ModSecurity and OWASP settings

wikenigma

Hello All . . .
This might be of help to anyone running DW on a system where ModSecurity and OWASP rules are built-in part of the anti-h4cking measures on a server setup.
On the setup I've been using, a large number of '403' (forbidden) were being generated by the server when certain words and phrases were used in a DW page (on page save). Some of the words are in very common usage - such as "having" and "nerve".
The 403 errors meant that DW was unable to save the page, and jumped instead to the default 'This page does not exist' page.
After a series of tests, my server provider has found that the following OWASP rules were being triggered by DW.
933160
941120
942190
942230
942360
They have now been disabled on the server (for DW only) and all is now working fine.
If anyone has been having similar problems, give it a try.

wikenigma

My server provider has found another rule that was preventing Dokuwiki edits
933210
Could I ask if anyone else has had problems with ModSecurity and OWASP preventing DW from operating correctly? As I understand it, the systems are pretty much standard installations for hosting providers.

michaelsy

wikenigma Could I ask if anyone else has had problems with ModSecurity and OWASP preventing DW from operating correctly?

I don't know what it is, but I don't have a problem with it with 1&1/IONOS (one of the big players here in Germany).

wikenigma As I understand it, the systems are pretty much standard installations for hosting providers.

This is not the first time that there have been problems with individual hosting providers that do not seem to occur with many other providers.

Which provider are you with?

Thanks for sharing your experience!

- Michael Sy.

wikenigma

I've since come across even more 'rules' which were preventing proper DW operation.
It depends on the the content of the page being saved. If the page contains words or phrases or sequences which are blacklisted in the OWASP rules within ModSecurity, the page won't save.
The new rules that have been found are 941310, 932100, 932105, 921110.
Given that the OWASP system is ubiquitous in the hosting-provider world, I'm guessing that others must be having problems with it,
It's hard to know what can be done to get around it, as it's obviously not the 'fault' of the DW system. But perhaps someone can think of a workaround? As h4cking prevention becomes more and more necessary, I can only see this syndrome getting worse in the future.

michitux

Would it be an option to somehow "encrypt" the page content using javascript on submission or are there also rules, e.g., against base64-encoded content? By "encryption" I mean something simple like base64 or just an XOR with a (possibly repeated) random string that is also submitted to the server. This provides no security, but should avoid triggering simple rules.

wikenigma

Thanks michitux . . .
Maybe that would help.
Or maybe there could be a log somewhere of 'known' commonly-offended rules that could be passed on to hosting providers so that they can be bypassed for DW installations?

michaelsy

wikenigma Or maybe there could be ...

It could be helpful for third parties if it were first known with which provider these problems occur.

- Michael Sy.

cyrille37

Hello
I've got a similar problem with OVH mutualized web hosting, the file upload trigger (uri "/lib/exe/ajax.php")

#960010 - Request content type is not allowed by policy: "application/octet-stream"
from modsecurity/base_rules/modsecurity_crs_30_http_policy.conf

[Fri Jun 18 09:35:36 2021] [error] [client xxx.xxx.206.53] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_request_content_type}" against "TX:0" required. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/octet-stream"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "xxx"] [uri "/lib/exe/ajax.php"] [unique_id "xxx"]

cyrille37

On OVH mutulized you can completely disable ModSecurity

Global DokuWiki Links