20 Jun
ModSecurity OWASP CRS 3.3.0 false positives on a WordPress site
The following search queries are blocked by ModSecurity and return a 403 Forbidden error:
www.example.com/s=zip+someword
and
www.example.com/s=gzip+someword
but not
www.example.com/s=zip
and www.example.com/s=gzip
The Apache error_log:
[Sun Jun 20 14:15:51.628805 2021] [:error] [pid 3764:tid 47658554889984] [client xxx.xxx.xxx.xxx:xxxx] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "(?:^|=)\\\\s*(?:{|\\\\s*\\\\(\\\\s*|\\\\w+=(?:[^\\\\s]*|\\\\$.*|\\\\$.*|<.*|>.*|\\\\'.*\\\\'|\\".*\\")\\\\s+|!\\\\s*|\\\\$)*\\\\s*(?:'|\\")*(?:[\\\\?\\\\*\\\\[\\\\]\\\\(\\\\)\\\\-\\\\|+\\\\w'\\"\\\\./\\\\\\\\]+/)?[\\\\\\\\'\\"]*(?:l[\\\\\\\\'\\"]*(?:s(?:[\\\\\\\\'\\"]*(?:b[\\\\\\\\'\\"]*_[\\\\\\\\'\\"]*r[\\\\\\\\'\\"]*e[\\\\\\\\'\\"]*l[\\\\\\\\' ..." at ARGS:s. [file "/etc/xxx/modsec_vendor_configs/OWASP3/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "463"] [id "xxxxxx"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: zip found within ARGS:s: zip someword"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "example.com"] [uri "/"] [unique_id "xxxxxxx-xxxxxxxxxxxxxxxxxxx"]
How do I make an exception to this ruleset (REQUEST-932-APPLICATION-ATTACK-RCE.conf) to allow the above queries? I'm not RegEx savvy, and I don't know how to read it.
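A targeted CRS exclusion, as an added example that is not part of the original post: it removes only the WordPress search parameter ARGS:s from the rule that fired, and only for search requests to the site root, instead of disabling the rule for every parameter on every URL. It assumes the masked rule id is 932150 (the CRS 3.3 rule carrying the "Direct Unix Command Execution" message; confirm this against line 463 of the file named in the log), that 1001 is a free local rule id, and that the snippet sits in a file loaded before the CRS rules, such as REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

```apache
# Added example, not from the original post. Runtime exclusion: when the
# request is a WordPress search on the site root (the log shows uri "/"),
# drop ARGS:s from the "Direct Unix Command Execution" rule only. Every
# other parameter and every other URL stay inspected by that rule.
# Assumptions: rule id 932150 (shown as "xxxxxx" in the log; verify it at
# line 463 of the logged file), free local id 1001, and this file is loaded
# before the CRS rule files so the ctl action runs before the rule does.
SecRule REQUEST_FILENAME "@rx ^/(?:index\.php)?$" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    # Second link of the chain: only fire when a search term is present.
    # The ctl action sits here so it runs only when the whole chain matches.
    SecRule &ARGS:s "@gt 0" \
        "t:none,\
        ctl:ruleRemoveTargetById=932150;ARGS:s"

# Broader alternative: a configure-time exclusion that removes ARGS:s from
# the rule for all requests. This directive must come AFTER the CRS rules
# are loaded (for example in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
# SecRuleUpdateTargetById 932150 "!ARGS:s"
```

Excluding ARGS:s means a search term that looks like a Unix command is no longer flagged by that one rule, while the other 932 rules still inspect it, so keep the exclusion scoped like this rather than dropping the whole rule with SecRuleRemoveById.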