General developer forum

modsecurity issue with moodle 3.3.1

Leo Kuipers

When trying to access a user's profile page, I received a 403 error message. In my webserver logs, the following entry explained the issue:

[Tue Sep 26 20:54:41.103408 2017] [:error] [pid 615581:tid 140178616092416] [client ***IP***] [client ***IP***] ModSecurity: Access denied with code 403 (phase 4). Match of "rx <spanclass=\\"badge\\\\-name\\">[a-z0-9\\\\.'\\\\!\\\\:\\\\-]+<\\\\/a><\\\\/li>" against "RESPONSE_BODY" required. [file "/usr/local/cwaf/rules/32_Apps_OtherApps.conf"] [line "1114"] [id "240210"] [rev "1"] [msg "COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||*****domain*****|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "*****domain*****"] [uri "/user/profile.php"] [unique_id "WcqicC4T2gUACWSdrZwAAABg"], referer: *****domain*****/admin/user.php
The error says it has something to do with XSS vulnerabilities in 2.x moodle versions. But I'm on 3.3.1.


If I'm not mistaken the modsecurity rule that triggers this is:

SecRule REQUEST_FILENAME "@rx (badges\/mybadges|user\/profile)\.php$" \
	"id:240210,chain,msg:'COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||%{tx.domain}|%{tx.mode}|2',phase:4,deny,status:403,log,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'OtherApps'"
SecRule &SESSION:moodlesession "@gt 0" \
	"chain"
SecRule RESPONSE_BODY "!@rx <span class=\"badge\-name\">[a-z0-9\.'\!\:\-]+<\/a><\/li>"

 

Were the vulnerabilities re-introduced? Is there anybody who can help me to get this resolved? 

I'm on a shared hosting environment, so I can't change the modsecurity conf. But I reckon that should not be done in the first place as it's a good idea to have such security plugins running.
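The rule above is a three-link chain, and the third link is negated (`!@rx`): it fires when the profile page does *not* contain the badge markup that Moodle 2.5 rendered. The following is an added stand-alone re-implementation of that decision logic, written for this thread rather than taken from ModSecurity or the Comodo rule set, so a saved copy of a profile page body can be checked offline to confirm why the rule denies it. It assumes the transformations and regexes exactly as quoted in the rule (the log line shows `<spanclass=` without a space; the example assumes the rule reads `<span class=`), and the two response bodies are constructed samples, not captured from a real site.

```python
import posixpath
import re
from urllib.parse import unquote

# Link 1 of the chain: REQUEST_FILENAME after t:urlDecodeUni,t:normalizePath,t:lowercase.
URI_RE = re.compile(r"(badges/mybadges|user/profile)\.php$")

# Link 3 of the chain, written in lowercase because t:lowercase is applied first.
# The operator in the rule is "!@rx": the link matches when this markup is ABSENT.
# Assumption: the rule reads "<span class=" with a space (the log line lost it).
BADGE_NAME_RE = re.compile(r'<span class="badge-name">[a-z0-9.\'!:\-]+</a></li>')


def rule_240210_decision(uri, moodlesession_vars, response_body):
    """Return (denied, reason) for one response, following the three chained
    SecRule links: request filename, session variable count, response body.

    moodlesession_vars stands in for &SESSION:moodlesession, the number of
    moodlesession variables in the WAF session collection (> 0 once logged in).
    """
    # Link 1: strip the query string, URL-decode, normalise "../" and lowercase.
    filename = posixpath.normpath(unquote(uri.split("?", 1)[0])).lower()
    if not URI_RE.search(filename):
        return False, "link 1: filename is neither user/profile.php nor badges/mybadges.php"

    # Link 2: "@gt 0" on the session variable count, i.e. a logged-in Moodle user.
    if moodlesession_vars <= 0:
        return False, "link 2: no moodlesession variable in the session collection"

    # Link 3: negated regex over the (lowercased) response body.
    if BADGE_NAME_RE.search(response_body.lower()):
        return False, "link 3: badge-name markup present, so the negated regex does not match"
    return True, ("link 3: body lacks the Moodle 2.5-era badge-name markup, so the "
                  "negated regex matches and the chain denies with 403")


# Constructed sample bodies (not captured from any real Moodle install).
BODY_MOODLE25_STYLE = (
    '<ul class="badges"><li><a href="/badges/badge.php?hash=PLACEHOLDER">'
    '<span class="badge-name">completion-badge</a></li></ul>'
)
BODY_MOODLE33_STYLE = (
    '<div class="profile_tree"><h3>User details</h3>'
    '<dl><dt>Email address</dt><dd>user@example.com</dd></dl></div>'
)


if __name__ == "__main__":
    for label, body in (("2.5-style body", BODY_MOODLE25_STYLE),
                        ("3.3-style body", BODY_MOODLE33_STYLE)):
        denied, reason = rule_240210_decision("/user/profile.php?id=5", 1, body)
        print(f"{label}: denied={denied} ({reason})")
```

Running it shows the mechanism behind the thread's 403: a 3.3 profile page that simply no longer renders the 2.5 badge list is denied, while a page containing the old markup passes. A page that is not `user/profile.php` or `badges/mybadges.php`, or a request with no Moodle session, never reaches the body check.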



Tomasz Muras
Re: modsecurity issue with moodle 3.3.1

Hi Leo,

This looks like a false positive - mod security rule is blocking access for a valid request. The rule needs to be updated / removed.
