossible.

If needed I can share photos of working vs broken examples if required.

Member
fzipi commented Oct 13, 2020

Hi @mackov83 .
I found that this is similar to what happens here: #1838 (comment).
Will try to contact nextcloud devels to see if they can fix this.

@mackov83
Author

Hi @fzipi, that is the article I was following where I spotted your suggested fix in the modsecurity.conf file. Thanks for following up. Let me know if there is any way I can assist.

Member
azurit commented Nov 3, 2020

@mackov83 If you want to try the development version of the exclusion rules package for Nextcloud, here are step-by-step directions:

1.) Download this file and put it into /usr/share/modsecurity-crs/rules (replace the old one):
wget https://raw.githubusercontent.com/kam821/coreruleset/patch-v3.4/nextcloud/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf -O /usr/share/modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf

2.) Edit /etc/modsecurity/crs/crs-setup.conf and add this line into rule number 900130 (uncomment it if it's commented out) after the line t:none,\:
setvar:tx.crs_exclusions_nextcloud=1,\

so it will look similar to this:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1,\
  setvar:tx.crs_exclusions_drupal=0,\
  setvar:tx.crs_exclusions_wordpress=0"
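Step 2 is where this kind of fix usually goes wrong: the flag line gets added while the SecAction itself is still commented out, or a trailing `,\` is lost so the directive ends early. The script below, added as an example and not part of this thread or of the CRS project, reads a crs-setup.conf, joins the backslash-continued lines of the 900130 SecAction into one logical directive, distinguishes a commented-out block from a live one, and reports the crs_exclusions_* flags it sets. The three config excerpts are constructed for the example (they mirror the layout shown above, not any particular install), and the function names are my own.

```python
import re

ID_RE = re.compile(r"\bid:'?(\d+)")
SETVAR_RE = re.compile(r"setvar:tx\.(crs_exclusions_\w+)=(\d+)")

# Constructed crs-setup.conf excerpts (not copied from any real install).
# As shipped: the whole 900130 block is commented out.
SHIPPED = """
# Uncomment and set the flags for the applications you run.
#SecAction \\
# "id:900130,\\
#  phase:1,\\
#  nolog,\\
#  pass,\\
#  t:none,\\
#  setvar:tx.crs_exclusions_nextcloud=1,\\
#  setvar:tx.crs_exclusions_drupal=1,\\
#  setvar:tx.crs_exclusions_wordpress=1"
"""

# Edited as described in the comment above: block live, Nextcloud flag set.
ENABLED = """
SecAction \\
 "id:900130,\\
  phase:1,\\
  nolog,\\
  pass,\\
  t:none,\\
  setvar:tx.crs_exclusions_nextcloud=1,\\
  setvar:tx.crs_exclusions_drupal=0,\\
  setvar:tx.crs_exclusions_wordpress=0"
"""

# A common slip: only the setvar line was uncommented, the SecAction was not.
HALF_DONE = SHIPPED.replace("#  setvar:tx.crs_exclusions_nextcloud=1,",
                            "  setvar:tx.crs_exclusions_nextcloud=1,")


def logical_directives(text):
    """Join backslash-continued physical lines into logical directives.
    Returns (commented, directive_text) pairs; a directive counts as commented
    when its first physical line starts with '#', whatever later lines look like."""
    directives, buf, commented = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf:
            if not line.strip():
                continue                      # blank line between directives
            commented = line.lstrip().startswith("#")
        body = line.lstrip().lstrip("#").strip()
        continues = body.endswith("\\")
        buf.append(body.rstrip("\\").strip())
        if not continues:
            directives.append((commented, " ".join(buf)))
            buf, commented = [], None
    if buf:                                   # file ended inside a continuation
        directives.append((commented, " ".join(buf)))
    return directives


def exclusion_flags(text):
    """Return {flag_name: value} from the live 900130 SecAction, or None when the
    directive is missing or still commented out."""
    for commented, directive in logical_directives(text):
        if not directive.startswith("SecAction"):
            continue
        m = ID_RE.search(directive)
        if not m or m.group(1) != "900130":
            continue
        if commented:
            return None
        return {name: int(value) for name, value in SETVAR_RE.findall(directive)}
    return None


def nextcloud_exclusions_enabled(text):
    """True only when 900130 is live and sets crs_exclusions_nextcloud=1."""
    flags = exclusion_flags(text)
    return bool(flags) and flags.get("crs_exclusions_nextcloud") == 1


if __name__ == "__main__":
    for name, conf in (("shipped", SHIPPED), ("enabled", ENABLED), ("half-done", HALF_DONE)):
        print(f"{name:9} nextcloud exclusions on: {nextcloud_exclusions_enabled(conf)}  "
              f"flags: {exclusion_flags(conf)}")
```

To check a real file, replace the embedded excerpts with `open("/etc/modsecurity/crs/crs-setup.conf").read()`; a `None` result means the block is absent or commented out, and `False` with a non-empty dict means the block is live but the Nextcloud flag is missing or set to 0.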

Author
mackov83 commented Nov 8, 2020

@azurit Thanks very much for the info. I have implemented this as per your suggestion and it indeed solved my issue. Should I mark this case as closed?

Member
azurit commented Nov 8, 2020

@mackov83 Yes, thank you! Will be resolved with next release.
