Error 403 when saving settings at /wp-admin/index.php?page=aioseo-setup-wizard#/category · Issue #2095 · coreruleset/coreruleset · GitHub

Error 403 when saving settings at /wp-admin/index.php?page=aioseo-setup-wizard#/category #2095


Closed
issuesreporting opened this issue May 21, 2021 · 12 comments · Fixed by #2311

@issuesreporting
issuesreporting commented May 21, 2021

Path:
example.com/wp-admin/index.php?page=aioseo-setup-wizard#/category

Clicking the save button causes an endless animation of the button without any further visual results or changes.
The ModSecurity log file reports error 403.
The access log file reports error 403.

---0axHjVCS---A--
[17/May/2021:23:48:52 +0200] 162128813271.917277 yyy.yyy.yyy.yyy 57906 xxx.xxx.xxx.xxx 80
---0axHjVCS---B--
POST /wp-json/aioseo/v1/wizard HTTP/1.1
Accept-Encoding: gzip, deflate
Cookie: _fbp=fb.1.1598866358706.1826547220; _ga=GA1.2.771664089.1598866361; ajs_anonymous_id=%22101e7a5c-754e-4d63-b61a-6428795a136f%22; _hjid=ef1192b3-fbb7-43f5-a616-be9a9596bbce; ajs_user_id=%22ps.-server.example.com%22; mp_c8aed77ebc880f4222724bc14a0d8a0d_mixpanel=%7B%22distinct_id%22%3A%20%22ps.example.com%22%2C%22%24device_id%22%3A%20%22178be0130ab701-07999816b59176-3b7f0650-1e6d71-178be0130acc07%22%2C%22mp_lib%22%3A%20%22Segment%3A%20web%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Fps.example.com%2Fadmin383sagpej%2Findex.php%3Fcontroller%3DAdminLogin%26token%3D01bdc31380f2a324e1e264a6f96e0a0a%22%2C%22%24initial_referring_domain%22%3A%20%22ps.example.com%22%2C%22%24user_id%22%3A%20%22ps.example.com%22%2C%22mp_name_tag%22%3A%20%22ps.example.com%22%2C%22language%22%3A%20%22pl%22%2C%22version_ps%22%3A%20%221.7.7.3%22%2C%22version_module%22%3A%20%221.3.3%22%2C%22module%22%3A%20%22ps_metrics%22%2C%22id%22%3A%20%22ps.example.com%22%2C%22%24first_name%22%3A%20%22http%3A%2F%2Fps.example.com%2F%22%2C%22%24name%22%3A%20%22http%3A%2F%2Fps.example.com%2F%22%7D; __gads=ID=71d0a2c6958f4bd3-2206138a1ebb007b:T=1618482997:RT=1618482997:S=ALNI_MbK6goyCUI9Bso4GoeyiXaUMboN2w; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_72a0324d9c077ad9cef625af54565376=test%7C1621460657%7CtyexE0B7mf5fOnWAB6SJCfDrg5aphEQ2KnLdCSpFL6G%7C7d909892951568e131dcaa2c3d304712688e8233ae1e0943d87ec4851faf012a; wp-settings-time-1=1621287870; wp-settings-1=libraryContent%3Dbrowse
Referer: http://example.com/wp-admin/index.php?page=aioseo-setup-wizard
Origin: http://example.com
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/json
X-WP-Nonce: cc9587282c
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Content-Length: 1326
Connection: keep-alive
Host: example.com
---0axHjVCS---D--
---0axHjVCS---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a
---0axHjVCS---F--
HTTP/1.1 403
Server: nginx
Date: Mon, 17 May 2021 21:48:52 GMT
Content-Length: 548
Content-Type: text/html
Connection: keep-alive
---0axHjVCS---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS_NAMES:json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2' (Value: `json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2' ) [file "/usr/local/etc/nginx/modsecurity/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "78"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: .profile found within ARGS_NAMES:json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2: json.wizard.additionalinformation.social.profiles.sameusername.included. (7 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "xxx.xxx.xxx.xxx"] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162128813271.917277"] [ref "o40,8v0,64t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercaseo40,8v0,67t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercaseo40,8v0,68t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWi (1220 characters omitted)"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `50' against variable `TX:ANOMALY_SCORE' (Value: `100' ) [file "/usr/local/etc/nginx/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 100)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxx.xxx.xxx.xxx"] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162128813271.917277"] [ref ""]
---0axHjVCS---I--
---0axHjVCS---J--
---0axHjVCS---Z--

Environment

  • CRS version (e.g., v3.2.0): 3.3.0
  • Paranoia level setting: 1
  • ModSecurity version (e.g., 2.9.3): 3
  • Web Server and version (e.g., apache 2.4.41): nginx 1.18.0
  • Operating System and version: FreeBSD 12.2-RELEASE amd64
@dune73
Member
dune73 commented May 21, 2021

Thank you for reporting @issuesreporting.

I confirm your finding:

curl "http://localhost/wp-admin/index.php?page=aioseo-setup-wizard" -d "json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2=foo"

This call triggers rule 930120: OS File Access Attempt.
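The false positive dune73 reproduces above, as an added example that is not part of this issue, of CRS or of ModSecurity: a small Python re-implementation of the pieces that interact here (the JSON body flattened into argument names, the transformation chain of rule 930120, and the substring semantics of @pmFromFile), run against a constructed request body shaped like the wizard's POST. The phrase list is a constructed excerpt in the style of lfi-os-files.data, the `array_<i>` naming of list items is assumed from the names visible in the audit log, and the `excluded_names` argument only models the effect of a target exclusion such as `SecRuleUpdateTargetById 930120 "!ARGS_NAMES:/^json\.wizard\./"` (assumed syntax; the merged fix is in #2311, not reproduced here).

```python
"""
Reproduce the 930120 false positive offline and show what a target exclusion
changes.  Added example, not CRS or ModSecurity code: a re-implementation of
the relevant pieces, driven by a constructed body shaped like the wizard's POST.
"""
import json
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the style of lfi-os-files.data; ".profile" (a user
# dotfile) is the entry named in the audit log.  Assumption: the real list is far longer.
LFI_OS_FILES = [".bash_history", ".bashrc", ".profile", ".ssh/id_rsa", "etc/passwd", "etc/shadow"]

# Constructed body (not the real 1334-byte one); only the key path matters.
SAMPLE_BODY = json.dumps({"wizard": {"additionalInformation": {"social": {"profiles": {
    "sameUsername": {"included": ["facebook", "twitter", "instagram"]}}}}}})


def flatten_json_args(body: str, prefix: str = "json") -> Dict[str, str]:
    """Name JSON leaves the way the audit log shows them: dotted path under
    'json.', list items as array_<i>.  Assumption: mirrors the visible names;
    not a copy of ModSecurity's JSON body processor."""
    out: Dict[str, str] = {}

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}")
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}.array_{i}")
        else:
            out[path] = "" if node is None else str(node)

    walk(json.loads(body), prefix)
    return out


def transform(value: str) -> str:
    """Approximate 930120's chain t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,
    t:lowercase (utf8toUnicode is a no-op on ASCII; path normalisation simplified)."""
    value = urllib.parse.unquote(value).replace("\\", "/")
    value = re.sub(r"/\./", "/", value)
    value = re.sub(r"/{2,}", "/", value)
    return value.lower()


def pm_from_file(value: str, phrases: List[str]) -> Optional[str]:
    """The @pmFromFile property that matters here: case-insensitive *substring*
    match, so '.profiles' inside a key name satisfies the '.profile' phrase."""
    for phrase in phrases:
        if phrase.lower() in value:
            return phrase
    return None


def rule_930120(args: Dict[str, str], excluded_names: Optional[str] = None) -> List[Tuple[str, str]]:
    """Evaluate the ARGS_NAMES|ARGS part of 930120's target list and return
    (variable, matched phrase) pairs.  excluded_names is a regex over argument
    names emulating a target exclusion of the form
    SecRuleUpdateTargetById 930120 "!ARGS_NAMES:/<regex>/" (assumed syntax);
    argument values are still inspected when a name is excluded."""
    hits: List[Tuple[str, str]] = []
    for name, value in args.items():
        targets = [("ARGS", value)]
        if excluded_names is None or not re.search(excluded_names, name):
            targets.append(("ARGS_NAMES", name))
        for collection, data in targets:
            phrase = pm_from_file(transform(data), LFI_OS_FILES)
            if phrase:
                hits.append((f"{collection}:{name}", phrase))
    return hits


if __name__ == "__main__":
    wizard_args = flatten_json_args(SAMPLE_BODY)
    for hit in rule_930120(wizard_args):
        print("930120 would alert on", hit)
    print("with exclusion:", rule_930120(wizard_args, r"^json\.wizard\."))
    print("still caught:", rule_930120({"file": "../../etc/passwd"}, r"^json\.wizard\."))
```

Every list item under `profiles` produces a key name containing `.profiles`, and each of them trips the `.profile` phrase on the ARGS_NAMES side; the values never match. Excluding the wizard's key names from the ARGS_NAMES target silences that while a real traversal in a value is still reported.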

@issuesreporting
Author

Thank you for confirmation. Is there any sort of additional information I can support you with that may be helpful?

@dune73
Member
dune73 commented May 21, 2021

Yes, your audit log reports an anomaly score of 100 in rule 949110, yet the log only brings a single alert on 930120 that in a normal installation accounts for an anomaly score of 5. Did you remove rule alerts that account for remaining anomaly score of 95?
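The accounting dune73 asks about (a single 930120 alert is worth 5 points, yet 949110 reports 100), as an added example that is not part of this issue, of CRS or of ModSecurity: a Python script that does offline what the reporter is asked to do by hand, selecting every alert line for one unique_id, adding up the points the rule alerts account for under the CRS 3.x severity mapping, and comparing that with the score and threshold the blocking rule reports. The log lines are a constructed, abridged copy of the two H-section alerts above (path and tag fields shortened; ids, severities, score, threshold and unique_id as on the page); the point values are the crs-setup.conf defaults.

```python
"""
Reconcile the anomaly score a CRS blocking alert reports with the points the
individual rule alerts for the same request account for.  Added example (not
CRS or ModSecurity code).
"""
import re
from typing import Dict, List, Optional

# CRS 3.x default points per ModSecurity severity (crs-setup.conf):
# 2=CRITICAL -> 5, 3=ERROR -> 4, 4=WARNING -> 3, 5=NOTICE -> 2.
SEVERITY_POINTS = {"2": 5, "3": 4, "4": 3, "5": 2}

# Rule families that evaluate or report the score instead of adding to it.
NON_SCORING_PREFIXES = ("949", "980")

ALERT_RE = re.compile(r'\[id "(\d+)"\].*?\[severity "(\d)"\].*?\[unique_id "([^"]+)"\]')
SCORE_RE = re.compile(r"TX:ANOMALY_SCORE' \(Value: `(\d+)' \)")
THRESHOLD_RE = re.compile(r"Operator `Ge' with parameter `(\d+)'")

# Constructed, abridged copy of the two alerts from the audit log above.
SAMPLE_LOG = """\
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS_NAMES:json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2' (Value: `json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2' ) [file "REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "78"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: .profile found within ARGS_NAMES:json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [tag "attack-lfi"] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162160010976.027469"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `50' against variable `TX:ANOMALY_SCORE' (Value: `100' ) [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 100)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [tag "attack-generic"] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162160010976.027469"]
"""


def parse_alerts(lines: List[str], unique_id: str) -> List[Dict[str, object]]:
    """One record per ModSecurity alert line that belongs to the given request
    (the equivalent of grepping the log for the unique_id)."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m.group(3) != unique_id:
            continue
        rec: Dict[str, object] = {"id": m.group(1), "severity": m.group(2)}
        score = SCORE_RE.search(line)
        threshold = THRESHOLD_RE.search(line)
        if score:
            rec["reported_score"] = int(score.group(1))
        if threshold:
            rec["threshold"] = int(threshold.group(1))
        alerts.append(rec)
    return alerts


def expected_score(alerts: List[Dict[str, object]]) -> int:
    """Points the scoring rules alone account for (949xxx/980xxx do not add points)."""
    return sum(SEVERITY_POINTS.get(str(a["severity"]), 0)
               for a in alerts if not str(a["id"]).startswith(NON_SCORING_PREFIXES))


def reconcile(lines: List[str], unique_id: str) -> Dict[str, Optional[int]]:
    """Compare the score 949110 reports with the points visible in the log."""
    alerts = parse_alerts(lines, unique_id)
    blocking = next((a for a in alerts if str(a["id"]).startswith("949")), None)
    expected = expected_score(alerts)
    reported = blocking.get("reported_score") if blocking else None
    return {
        "alerts": len(alerts),
        "expected": expected,
        "reported": reported,
        "threshold": blocking.get("threshold") if blocking else None,
        "unexplained": None if reported is None else int(reported) - expected,
    }


if __name__ == "__main__":
    print(reconcile(SAMPLE_LOG.splitlines(), "162160010976.027469"))
```

On the two lines from the page the visible alerts account for 5 points, the blocking rule reports 100 against a threshold of 50, so 95 points are unexplained by the log; with the default 5-point threshold the single 930120 alert would have blocked on its own, with the 50-point threshold shown here it would not, which is why the missing alerts matter.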

@issuesreporting
Author

Additionally, the backend log of httpd reports the following:

2021/05/21 14:28:29 [error] 46007#101979: *36192868 [client yyy.yyy.yyy.yyy] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `50' against variable `TX:ANOMALY_SCORE' (Value: `100' ) [file "/usr/local/etc/nginx/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 100)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxx.xxx.xxx.xxx"] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162160010976.027469"] [ref ""], client: yyy.yyy.yyy.yyy, server: _, request: "POST /wp-json/aioseo/v1/wizard HTTP/1.1", host: "example.com", referrer: "http://example.com/wp-admin/index.php?page=aioseo-setup-wizard"


@dune73
Member
dune73 commented May 21, 2021

Thank you. But this is the expected repetition of the rule alert 949110 above. It does not say how you end up with a score of 100.

Would you mind grepping for 162160010976.027469 in the backend log? That should return every rule alert triggered by this request.

@issuesreporting
Author

I would like to make a correction: I see that I wrote about the backend, but in reality it was the frontend log file, the line presented in the previous post.

As for other information, only that from the ModSecurity log is present. No more files of any sort, unless I'm missing something.
Exactly:

---mmeSv661---A--
[21/May/2021:14:28:29 +0200] 162160010976.027469 yyy.yyy.yyy.yyy 45530 xxx.xxx.xxx.xxx 80
---mmeSv661---B--
POST /wp-json/aioseo/v1/wizard HTTP/1.1
Accept-Encoding: gzip, deflate
Cookie: _fbp=fb.1.1598866358706.1826547220; _ga=GA1.2.771664089.1598866361; ajs_anonymous_id=%22101e7a5c-754e-4d63-b61a-6428795a136f%22; _hjid=ef1192b3-fbb7-43f5-a616-be9a9596bbce; ajs_user_id=%22ps.example.com%22; mp_c8aed77ebc880f4222724bc14a0d8a0d_mixpanel=%7B%22distinct_id%22%3A%20%22ps.example.com%22%2C%22%24device_id%22%3A%20%22178be0130ab701-07999816b59176-3b7f0650-1e6d71-178be0130acc07%22%2C%22mp_lib%22%3A%20%22Segment%3A%20web%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Fps.example.com%2Fadmin383sagpej%2Findex.php%3Fcontroller%3DAdminLogin%26token%3D01bdc31380f2a324e1e264a6f96e0a0a%22%2C%22%24initial_referring_domain%22%3A%20%22ps.example.com%22%2C%22%24user_id%22%3A%20%22ps.example.com%22%2C%22mp_name_tag%22%3A%20%22ps.example.com%22%2C%22language%22%3A%20%22pl%22%2C%22version_ps%22%3A%20%221.7.7.3%22%2C%22version_module%22%3A%20%221.3.3%22%2C%22module%22%3A%20%22ps_metrics%22%2C%22id%22%3A%20%22ps.example.com%22%2C%22%24first_name%22%3A%20%22http%3A%2F%2Fps.example.com%2F%22%2C%22%24name%22%3A%20%22http%3A%2F%2Fps.example.com%2F%22%7D; __gads=ID=71d0a2c6958f4bd3-2206138a1ebb007b:T=1618482997:RT=1618482997:S=ALNI_MbK6goyCUI9Bso4GoeyiXaUMboN2w; wordpress_test_cookie=WP+Cookie+check; wp-settings-time-1=1621287870; wp-settings-1=libraryContent%3Dbrowse; wordpress_logged_in_72a0324d9c077ad9cef625af54565376=test%7C1621772877%7CD5XTBc13FUjAizshH29AUNrp0oK53O23X7n22usNFIE%7C25c406d3568e0decfba0cb7eeb5635585b17a5f4646ca476a131726524d07a68
Referer: http://login-server2.example.com/wp-admin/index.php?page=aioseo-setup-wizard
Origin: http://login-server2.example.com
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/json
X-WP-Nonce: f4606f595e
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Content-Length: 1334
Connection: keep-alive
Host: login-server2.example.com
---mmeSv661---D--
---mmeSv661---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a
---mmeSv661---F--
HTTP/1.1 403
Server: nginx
Date: Fri, 21 May 2021 12:28:29 GMT
Content-Length: 548
Content-Type: text/html
Connection: keep-alive
---mmeSv661---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS_NAMES:json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2' (Value: `json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2' ) [file "/usr/local/etc/nginx/modsecurity/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "78"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: .profile found within ARGS_NAMES:json.wizard.additionalInformation.social.profiles.sameUsername.included.array_2: json.wizard.additionalinformation.social.profiles.sameusername.included. (7 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "xxx.xxx.xxx.xxx"] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162160010976.027469"] [ref "o40,8v0,64t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercaseo40,8v0,67t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercaseo40,8v0,68t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWi (1220 characters omitted)"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `50' against variable `TX:ANOMALY_SCORE' (Value: `100' ) [file "/usr/local/etc/nginx/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 100)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "xxx.xxx.xxx.xxx"] [uri "/wp-json/aioseo/v1/wizard"] [unique_id "162160010976.027469"] [ref ""]
---mmeSv661---I--
---mmeSv661---J--
---mmeSv661---Z--

@dune73
Member
dune73 commented May 26, 2021

The score is very odd, but I am quite sure it has nothing to do with CRS. As for the false positive itself, we'll look into it. But it may take a few weeks.

@lifeforms
Member

I will add this to the WordPress exclusions package.

@lifeforms self-assigned this Jun 21, 2021
@dune73
Member
dune73 commented Jun 23, 2021

We talked about this issue at our recent project meeting.

Decision: @lifeforms will take this on and do the fix. As an addendum, we are OK with covering WP plugins in Rule Exclusion packages.

@dune73
Member
dune73 commented Jul 19, 2021

Ping @lifeforms ...

@dune73
Member
dune73 commented Nov 15, 2021

@lifeforms, would you like to schedule this for the chat tonight and we reassign it to somebody else?

@lifeforms
Member

Sorry for the late comment, I created a PR in #2311.
