这是我刚刚在 StackOverflow 上提出的一个问题的重复,后来我才意识到这里可能是更好的提问地点。
我的新 VPS(Virtualmin)上运行着 ModSecurity 2.9.3 和 OWASP CRS 3.3.2 安全规则。
我启用了REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES,它似乎基本能正常工作。
但是,Wordpress 主题编辑器却不支持。保存时,它会收到 403 响应(“保存失败”)。
我知道这是 Modsecurity,因为当我禁用它时一切都正常。
我调查了审计日志并在以下位置创建了相应的规则REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:
SecRule REQUEST_URI "@contains /wp-json/wp/v2/template-parts/" \
"id:10000002,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=949110;ARGS=content,\
ctl:ruleRemoveTargetById=941100;ARGS=content,\
ctl:ruleRemoveTargetById=941160;ARGS=content,\
ctl:ruleRemoveTargetById=941180;ARGS=content,\
ctl:ruleRemoveTargetById=932105;ARGS=content,\
ctl:ruleRemoveTargetById=980130;ARGS=content"
SecRule REQUEST_URI "@contains /wp-json/wp/v2/templates/<hostname>/page/" \
"id:10000003,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetById=949110;ARGS=content,\
ctl:ruleRemoveTargetById=941100;ARGS=content,\
ctl:ruleRemoveTargetById=941160;ARGS=content,\
ctl:ruleRemoveTargetById=941180;ARGS=content,\
ctl:ruleRemoveTargetById=932105;ARGS=content,\
ctl:ruleRemoveTargetById=980130"
我知道规则正在被读取,因为当我弄乱请求 uri 时,我可以让 Wordpress 完全停止工作。
但是问题仍然存在。我不是 Modsecurity 专家;我知道我的排除规则写得不正确,但我无法让它们发挥作用。
以下是由 Wordpress 主题编辑器触发的审计日志中的一些误报示例:
--48163009-H--
Message: Warning. Pattern match "(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|\\$\\(|\\$\\(\\(|`|\\${|<\\(|>\\(|\\(\\s*\\))\\s*(?:{|\\s*\\(\\s*|\\w+=(?:[^\\s]*|\\$.*|\\$.*|<.*|>.*|\\'.*\\'|\".*\")\\s+|!\\s*|\\$)*\\s*(?:'|\")*(?:[\\?\\*\\[\\]\\(\\)\\-\\|+\\w'\"\\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]* ..." at ARGS:content. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "158"] [id "932105"] [msg "Remote Command Execution: Unix Command Injection"] [data "Matched Data: {\x22top found within ARGS:content: <!-- wp:template-part {\x22slug\x22:\x22header\x22,\x22theme\x22:\x22<hostname>\x22,\x22tagName\x22:\x22header\x22} /-->\x0a\x0a<!-- wp:group {\x22tagName\x22:\x22main\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x220\x22,\x22right\x22:\x220\x22,\x22bottom\x22:\x220\x22,\x22left\x22:\x220\x22},\x22blockGap\x22:\x220\x22}}} -->\x0a<main class=\x22wp-block-group\x22 style=\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\x2..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"]
Message: Warning. detected XSS using libinjection. [file "/etc/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:content: <!-- wp:template-part {\x22slug\x22:\x22header\x22,\x22theme\x22:\x22<hostname>\x22,\x22tagName\x22:\x22header\x22} /-->\x0a\x0a<!-- wp:group {\x22tagName\x22:\x22main\x22,\x22style\x22:{\x22spacing\x22:{\x22padding\x22:{\x22top\x22:\x220\x22,\x22right\x22:\x220\x22,\x22bottom\x22:\x220\x22,\x22left\x22:\x220\x22},\x22blockGap\x22:\x220\x22}}} -->\x0a<main class=\x22wp-block-group\x22 style=\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\x2..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] ModSecurity: Warning. Matched phrase "<!--" at ARGS:content. [file "/etc/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "250"] [id "941180"] [msg "Node-Validator Blacklist Keywords"] [data "Matched Data: <!-- found within ARGS:content: <!-- wp:template-part {\\\\x22slug\\\\x22:\\\\x22header\\\\x22,\\\\x22theme\\\\x22:\\\\x22<hostname>\\\\x22,\\\\x22tagname\\\\x22:\\\\x22header\\\\x22} /-->\\\\x0a\\\\x0a<!-- wp:group {\\\\x22tagname\\\\x22:\\\\x22main\\\\x22,\\\\x22style\\\\x22:{\\\\x22spacing\\\\x22:{\\\\x22padding\\\\x22:{\\\\x22top\\\\x22:\\\\x220\\\\x22,\\\\x22right\\\\x22:\\\\x220\\\\x22,\\\\x22bottom\\\\x22:\\\\x220\\\\x22,\\\\x22left\\\\x22:\\\\x220\\\\x22},\\\\x22blockgap\\\\x22:\\\\x220\\\\x22}}} -->\\\\x0a<main class=\\\\x22wp-block-group\\\\x22 style=\\\\x22padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\\\\x22><!..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "sit.<hostname>.com"] [uri "/wp-json/wp/v2/templates/<hostname>/page"] [unique_id "Y7-6B6WOVEBhE0cscXvdvgAAERU"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 92.46.0.178] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "<hostname>.com"] [uri "/wp-json/wp/v2/templates/<hostname>/page"] [unique_id "Y7-6B6WOVEBhE0cscXvdvgAAERU"]
答案1
像这样的简单覆盖可以在 Apache 的配置中使用更简单的语法完成。
<IfModule security2_module>
<LocationMatch "/wp-json/wp/v2/template-parts/">
SecRuleRemoveById 949110 941100 941160 941180 932105 980130
</LocationMatch>
<LocationMatch "/wp-json/wp/v2/templates/[a-z0-9.]*/page">
SecRuleRemoveById 949110 941100 941160 941180 932105 980130
</LocationMatch>
</IfModule>