10000 Possible False Positives with Nextcloud app Markdown Editor rule 949110 · Issue #2367 · coreruleset/coreruleset · GitHub
Closed
MrCybertux opened this issue Feb 1, 2022 · 2 comments
Comments

@MrCybertux
MrCybertux commented Feb 1, 2022

Description

While working with the Nextcloud app Markdown Editor, the connection to the document gets lost when it autosaves.
It only triggers when using one of the pre-formatted templates; I haven't figured out which exact feature breaks it.
If I use a blank page I can work just fine.
The rule triggered has the id 941310

Log output

[info] 164#164: *3297 ModSecurity: Warning. Matched "Operator `Rx' with parameter `\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe' against variable `ARGS:json.autosaveContent' (Value: `\# company\x0a\x0a\## Logistik\x0a\x0a\### <Daten>\x0a\x0a\## Technik\x0a\x0a\### Netzwerk Gr\xc3\x (324 characters omitted)' ) [file "/opt/bunkerized-nginx/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "527"] [id "941310"] [rev ""] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \xbcnwald\x0a\x0a#### <daten> found within ARGS:json.autosaveContent: # company\x0a\x0a## logistik\x0a\x0a### <daten>\x0a\x0a## technik\x0a\x0a### netzwerk gr\xc3\xbcnwald\x0a\x0a#### <daten>\x0a\x0a### netzwerk noris\x0a\x0a#### <daten>\x0a\x0a### (153 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "XXX.XXX.XXX.XXX"] [uri "/apps/text/session/sync"] [unique_id "164372592823.168891"] [ref "o66,20v21,298t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode"], client: XXX.XXX.XXX.XXX, server: nextcloud.example.io, request: "POST /apps/text/session/sync HTTP/2.0", host: "nextcloud.example.io"
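The log line above quotes the regex rule 941310 ran (`\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe`) and the matched data (`\xbcnwald\x0a\x0a#### <daten>`). The following script, added here as an illustration and not code from the issue author or the CRS project, reproduces that match on a constructed sample modelled on the logged template and shows which character supplies the `\xbc` byte: it is the second byte of the UTF-8 encoding of `ü` in "Grünwald", which the rule then pairs with the `>` of the later `<Daten>` heading. The sample text, the transformation shortcut and the helper names are assumptions made for the demonstration.

```python
import re

# Regex exactly as quoted in the ModSecurity log for rule 941310 (CRS 3.3.2).
# It is applied to raw bytes, so a multi-byte UTF-8 character can supply
# the 0xBC or 0xBE byte the pattern is looking for.
RULE_941310_RX = re.compile(rb"\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe")

# Constructed sample modelled on the autosaveContent in the log; not the
# reporter's real document.
SAMPLE_TEMPLATE = (
    "# Company\n\n"
    "## Logistik\n\n"
    "### <Daten>\n\n"
    "## Technik\n\n"
    "### Netzwerk Grünwald\n\n"
    "#### <Daten>\n"
)


def apply_transforms(value: str) -> bytes:
    """Approximate the rule's transformation chain for this sample.

    The chain in the log is urlDecodeUni, lowercase, urlDecode,
    htmlEntityDecode, jsDecode. For plain Markdown with no %xx, &entity; or
    backslash escapes only lowercase has an effect. bytes.lower() lowercases
    ASCII letters only, which matches how the log shows 'gr\xc3\xbcnwald'
    with its UTF-8 bytes untouched (assumption: ASCII-only lowercasing).
    """
    return value.encode("utf-8").lower()


def match_941310(value: str):
    """Return the bytes rule 941310 would report as matched data, or None."""
    m = RULE_941310_RX.search(apply_transforms(value))
    return m.group(0) if m else None


def offending_char(value: str):
    """Return the character whose UTF-8 encoding contains the byte where the
    match starts, so an analyst can see the byte is a valid continuation
    byte and not a stray US-ASCII encoding artefact."""
    data = apply_transforms(value)
    m = RULE_941310_RX.search(data)
    if m is None:
        return None
    start = m.start()
    pos = 0
    # Lowercasing ASCII does not change byte lengths, so offsets line up
    # with the original string's UTF-8 encoding.
    for ch in value:
        width = len(ch.encode("utf-8"))
        if pos <= start < pos + width:
            return ch
        pos += width
    return None


if __name__ == "__main__":
    print("matched:", match_941310(SAMPLE_TEMPLATE))
    print("byte supplied by:", offending_char(SAMPLE_TEMPLATE))
    print("blank page:", match_941310(""))
```

Running it against the sample reproduces the log's matched data, while a blank document or a template containing only `<Daten>` headings (no character whose encoding contains 0xBC) does not match, which is consistent with the report that blank pages work and only certain templates trigger the rule.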
@azurit
Member
azurit commented Feb 2, 2022

Hello!

Thanks for submitting and sorry for your inconvenience. We will take a look into this soon.

dune73 changed the title from "Posible False Positives with Nextcloud app Markdown Editor rule 949110" to "Possible False Positives with Nextcloud app Markdown Editor rule 949110" Feb 7, 2022
@theseion theseion self-assigned this Feb 21, 2022
@theseion
Contributor

Hi @MrCybertux

Thank you very much for your report. Your issue has already been addressed in the development branch. The update to the rule will be included in the next release (which will probably be towards summer).

If you have control over your CRS deployment you could update the rule manually with the change from the [v3.4/dev branch](https://github.com/coreruleset/coreruleset/blob/f8be3a0e3df242f87be0cd9af7fbce66a72fca8e/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf#L537).
