WAF blocks service-nologin.php

by Roberto Sbravati -
Number of replies: 2

The WAF blocks many calls to service-nologin.php (/lib/ajax/) and makes Moodle unusable.

The systems engineer does not want to create exceptions because it would create security holes. He says that the CRS (Core Rule Set) must be met by Moodle.

Is he right?
Why does Moodle appear to be breaking these security rules?
Am I doing something wrong?

Some other information:
The OWASP CRS version of our installation is 3.1.0, Moodle is 3.9.8 (build 20210716).
RequestURI: /lib/ajax/service-nologin.php

Request 942 (APPLICATION-ATTACK-SQLI)
RuleID 942200, 942260, 942340, 942370, 942430

Request 949 (BLOCKING-EVALUATION)
RuleID 949110 (Mandatory rule! Cannot be disabled)

Request 980 (CORRELATION)
RuleID 980130 (Mandatory rule! Cannot be disabled)

I don't know what other information could be used, but I think it's a problem of approach, rather than a technical one.

Thank you!

Roberto


In reply to Roberto Sbravati

Re: WAF blocks service-nologin.php

by Tim Hunt -
Your systems engineer is wrong.

WAF rules are created for ecommerce sites, where the data flowing back and forth is pure alphanumeric things like prices and product ids.

In Moodle people learn about things like Maths and computing.

At various times, I have seen WAF block completely stupid things like ../ and 1+1=2 in form posts. This is clearly inappropriate to Moodle.

(And, frankly, what are the WAF maintainers on. What possible reason was there for blocking 1+1=2?!)
In reply to Roberto Sbravati

Re: WAF blocks service-nologin.php

by Sergio Rabellino -
I did a fast search on Google and request 942 falls into the category "SQL Injection attack". Actually, the latest known Moodle SQL injection bug is CVE-2020-25700 and your version should not be affected, so we have two cases:
a) the WAF discovered a new bug, so kindly ask your engineer to help the community in fixing it by investigating further
b) this is a classical false positive of firewalls based on rules.

Anyway, I vote for b...
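To decide between Sergio's cases a) and b) you have to look at what the 942xxx rules actually matched, not at 949110 and 980130: in OWASP CRS 3.x those two are the anomaly-score evaluation and correlation rules, they fire whenever the score of the real detections reaches the inbound threshold (5 by default, with CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2 per match), which is why they are "mandatory" and why disabling them is neither possible nor the right fix. The following triage script is an added example written for this thread, not code from Moodle or from the CRS project. It parses ModSecurity v2 (Apache error-log style) lines, groups them per request by `unique_id`, separates detection rules from the 949/980 evaluation rules, recomputes the anomaly score from the `severity` field and shows the `Matched Data` so you can see whether the payload was an attack or ordinary text such as an apostrophe in a user's answer. The log lines, request ids, rule messages and matched data are constructed sample values; the severity scores and threshold are the CRS 3.x defaults and must be checked against your own `crs-setup.conf`.

```python
"""Triage of OWASP CRS anomaly-scoring logs: which rules really caused a block?

Added example, not Moodle or CRS code. The log lines below are constructed;
rule ids, messages, severities, request ids and matched data are sample values.
"""
import re
from collections import defaultdict

# Scores CRS 3.x adds per severity and the default inbound threshold at which
# rule 949110 blocks the request (assumption: your crs-setup.conf uses defaults).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
DEFAULT_INBOUND_THRESHOLD = 5

# Rule groups that only evaluate or report the score: 949 (BLOCKING-EVALUATION)
# and 980 (CORRELATION). They are never the root cause of a block.
EVALUATION_GROUPS = ("949", "980")

# Every ModSecurity field has the form [key "value"]; inner quotes are escaped as \".
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: request req-A trips two SQLi rules on an apostrophe inside
# user text (score 8, blocked); request req-B trips one WARNING only (score 3, allowed).
SAMPLE_LOG = r'''
[Mon Jul 19 10:00:01.000000 2021] [:error] [pid 1001] [client 203.0.113.5:51234] ModSecurity: Warning. Pattern match "(constructed)" at ARGS:args. [id "942200"] [msg "SQL Injection Attack (constructed sample message)"] [data "Matched Data: ' found within ARGS:args: {\"text\":\"it's only a quiz\"}"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [uri "/lib/ajax/service-nologin.php"] [unique_id "req-A"]
[Mon Jul 19 10:00:01.000000 2021] [:error] [pid 1001] [client 203.0.113.5:51234] ModSecurity: Warning. Operator GE matched 12 at TX:sql_injection_score. [id "942430"] [msg "Restricted SQL Character Anomaly Detection (constructed sample message)"] [data "Matched Data: 14 special characters (constructed)"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [uri "/lib/ajax/service-nologin.php"] [unique_id "req-A"]
[Mon Jul 19 10:00:01.000000 2021] [:error] [pid 1001] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [uri "/lib/ajax/service-nologin.php"] [unique_id "req-A"]
[Mon Jul 19 10:00:01.000000 2021] [:error] [pid 1001] [client 203.0.113.5:51234] ModSecurity: Warning. [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=8)"] [severity "CRITICAL"] [uri "/lib/ajax/service-nologin.php"] [unique_id "req-A"]
[Mon Jul 19 10:00:02.000000 2021] [:error] [pid 1002] [client 203.0.113.7:51240] ModSecurity: Warning. Operator GE matched 12 at TX:sql_injection_score. [id "942430"] [msg "Restricted SQL Character Anomaly Detection (constructed sample message)"] [data "Matched Data: 13 special characters (constructed)"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [uri "/lib/ajax/service-nologin.php"] [unique_id "req-B"]
'''


def parse_line(line):
    """Return the [key "value"] fields of one log line as a dict, or None if no rule id."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    # Undo ModSecurity's escaping of quotes inside the matched data.
    if "data" in fields:
        fields["data"] = fields["data"].replace('\\"', '"')
    return fields


def triage(lines, threshold=DEFAULT_INBOUND_THRESHOLD):
    """Group rule hits per request and recompute the inbound anomaly score."""
    requests = defaultdict(lambda: {"uri": None, "detections": [], "evaluation": [], "score": 0})
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        req = requests[fields.get("unique_id", "unknown")]
        req["uri"] = fields.get("uri", req["uri"])
        rule_id = fields["id"]
        if rule_id.startswith(EVALUATION_GROUPS):
            req["evaluation"].append(rule_id)      # reports the score, adds nothing to it
        else:
            req["detections"].append({
                "id": rule_id,
                "severity": fields.get("severity", ""),
                "data": fields.get("data", ""),
            })
            req["score"] += SEVERITY_SCORE.get(fields.get("severity", ""), 0)
    for req in requests.values():
        req["blocked"] = req["score"] >= threshold
    return dict(requests)


def summarize(requests, threshold=DEFAULT_INBOUND_THRESHOLD):
    """One human-readable line per request, root-cause rules first, then the matched data."""
    out = []
    for uid, req in requests.items():
        verdict = "BLOCKED" if req["blocked"] else "allowed"
        ids = ", ".join(d["id"] for d in req["detections"]) or "none"
        out.append(f"{uid} {req['uri']}: score {req['score']}/{threshold} -> {verdict}; "
                   f"caused by {ids}; evaluation-only {', '.join(req['evaluation']) or 'none'}")
        for d in req["detections"]:
            out.append(f"    {d['id']} [{d['severity']}] {d['data']}")
    return out


if __name__ == "__main__":
    for row in summarize(triage(SAMPLE_LOG.splitlines())):
        print(row)
```

Run it against your real `error.log` (or the `H` section of the audit log) by feeding the lines to `triage()` instead of `SAMPLE_LOG`. If the matched data is student or teacher content rather than SQL, you are in case b), and the usual mitigation is a scoped exclusion that removes only the offending rule from only that parameter on only that URI (ModSecurity's `ctl:ruleRemoveTargetById` action in a rule keyed on the request path), which is a very different thing from the site-wide holes your engineer is worried about; if the matched data really looks like an injection payload, you are in case a) and the request deserves a closer look.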