ModSecurity: Warning

by Ralph Ballier -
Number of replies: 6

Hello,

I am using Moodle 3.11.11 under Ubuntu 22.04.2 LTS.

In the error log file I keep finding the following message. What is its meaning?

Greetings

Ralph

[Tue Mar 07 16:27:56.347988 2023] [:error] [pid 3759211:tid 140488355071552] [client 91.52.2.43:0] [client 91.52.2.43] ModSecurity: Warning. Match required on "rx <spanclass=\\\\x22badge\\\\-name\\\\x22>[a-z0-9\\\\.'\\\\!\\\\:\\\\-]+<\\\\/a><\\\\/li>" against "RESPONSE_BODY". [file "/etc/apache2/modsecurity.d/rules/comodo_free/30_Apps_OtherApps.conf"] [line "468"] [id "240210"] [rev "2"] [msg "COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||moodle.example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "moodle.example.com"] [uri "/user/profile.php"] [unique_id "ZAdX_Ar5k5k7mthuaNKpPgAAAA4"], referer: https://moodle.example.com/admin/user.php
In reply to Ralph Ballier

Re: ModSecurity: Warning

by Ken Task -

Your ModSecurity has CVE turned on ...

COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4

reported vulnerabilities in versions seen.

Your site, however, is a 3.11.11 and thus not vulnerable to the exploit attempted by the IP address shown - 91.52.2.43

If you do a whois on that IP you'll get among the info:

route:          91.0.0.0/10
descr:          Deutsche Telekom AG, Internet service provider

Seems to be an individual machine on that ISP's customer network.

That's good ... just one machine and just one poke ... unless there were multiple references in your logs.

Depending upon operating system, one can actually block that IP address via your firewall. Before you do that, however, it's a good idea to find out if that IP address was used by one of your participants.

A mysql query of mdl_users table for last IP shows the IP addresses.

IF not one of your users ... and if pesky ... block the IP address at the network level.

On a CentOS 7 server:

firewall-cmd --zone=drop --add-source=IPADDRESS

Once in the drop zone, that IP address will never see your server at all!

The drop zone command above doesn't block that IP on a permanent basis. On the next reboot of the server all of those blocks are cleared.

'SoS', Ken


In reply to Ken Task

Re: ModSecurity: Warning

by Ralph Ballier -
Hi Ken,

Thank you for your information.

So the error message does not concern the current version at all. I had also read it that way, but it was not clear to me why this message appeared at all.

Why should I block the IP address if the error message has no function?

Best regards,
Ralph

In reply to Ralph Ballier

Re: ModSecurity: Warning

by Ken Task -

ModSecurity has CVS lookups turned on - CVS has vulnerabilities going back many older versions of software. So MS just informed you, that's all.

I suggested that IF you found that IP address was 'pesky' .... meaning scanning not only your web server but other services ... like ssh/ftp/DNS/whatever, that it would be wise to block the 'bad actor'. 

Up to you ... it's your server!  Proactive rather than re-active - your choice.

'SoS', Ken


In reply to Ken Task

Re: ModSecurity: Warning

by Ralph Ballier -
The address belongs to one of our customers.

I assume that the error message comes even though the customer has not tried anything bad. Or am I wrong about that?

Greetings
Ralph

In reply to Ralph Ballier

Re: ModSecurity: Warning

by Ken Task -

'Customer' may not have ... but then again, how well do you know your customers' devices/computers?

The error does mention badge, as well as "/rules/comodo_free/30_Apps_OtherApps.conf" as the rule file, which is additional to the conf/rule files.

/user/profile.php: Did the customer look at their own profile, where they would see a badge ... correct?

It might be a false positive - ID number 240210. Could exclude.

So, are there other users that have badges that produce the same error?

If you were to be watching that log, logged in as admin, then log in as that user, does the rule trip when visiting profile?

Dunno what to tell ya really!

'SoS', Ken
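As an added example (not from this thread, and not part of Moodle or ModSecurity), the following script does the two checks Ken describes: it parses error-log entries in the format quoted in the first post, counts how many times each client address and each (rule id, uri) pair tripped, and splits the flagged addresses into ones that match a known user's last IP and ones that don't. The sample log lines, the addresses (RFC 5737 documentation ranges) and the stand-in for the mdl_user lastip query are constructed for the example; rule id 240210 and the file/uri/msg values are the ones from the post.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache/ModSecurity 2.x error-log format quoted in the
# thread: two hits from one address, one from another, plus one ordinary Apache error
# that must be skipped. Addresses and unique_ids are made up; the rule is the post's 240210.
SAMPLE_LOG = r'''
[Tue Mar 07 16:27:56.347988 2023] [:error] [pid 3759211:tid 1] [client 198.51.100.7:0] [client 198.51.100.7] ModSecurity: Warning. Match required on "rx <spanclass=\\x22badge\\-name\\x22>" against "RESPONSE_BODY". [file "/etc/apache2/modsecurity.d/rules/comodo_free/30_Apps_OtherApps.conf"] [line "468"] [id "240210"] [rev "2"] [msg "COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||moodle.example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "moodle.example.com"] [uri "/user/profile.php"] [unique_id "EXAMPLE0001"], referer: https://moodle.example.com/admin/user.php
[Tue Mar 07 16:31:02.000000 2023] [:error] [pid 3759211:tid 2] [client 198.51.100.7:0] [client 198.51.100.7] ModSecurity: Warning. Match required on "rx <spanclass=\\x22badge\\-name\\x22>" against "RESPONSE_BODY". [file "/etc/apache2/modsecurity.d/rules/comodo_free/30_Apps_OtherApps.conf"] [line "468"] [id "240210"] [rev "2"] [msg "COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||moodle.example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "moodle.example.com"] [uri "/user/profile.php"] [unique_id "EXAMPLE0002"]
[Tue Mar 07 17:02:11.000000 2023] [:error] [pid 3759211:tid 3] [client 203.0.113.9:0] [client 203.0.113.9] ModSecurity: Warning. Match required on "rx <spanclass=\\x22badge\\-name\\x22>" against "RESPONSE_BODY". [file "/etc/apache2/modsecurity.d/rules/comodo_free/30_Apps_OtherApps.conf"] [line "468"] [id "240210"] [rev "2"] [msg "COMODO WAF: Multiple XSS vulnerabilities in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4 (CVE-2014-3547)||moodle.example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "OtherApps"] [hostname "moodle.example.com"] [uri "/user/profile.php"] [unique_id "EXAMPLE0003"]
[Tue Mar 07 17:05:00.000000 2023] [:error] [pid 3759211:tid 4] [client 203.0.113.9:0] AH00128: File does not exist: /var/www/html/favicon.ico
'''

TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')                   # [file "..."], [id "..."], [tag "..."], ...
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})')  # first [client IP:port]
REFERER_RE = re.compile(r', referer: (\S+)$')

def parse_entry(line):
    """Fields of one ModSecurity error-log line as a dict, or None for non-ModSecurity lines."""
    if 'ModSecurity:' not in line:
        return None
    entry = {'tags': []}
    for key, value in TAG_RE.findall(line):
        if key == 'tag':
            entry['tags'].append(value)   # [tag ...] repeats, so collect all of them
        else:
            entry[key] = value
    m = CLIENT_RE.search(line)
    entry['client'] = m.group(1) if m else None
    m = REFERER_RE.search(line)
    entry['referer'] = m.group(1) if m else None
    return entry

def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]

def hits_by_client(entries):
    """Hits per client address: Ken's 'just one poke, or multiple references in your logs?'"""
    return Counter(e['client'] for e in entries)

def hits_by_rule(entries):
    """Hits per (rule id, uri): does the same rule fire on the same page for several users?"""
    return Counter((e.get('id'), e.get('uri')) for e in entries)

def triage_clients(entries, known_user_ips):
    """Split flagged addresses into known users' last IPs and the rest.
    known_user_ips stands in for the result of the mdl_user lastip query from the thread."""
    flagged = set(hits_by_client(entries))
    return {'users': flagged & set(known_user_ips), 'unknown': flagged - set(known_user_ips)}

if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    print(hits_by_client(entries), hits_by_rule(entries))
    print(triage_clients(entries, {'198.51.100.7'}))  # constructed stand-in for the lastip query
```

If every hit is the same rule on /user/profile.php and every address belongs to a logged-in user, that points to the false positive Ken suspects rather than a scan, and the rule id is the value to exclude.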