modsecurity issue with moodle 3.3.1


by Leo Kuipers -
Number of replies: 1

When trying to access a users profile page, I received a 403 error message. In my webserver logs, the following entry explained the issue:

[Tue Sep 26 20:54:41.103408 2017] [:error] [pid 615581:tid 140178616092416] [client ***IP***] [client ***IP***] ModSecurity: Access denied with code 403 (phase 4). Match of "rx <spanclass=\\"badge\\\\-name\\">[a-z0-9\\\\.'\\\\!\\\\:\\\\-]+<\\\\/a><\\\\/li>" against "RESPONSE_BODY" required. [file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "1114"] [id "240210"] [rev "1"] [msg "COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||*****domain*****|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "*****domain*****"] [uri "/user/profile.php"] [unique_id "WcqicC4T2gUACWSdrZwAAABg"], referer: *****domain*****/admin/user.php
The error says it has something to do with XSS vulnerabilities in 2.x Moodle versions. But I'm on 3.3.1.


If I'm not mistaken the modsecurity rule that triggers this is:

SecRule REQUEST_FILENAME "@rx (badges\/mybadges|user\/profile)\.php$" \
	"id:240210,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||%{tx.domain}|%{tx.mode}|2',phase:4,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:moodlesession "@gt 0" \
	"chain"
SecRule RESPONSE_BODY "!@rx [a-z0-9\.'\!\:\-]+<\/a><\/li>"


Were the vulnerabilities re-introduced? Is there anybody who can help me to get this resolved? 

I'm on a shared hosting environment, so I can't change the modsecurity conf. But I reckon that should not be done in the first place as it's a good idea to have such security plugins running.



In reply to Leo Kuipers

Re: modsecurity issue with moodle 3.3.1

by Tomasz Muras -

Hi Leo,

This looks like a false positive - the ModSecurity rule is blocking access for a valid request. The rule needs to be updated / removed.
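To see why the chain in Leo's post fires on a valid request, here is the rule logic re-expressed in Python, with a small parser for the error-log fields an admin needs to map a 403 back to its rule. This is an added example, not code from the thread, Moodle or the COMODO rule set; the regexes are copied from the posted SecRules, the HTML bodies and the log line are constructed samples, and the assumption that a profile page with no badge list is what trips the negated third rule is mine.

```python
import re

# Rule chain id 240210 from the post, re-expressed in plain Python so the
# false positive can be reproduced offline. Regexes copied from the SecRules.
TARGET_URI_RE = re.compile(r"(badges\/mybadges|user\/profile)\.php$")
BADGE_LIST_RE = re.compile(r"[a-z0-9\.'\!\:\-]+<\/a><\/li>")

# Constructed sample responses (not real Moodle output).
BODY_WITH_BADGE = ('<ul class="badges"><li><a href="/badges/badge.php?hash=ab12">'
                   'first-login</a></li></ul>')
BODY_NO_BADGES = '<div class="profile"><h2>leo</h2><p>no badges yet</p></div>'

# Constructed log line, shortened from the one in the post.
SAMPLE_LOG = ('ModSecurity: Access denied with code 403 (phase 4). '
              '[file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "1114"] '
              '[id "240210"] [rev "1"] [msg "COMODO WAF: Multiple XSS vulnerabilities '
              'in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)"] '
              '[severity "CRITICAL"] [uri "/user/profile.php"]')


def rule_240210_denies(request_filename: str, has_moodle_session: bool, body: str) -> bool:
    """True when the whole chain matches and ModSecurity would answer 403."""
    # Rule 1: REQUEST_FILENAME (after t:lowercase) must be a profile or badge page.
    if not TARGET_URI_RE.search(request_filename.lower()):
        return False
    # Rule 2: &SESSION:moodlesession @gt 0 - a tracked session variable must exist.
    if not has_moodle_session:
        return False
    # Rule 3 is negated (!@rx): it matches when the badge markup is ABSENT from
    # the response, so a profile page that renders no badge list is denied
    # (assumption: that is the false positive seen in the thread).
    return BADGE_LIST_RE.search(body) is None


# Triage helper: pull the bracketed fields out of an error-log entry so a hit
# can be mapped to its rule id, message and URI without reading the whole line.
LOG_FIELD_RE = re.compile(r'\[(id|msg|uri|severity|hostname|file|line) "([^"]*)"\]')


def parse_modsec_log_line(line: str) -> dict:
    return dict(LOG_FIELD_RE.findall(line))


if __name__ == "__main__":
    print("profile page with a badge, denied?", rule_240210_denies("/user/profile.php", True, BODY_WITH_BADGE))
    print("profile page without badges, denied?", rule_240210_denies("/user/profile.php", True, BODY_NO_BADGES))
    print(parse_modsec_log_line(SAMPLE_LOG))
```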