403 Issues adding attachments with latest Modsec Rules


Hi,

A few days ago I logged into my cloud VPS WHM and was prompted to install updated Modsec rules from OWASP:

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS

I installed the vendor rule set and all seemed okay, but I've since become aware of complaints from my IPS members that they cannot post attachments without getting a 403 error. I have been able to replicate the issue simply by trying to post a reply with an uploaded image attachment; I get a 403 Forbidden error.

I'm not too experienced with this but the Modsec Tools Hitlist in WHM shows no hits. I don't currently have root access. 

(I've also found incidentally that I can't save WordPress theme CSS/templates, even if they contain no changes and I simply click on the update, without seeing the same 403 Forbidden error, unless I switch Modsec off temporarily.)

I disabled the rule REQUEST-913-SCANNER-DETECTION and the issue went away.

I reactivated it and the 403 returned.

I tried disabling rule REQUEST-933-APPLICATION-ATTACK-PHP and it didn't stop the 403. 

I disabled it and disabled the first one 913, but the 403 is still happening, even after a graceful server reboot.

Has anyone else come across this? I don't want to turn Modsec off completely.

Many thanks.

 

Server config:

Managed VPS with SSD

CENTOS 6.9 x86_64 virtuozzo

Cpanel and WHM 64 build 15

PHP7.0.17

48 CPUs 4GB RAM

Load 0.03 (48 cpus) / Mem usage 21.93%

mysql (5.6.35)

Easy Apache 3

Running 4 sites (1+3 addon domains/sites):-

4.1.19.2 Forums, Chatbox, Gallery, Blogs and main website

4.1.19.2 Pages & Gallery

4.1.19.2 Gallery and main website

4.1.19.2 Gallery and Wordpress main site


The log has just started showing entries in the Hitlist as I've tried to save replies with image attachments.

The rules being triggered as false positives seem to be 949110, 980130 and 941160.

Some examples:

CRITICAL 403   949110: Inbound Anomaly Score Exceeded (Total Score: 10)

Request:	POST /XxXxXx/topic/26727-test-post/?failedReply=1
Action Description:	Access denied with code 403 (phase 2).
Justification:	Operator GE matched 5 at TX:anomaly_score.

 980130: Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=10,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): NoScript XSS InjectionChecker: HTML Injection

Request:	POST /XxXxXx/topic/26727-test-post/
Action Description:	Warning.
Justification:	Operator GE matched 5 at TX:inbound_anomaly_score.

403   941160: NoScript XSS InjectionChecker: HTML Injection


Request:	POST /XxXXx/topic/26727-test-post/
Action Description:	Warning.
Justification:	Pattern match "(?i)<[^\\w<>]*(?:[^<>\"'\\s]*:)?[^\\w<>]*(?:\\W*?s\\W*?c\\W*?r\\W*?i\\W*?p\\W*?t|\\W*?f\\W*?o\\W*?r\\W*?m|\\W*?s\\W*?t\\W*?y\\W*?l\\W*?e|\\W*?s\\W*?v\\W*?g|\\W*?m\\W*?a\\W*?r\\W*?q\\W*?u\\W*?e\\W*?e|(?:\\W*?l\\W*?i\\W*?n\\W*?k|\\W*?o\\W*?b\\W*?j\\W*?e\ ..." at ARGS:topic_comment_26727.

 


I don't know if this will help or not, but I had a problem with ModSecurity when I changed hosts once; I couldn't get attachments to show. They had me add:

SecFilterEngine Off
SecFilterScanPOST Off

Into my .htaccess file, which then allowed them to work. Don't know if it's the same problem that you are having but does sound familiar.
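
Added example, not part of the original posts: the exclusion options for the false positive shown in the Hitlist entries above, from broadest to narrowest. It assumes ModSecurity 2.x with the OWASP CRS 3 vendor rules and a custom configuration file that is loaded after the vendor rules (the file placement is an assumption; on a managed VPS the host may have to add it).

```apache
# Added example. The rule IDs and the argument name come from the Hitlist
# entries in the thread; everything else is an assumption labelled as such.
# These directives must be read AFTER the CRS rule files are included.

# Broadest: disables all inspection in the scope where it is set.
# (SecFilterEngine / SecFilterScanPOST are the ModSecurity 1.x directives
# for turning filtering off; SecRuleEngine is the 2.x directive.)
# SecRuleEngine Off

# Still too broad: 949110 is the rule that enforces the inbound anomaly
# threshold (score 10 against a limit of 5 in the log), and 980130 only
# reports the score. Removing 949110 stops inbound blocking for every
# detection rule, not just the one that misfired.
# SecRuleRemoveById 949110

# Narrower: removes the detection rule that added the XSS score, but for
# every argument of every request.
# SecRuleRemoveById 941160

# Narrowest: keep 941160 active everywhere except the reply-body argument
# named in the log (ARGS:topic_comment_26727). The numeric suffix matches
# the topic number in the request URL, so the target is given as a regular
# expression rather than one fixed name.
SecRuleUpdateTargetById 941160 "!ARGS:/^topic_comment_/"
```

With the last line in place the forum software's own HTML sanitising is the only XSS check on the reply body, so confirm the 403 is gone by posting a test reply and keep watching the Hitlist for other rule IDs against the same argument.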


Archived

This topic is now archived and is closed to further replies.
