phpBB 3.3.0 cannot access to ACP (Admin panel) · Issue #1903 · coreruleset/coreruleset · GitHub

Closed
diegaless opened this issue Oct 9, 2020 · 20 comments

@diegaless

Description
I cannot access the ACP. I followed the instructions in the following link (phpBB 3.2.7 admin panel #1873) and added the exclusion rules, but it didn't work for me.

Audit Logs / Triggered Rule Numbers
POST /adm/index.php?sid=XXX

Triggered rules:

  • [file "/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "47"] [id "930100"]
  • [file "REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930110"]
  • [file "/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"]
  • [file "RESPONSE-980-CORRELATION.conf"] [line "87"] [id "980130"]

There were rules that were repeated and eliminated by synthesizing.

Your Environment

  • Paranoia level setting: default (1)
  • ModSecurity version: 2.9.2
  • Web Server and version: Apache 2.4.29
  • Operating System and version: VPS Ubuntu 18.04

Confirmation
[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

@dune73
Member
dune73 commented Oct 10, 2020

Sorry for the inconvenience @diegaless and thank you for reporting.

Could you share the full alert messages please? The information we have is not enough to reproduce the problem.

@azurit : Do you want to take a look afterwards?

@azurit
Member
azurit commented Oct 10, 2020

@dune73 Of course! Feel free to assign everything related to phpBB to me, thank you.

@diegaless Just to be sure: Have you added this file https://raw.githubusercontent.com/azurit/coreruleset/v3.4/dev/rules/REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf AND activated phpBB exclusions in crs-setup.conf, section 'Application Specific Rule Exclusions'?

@diegaless
Author
diegaless commented Oct 10, 2020

Thanks for the help @azurit :)!

I didn't know about these exclusion rules since they are not available in /modsecurity-crs/rules/xx

I confirm that adding the following rule in the configuration of my VirtualHost, the problem is solved:

# Redirect after admin login
# Applies when the request has no 'mode' argument and exactly one 'username'
# argument: rules 930100 and 930110 then skip the ARGS:redirect target.
SecRule REQUEST_FILENAME "@endsWith /adm/index.php" \
    "id:9007130,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    ver:'OWASP_CRS/3.4.0',\
    chain"
    SecRule &ARGS:mode "@eq 0" \
        "t:none,\
        chain"
        SecRule &ARGS:username "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetById=930100;ARGS:redirect,\
            ctl:ruleRemoveTargetById=930110;ARGS:redirect"

However, I haven't been able to add the exclusion file that you provided with all the rules. I indicate the steps that I followed in case you could help me:

-Added in /etc/modsecurity/crs/crs-setup.conf ( section 'Application Specific Rule Exclusions')

SecAction \
 "id: 900130, \
  phase: 1, \
  nolog, \
  pass, \
  t: none, \
  setvar: tx.crs_exclusions_phpbb = 1 "

-Saved in /modsecurity-crs/rules/ the following file

REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf

-Config in virtualHost:

<IfModule security2_module>
       SecRuleEngine on
       Include "/usr/share/modsecurity-crs/*.conf"
       Include "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>

@azurit
Member
azurit commented Oct 10, 2020

This is new exclusion rules package for phpBB, see PL #1893.

Looks you did it ok. Try it without all the excessive spaces:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_phpbb=1"

@diegaless
Author
diegaless commented Oct 11, 2020

Yes, I have it like this, it was due to ctrl + c ctrl + v. But not working actually, as if it were not loaded the exclusion rules, since these jump in modsecurity_log. @dune73 In case you could shed some light.

By the time they are up and running, with what level of paranoia do you recommend these rules? @azurit

Screenshot (1158)

@azurit
Member
azurit commented Oct 11, 2020

It was tested with PL1.

Can you send output of this?
ls -la /usr/share/modsecurity-crs/rules/REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf

@diegaless
Author

This is the output:

-rw-r--r-- 1 root root 8247 Oct 10 01:30 /usr/share/modsecurity-crs/rules/REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf

@azurit
Member
azurit commented Oct 11, 2020

What will happen if you remove first two rules (9007000 and 9007001) from REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf?

Just to be sure - did you remove that one rule (ID 9007130) from virtualhost? You mentioned it here:
#1903 (comment)

@diegaless
Author
diegaless commented Oct 12, 2020

What will happen if you remove first two rules (9007000 and 9007001) from REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf?

It works, I can access the ACP. From what I understand, the crs_exclusions_phpbb parameter is not detected correctly?

Just to be sure - did you remove that one rule (ID 9007130) from virtualhost? You mentioned it here:
#1903 (comment)

yes, it was eliminated

I just saw what you mentioned #1893 , for what you need here I am.
From what I saw I understand that the exclusion rules are still constantly changing, if it is not too much trouble, let me know when the final version is approved :)

@azurit
Member
azurit commented Oct 12, 2020

It works, I can access the ACP. From what I understand, the crs_exclusions_phpbb parameter is not detected correctly?

Seems so. Are you sure your crs-setup.conf is loaded? Should be in /usr/share/modsecurity-crs/owasp-crs.load and owasp-crs.load in /etc/apache2/mods-enabled/security2.conf.

I just saw what you mentioned #1893 , for what you need here I am.

Thanks!

From what I saw I understand that the exclusion rules are still constantly changing

Yes, it's still work in progress.

if it is not too much trouble, let me know when the final version is approved :)

No problem!

@diegaless
Author

Yes that's the bug, security2.conf correctly points to /usr/share/modsecurity-crs/owasp-crs.load, but owasp-crs.load is not found in /usr/share/modsecurity-crs/

Only shows:

drwxr-xr-x 8 root root 4096 Oct 6 00:24 .
drwxr-xr-x 140 root root 4096 Oct 5 23:47 ..
drwxr-xr-x 8 root root 4096 Oct 5 23:47 .git
drwxr-xr-x 4 root root 4096 Oct 5 23:47 .github
-rw-r--r-- 1 root root 383 Oct 5 23:47 .gitignore
-rw-r--r-- 1 root root 159 Oct 5 23:47 .gitmodules
-rw-r--r-- 1 root root 287 Oct 5 23:47 .linelint.yml
-rw-r--r-- 1 root root 708 Oct 5 23:47 .travis.yml
-rw-r--r-- 1 root root 555 Oct 5 23:47 .yamllint.yml
-rw-r--r-- 1 root root 74701 Oct 5 23:47 CHANGES
-rw-r--r-- 1 root root 7854 Oct 5 23:47 CONTRIBUTING.md
-rw-r--r-- 1 root root 3333 Oct 5 23:47 CONTRIBUTORS.md
-rw-r--r-- 1 root root 16834 Oct 5 23:47 INSTALL
-rw-r--r-- 1 root root 2834 Oct 5 23:47 KNOWN_BUGS
-rw-r--r-- 1 root root 11366 Oct 5 23:47 LICENSE
-rw-r--r-- 1 root root 2461 Oct 5 23:47 README.md
-rw-r--r-- 1 root root 2164 Oct 5 23:47 SECURITY.md
-rw-r--r-- 1 root root 33116 Oct 5 23:48 crs-setup.conf
-rw-r--r-- 1 root root 33116 Oct 5 23:47 crs-setup.conf.example
drwxr-xr-x 3 root root 4096 Oct 5 23:47 docs
drwxr-xr-x 2 root root 4096 Oct 12 00:39 rules
drwxr-xr-x 4 root root 4096 Oct 5 23:47 tests
drwxr-xr-x 10 root root 4096 Oct 5 23:47 util

I thought that when installing modsecurity that file generated itself.

Is my configuration broken? Any way to autogenerate it? I was looking but I did not get anything clear

@azurit
Member
azurit commented Oct 12, 2020

This is how security2.conf should look:

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf

        # Include OWASP ModSecurity CRS rules if installed
        IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
</IfModule>

And owasp-crs.load:

##
## This file loads OWASP CRS's rules when the package is installed
## It is Included by libapache2-mod-security2
##
Include /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/share/modsecurity-crs/rules/*.conf
IncludeOptional /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

@diegaless
Author
diegaless commented Oct 12, 2020

Identify security2.conf for me.

And the configuration is loaded from virtualhost:

<IfModule security2_module>
       SecRuleEngine on
       Include "/usr/share/modsecurity-crs/*.conf"
       Include "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>

But owasp-crs.load is not generated. So what do you suggest that I manually create the file?

Thanks for the help

@azurit
Member
azurit commented Oct 12, 2020

It won't be generated automatically, if you are missing it, you need to create it.

@azurit
Member
azurit commented Oct 12, 2020

And if you are loading security2.conf ( ls -la /etc/apache2/mods-enabled/security2.conf ), you don't need those things in virtualhost, remove them. Instead, create and load owasp-crs.load and configure everything inside /etc/modsecurity/crs/crs-setup.conf .
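
Added example (not code from the thread or from the CRS project): a small Python resolver that follows Include/IncludeOptional directives for the two include chains quoted above and reports whether an uncommented setvar:tx.crs_exclusions_phpbb=1 is read before the phpBB exclusion file. The paths are the ones quoted in the thread; the sandbox tree, the abbreviated file bodies, the function names and the assumption that the copy of crs-setup.conf under /usr/share/modsecurity-crs is unedited are constructed for illustration.

```python
import glob, os, re, tempfile

INCLUDE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.I)
FLAG = re.compile(r'setvar:\s*tx\.crs_exclusions_phpbb\s*=\s*1')

def load_order(root, entry):
    """Files read starting at `entry`, in order; paths resolve inside sandbox `root`."""
    order = []
    def visit(path):
        order.append(path)
        with open(root + path) as fh:
            for line in fh:
                m = INCLUDE.match(line)  # commented-out directives do not match
                for hit in sorted(glob.glob(root + m.group(1))) if m else []:
                    if os.path.isfile(hit):
                        visit(hit[len(root):])
    visit(entry)
    return order

def flag_before_phpbb_rules(root, entry):
    """True only if an uncommented phpBB setvar is read before the exclusion file."""
    for path in load_order(root, entry):
        if "PHPBB-EXCLUSION-RULES" in path:
            return False
        with open(root + path) as fh:
            if any(FLAG.search(l) for l in fh if not l.lstrip().startswith("#")):
                return True
    return False

def build_sample(root):
    """Constructed sample tree; file bodies are abbreviated stand-ins."""
    crs, etc = "/usr/share/modsecurity-crs", "/etc/modsecurity/crs"
    files = {
        # the copy that was edited (assumption: only this one has the SecAction enabled)
        etc + "/crs-setup.conf": 'SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_phpbb=1"\n',
        crs + "/crs-setup.conf": '#SecAction "id:900130,...,setvar:tx.crs_exclusions_phpbb=1"\n',
        crs + "/rules/REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf": "# placeholder body\n",
        crs + "/owasp-crs.load": "Include %s/crs-setup.conf\nInclude %s/rules/*.conf\n" % (etc, crs),
        "/vhost.conf": 'Include "%s/*.conf"\nInclude "%s/rules/*.conf"\n' % (crs, crs),
    }
    for path, body in files.items():
        os.makedirs(os.path.dirname(root + path), exist_ok=True)
        with open(root + path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for entry in ("/vhost.conf", "/usr/share/modsecurity-crs/owasp-crs.load"):
            print(entry, load_order(root, entry), flag_before_phpbb_rules(root, entry))
```

With the virtualhost includes the resolver reaches the exclusion file without having read the edited /etc/modsecurity/crs/crs-setup.conf; with owasp-crs.load as the entry point the setvar is read first.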

@diegaless
Author

Ok I have followed your steps, also uncomment the first two directives in /usr/share/modsecurity-crs/rules/REQUEST-903.9007-PHPBB-EXCLUSION-RULES.conf and now it works correctly.

Noob question, if I remove said virtualhost directives and I am running multiple virtualHost, with different cms (phpbb, wordpress etc) how do I make the active exclusion rules of phpBB only execute on a specific virtualHost and not affect the others. I feel like I'm missing something important here

@azurit
Copy link
Member
azurit commented Oct 12, 2020

Noob question, if I remove said virtualhost directives and I am running multiple virtualHost, with different cms (phpbb, wordpress etc) how do I make the active exclusion rules of phpBB only execute on a specific virtualHost and not affect the others. I feel like I'm missing something important here

I don't think this is possible but all exclusive rules should only apply to application for which they were written (as every application works different).

@dune73 does CRS support enabling exclusive rules packages per virtualhost?

@diegaless
Author

Now I activate the owasp rules via /etc/modsecurity/modsecurity.conf

SecRuleEngine on

Before SecRuleEngine being activated from virtualhost and being able to indicate which rules it loaded, I understand that it was possible to handle which sites applied which rules and which ones to load, although perhaps this is not a problem as you explain

@azurit
Copy link
Member
azurit commented Oct 12, 2020

Can we close this issue?

@diegaless
Author

yes

@azurit azurit closed this as completed Oct 13, 2020