This repository has been archived by the owner on May 14, 2020. It is now read-only.

WordPress JetPack False Positive #1737

Open
manuelroccon opened this issue Apr 11, 2020 · 0 comments
manuelroccon commented Apr 11, 2020

Type of Issue

False positive

Description

Issue with WordPress JetPack plugin

Audit Logs / Triggered Rule Numbers

--a8dd7334-A--
[11/Apr/2020:15:19:23 +0300] XpG1y2B9vAtGdcg7i3j4AAAAEE 192.0.101.214 1088 123.123.123.123 443
--a8dd7334-B--
POST /?for=jetpack&jetpack=comms&token=&timestamp=&nonce=&body-hash=&signature=%3D HTTP/1.1
Host: www.domain.com
User-Agent: Jetpack by WordPress.com
Accept: */*
Accept-Encoding: deflate, gzip
Referer: https://www.domain.com/?for=jetpack&jetpack=comms&token=&timestamp=&nonce=&body-hash=
Authorization: X_JETPACK token="" timestamp="" nonce="" body-hash="=" signature="="
Connection: close
Content-Length: 114
Content-Type: application/x-www-form-urlencoded

--a8dd7334-C--

jetpack.testConnection

--a8dd7334-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/7.3.16
Cache-Control: no-cache
Content-Encoding: gzip
Vary: User-Agent
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--a8dd7334-H--
Message: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "www.domain.com"] [uri "/"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.domain.com"] [uri "/"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "www.domain.com"] [uri "/index.php"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Action: Intercepted (phase 2)
Apache-Handler: proxy:fcgi://php-fpm
Stopwatch: 1586607563182272 11167 (- - -)
Stopwatch2: 1586607563182272 11167; combined=3345, p1=553, p2=2622, p3=0, p4=0, p5=170, sr=70, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Engine-Mode: "ENABLED"

--a8dd7334-Z--

Your Environment

  • CRS version (e.g., v3.2.0):
  • Paranoia level setting:
  • ModSecurity version (e.g., 2.9.3):
  • Web Server and version (e.g., apache 2.4.41):
  • Operating System and version:

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
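Added example (not part of the issue above and not a fix shipped by the CRS project): a runtime rule exclusion a site operator could deploy to stop this specific false positive while leaving rule 941100 active everywhere else. It assumes the standard CRS layout where a file such as REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf is loaded before the rule files, and it assumes rule id 10001 is a free local id. The query parameters and the Authorization scheme it keys on are taken from the audit log in the report; all of them are client-controlled, so they scope the exclusion to the Jetpack endpoint, they do not authenticate the caller.

```apache
# Added example (not from the issue or from CRS): narrow runtime exclusion for
# the Jetpack "comms" POST that trips 941100 in the audit log above.
# Load it before the CRS rule files (e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
# Rule id 10001 is an assumed free local id; pick one from your own reserved range.
#
# Why the rule fires: Jetpack sends an XML-RPC document with
# Content-Type: application/x-www-form-urlencoded. ModSecurity therefore splits
# the XML body on '=' and '&', so the fragment '<?xml version' ends up as an
# argument *name*, and libinjection (941100) flags that name as XSS. The body
# is XML-RPC destined for the plugin, not markup that will be rendered, so the
# match is a false positive for this endpoint.
#
# Scoping: method must be POST, the query string must carry for=jetpack and
# jetpack=comms (checked via ARGS_GET so parameter order does not matter), and
# the Authorization header must use Jetpack's X_JETPACK scheme. Only then is
# 941100 told to ignore argument names that begin with '<?xml'. Every other
# CRS rule, and 941100 on all other names and on argument values, still runs.
# The client can forge all three conditions, so what this buys an attacker is
# exactly one thing: an unflagged '<?xml...' argument name on this endpoint.
SecRule REQUEST_METHOD "@streq POST" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    chain"
    SecRule ARGS_GET:for "@streq jetpack" \
        "chain"
        SecRule ARGS_GET:jetpack "@streq comms" \
            "chain"
            SecRule REQUEST_HEADERS:Authorization "@beginsWith X_JETPACK " \
                "ctl:ruleRemoveTargetById=941100;ARGS_NAMES:/^<[?]xml/"
```

Before enabling this in blocking mode, run it with `SecRuleEngine DetectionOnly` and confirm in the audit log that a Jetpack `jetpack.testConnection` request no longer records 941100 and that the anomaly score for it drops to 0, and also that an ordinary POST to `/` (without the Jetpack query parameters) is still scored. Because the body really is XML, an alternative worth evaluating on your own setup is switching the body processor to XML for this endpoint (`ctl:requestBodyProcessor=XML` in a phase-1 rule with the same scoping chain); that removes the argument-name parsing entirely but changes which CRS rules inspect the body, so it should be tested rather than assumed equivalent.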
