Moodle, ModSecurity, error updating profile

by Jose Pérez -
Number of replies: 4

Hi,

Moodle 3.9.2+ (Build: 20200918) (2020061502.01)
Server:
Apache 2.4.46
PHP 7.2.33
MySQL 10.3.24-MariaDB
Linux

I have got some problems with updating profiles.

Logged in as administrator
I CAN edit my profile and the profiles of the other users

https://www.**********.com/campus/user/editadvanced.php?id=2&course=1
https://www.**********.com/campus/user/editadvanced.php?id=3&course=2&returnto=profile


Logged in as a student:
I CAN'T edit / update my own profile: 

https://www.*********.com/campus/user/edit.php?id=3&course=1

Error 403. Forbidden. Access to this resource on the server is denied!

And in cpanel:
Server error log message

2020-09-25 10:55:46.801040 [INFO] [2834264] [**.**.***.***:***:HTTP2-49#APVH_*******.com:443] File not found [/home/********/public_html/403.shtml] 


If I disable ModSecurity in cpanel a student CAN update his own profile (!).

But for security reasons I want ModSecurity enabled.

I can't find much documentation. In theory, it should affect all Moodle sites, no? It is highly recommended to enable ModSecurity, no?

Is there a workaround?


Thanks in advance,
Jose

In reply to Jose Pérez

Re: Moodle, ModSecurity, error updating profile

by Ken Task -

https://www.modsecurity.org/documentation.html

You could put mod_security in a detection only mode:
SecRuleEngine DetectionOnly
restart apache

That should log complaints to an audit log

On a CentOS 7 server; if yours is some other flavor of Linux, it should be similar but might not be exactly the same.

cd /etc/httpd/conf.d
nano mod_security.conf
    # Default recommended configuration
    # SecRuleEngine On
    SecRuleEngine DetectionOnly

There is a modsec_audit.log in /var/log/httpd/
and a modsec_debug.log in the same location

Now you can see what mod_security is complaining about in the modsec_audit.log. 

Real example:

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client IP] ModSecurity: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:summary_editor[text]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "301"] [id "973300"] [rev "2"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <p> found within ARGS:summary_editor[text]: <p>moodle and linux command line - a 'love/hate' relationship<br></p>"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "yourserverfqdn"] [uri "/moodle39/course/edit.php"] [unique_id "X17-9aSpB9kDPaj4NPqFeAAAAAE"]


And make exceptions to rules:

https://www.modsecurity.org/CRS/Documentation/exceptions.html

'SoS', Ken
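
Added example, not part of Ken's post: a small Python parser that reads ModSecurity warning lines in the format quoted above and counts hits per rule id, URI and matched variable, which is the information needed to scope an exception narrowly. The sample lines are constructed (shortened from the quoted log line, plus a made-up hit on a second form); the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the quoted warning shortened, a repeat of it, a made-up hit
# on another form, and one unrelated error-log line that must be skipped.
SAMPLE_LOG = r"""
[client IP] ModSecurity: Warning. Pattern match "<(a|abbr ..." at ARGS:summary_editor[text]. [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <p> found within ARGS:summary_editor[text]: <p>text</p>"] [uri "/moodle39/course/edit.php"]
[client IP] ModSecurity: Warning. Pattern match "<(a|abbr ..." at ARGS:summary_editor[text]. [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <b> found within ARGS:summary_editor[text]: <b>x</b>"] [uri "/moodle39/course/edit.php"]
[client IP] ModSecurity: Warning. Pattern match "<(a|abbr ..." at ARGS:description_editor[text]. [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <p> found within ARGS:description_editor[text]: <p>hi</p>"] [uri "/moodle39/user/edit.php"]
[client IP] File does not exist: /var/www/html/favicon.ico
"""

# [name "value"] metadata fields; the value may contain brackets but no bare quote.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the rule matched on, e.g. ' at ARGS:summary_editor[text]. ['
TARGET = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')


def parse_line(line):
    """Return id, msg, uri and target for one ModSecurity hit, or None."""
    if "ModSecurity:" not in line:
        return None
    body = line.split("ModSecurity:", 1)[1]
    fields = dict(FIELD.findall(body))  # repeated keys (tag) keep the last value
    if "id" not in fields:
        return None
    target = TARGET.search(body)
    return {
        "id": fields["id"],
        "msg": fields.get("msg", ""),
        "uri": fields.get("uri", ""),
        "target": target.group(1) if target else "",
    }


def summarize(log_text):
    """Count hits per (rule id, URI, target)."""
    hits = Counter()
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            hits[(hit["id"], hit["uri"], hit["target"])] += 1
    return hits


if __name__ == "__main__":
    for (rule_id, uri, target), count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:3d}  rule {rule_id}  {uri}  {target}")
```

Run it against the error log collected while the engine is in DetectionOnly; a rule that fires on the same rich-text field for every normal form submission is a false-positive candidate to raise with whoever maintains the rule set.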


In reply to Ken Task

Re: Moodle, ModSecurity, error updating profile

by Jose Pérez -
Thank you very much for your quick answer, Ken!
The site is hosted on shared hosting. I think I have to contact the provider to put mod_security in a detection only mode.

On the other hand, like I said before, having ModSecurity enabled (which is recommended, no?) should affect all Moodle sites, no?
Why isn't it documented in the Moodle docs?
All administrators need to define exceptions to rules in ModSecurity? It is not quite clear to me.

Thanks for your help! It is really appreciated!
In reply to Jose Pérez

Re: Moodle, ModSecurity, error updating profile

by Ken Task -

Shared hosting ... problem ... provider may not be able to make an exception rule just for your site.

In your case ... shared hosting ... your only alternative would be to turn it off.

Reason not in Moodle docs ... mod_security is apache config ... and one could imagine the differences in hosting, etc. .. like shared hosting ... massive confusing docs.

Moodle security itself is usually/normally good ... if you can keep your moodle up to date ... and that's the rub with shared hosting + the methods one has to use to update.

I don't host on shared hosting so you will have to work with your provider on this one if you want to run it.

'SoS', Ken