Mod_security blocking with phplist developer’s name in quoted code

I know this is not specifically a phplist issue, but the block of my own IP address against itself is the result of phplist running.

Strange - mod_security is issuing a block of my phplist server’s IP against itself because of a mod_security rule called: /OWASP3/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf.

Deep inside the cited mod_security rules/responses is the name of one of phplist’s developers (removed in the below code for privacy) and I’m pretty sure this is not a feature.

Don’t know if this is a configuration issue, or security issue. I doubt it’s a hack but why would mod_security flag this? Below is the mod_security log file with the developer’s name replaced with a long series of zeros 000000000:

[Mon Nov 30 10:26:01.906939 2020] [:error] [pid 3879:tid 47801705469696] [client xx.xx.xx.xx:47782] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 4). Matched phrase “Warning:” at RESPONSE_BODY. [file “/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf”] [line “25”] [id “953100”] [rev “3”] [msg “PHP Information Leakage”] [data “Matched Data: Warning: found within RESPONSE_BODY: \x0a<html lang=\x22en\x22 dir=\x22ltr\x22 prefix=\x22og: http://ogp.me/ns#\x22>\x0a\x0a\x0a<meta name=\x22viewport\x22 content=\x22width=device-width, initial-scale=1\x22 />\x0a<meta name=\x22License\x22 content=\x22GNU Affero General Public License, http://www.gnu.org/licenses/agpl.html\x22 />\x0a<meta name=\x22Author\x22 content=\x220000000000000 - http://www.phplist.com\x22 />\x0a<meta name=…”] [severity “ERROR”] [ver “OWASP_CRS/3.0.0”] [maturity “9”] [accuracy “9”] [tag “application-multi”] [tag “language-php”] [tag “platform-multi”] [tag “attack-disclosure”] [tag “OWASP_CRS/LEAKAGE/ERRORS_PHP”] [tag “WASCTC/WASC-13”] [tag "OWASP_TO [hostname “www.xx.xx.xx.xx.com”] [uri “/lists/admin/index.php”] [unique_id “X8UPCeWMuVOodPcTNVMQ3gAAAJA”], referer: https://www.xx.xx.xx.xx.com/lists/admin/?page=import&tk=9be9915e8f550da392f8b9d
[Mon Nov 30 10:26:10.415117 2020] [:error] [pid 3850:tid 47801694963456] [client xx.xx.xx.xx:47784] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 4). Matched phrase “Warning:” at RESPONSE_BODY. [file “/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf”] [line “25”] [id “953100”] [rev “3”] [msg “PHP Information Leakage”] [data “Matched Data: Warning: found within RESPONSE_BODY: \x0a<html lang=\x22en\x22 dir=\x22ltr\x22 prefix=\x22og: http://ogp.me/ns#\x22>\x0a\x0a\x0a<meta name=\x22viewport\x22 content=\x22width=device-width, initial-scale=1\x22 />\x0a<meta name=\x22License\x22 content=\x22GNU Affero General Public License, http://www.gnu.org/licenses/agpl.html\x22 />\x0a<meta name=\x22Author\x22 content=\x220000000000000 - http://www.phplist.com\x22 />\x0a<meta name=…”] [severity “ERROR”] [ver “OWASP_CRS/3.0.0”] [maturity “9”] [accuracy “9”] [tag “application-multi”] [tag “language-php”] [tag “platform-multi”] [tag “attack-disclosure”] [tag “OWASP_CRS/LEAKAGE/ERRORS_PHP”] [tag “WASCTC/WASC-13”] [tag "OWASP_TO [hostname “www.xx.xx.xx.xx.com”] [uri “/lists/admin/index.php”] [unique_id “X8UPEuH-zS7IDgq1tNB1ZAAAAAs”], referer: https://www.xx.xx.xx.xx.com/lists/admin/?page=import&tk=9be9915e8fe8f4df29f550da392f8b9d
[Mon Nov 30 10:26:39.309648 2020] [:error] [pid 3881:tid 47801697064704] [client xx.xx.xx.xx:47788] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 4). Matched phrase “Warning:” at RESPONSE_BODY. [file “/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf”] [line “25”] [id “953100”] [rev “3”] [msg “PHP Information Leakage”] [data “Matched Data: Warning: found within RESPONSE_BODY: \x0a<html lang=\x22en\x22 dir=\x22ltr\x22 prefix=\x22og: http://ogp.me/ns#\x22>\x0a\x0a\x0a<meta name=\x22viewport\x22 content=\x22width=device-width, initial-scale=1\x22 />\x0a<meta name=\x22License\x22 content=\x22GNU Affero General Public License, http://www.gnu.org/licenses/agpl.html\x22 />\x0a<meta name=\x22Author\x22 content=\x220000000000000 - http://www.phplist.com\x22 />\x0a<meta name=…”] [severity “ERROR”] [ver “OWASP_CRS/3.0.0”] [maturity “9”] [accuracy “9”] [tag “application-multi”] [tag “language-php”] [tag “platform-multi”] [tag “attack-disclosure”] [tag “OWASP_CRS/LEAKAGE/ERRORS_PHP”] [tag “WASCTC/WASC-13”] [tag "OWASP_TO [hostname “www.xx.xx.xx.xx.com”] [uri “/lists/admin/index.php”] [unique_id “X8UPL-gJkd8N2 YgAAAQw”], referer: https://www.xx.xx.xx.xx.com/lists/admin/?page=import&tk=9be9df29f550da392f8b9d

@pancakehollow It seems to be complaining about the phrase “Warning:” being in the html generated by phplist. The log entry includes the start of the html which is why it has the developer’s name (look at the html of any admin page to confirm that).
I think that you should ask for that rule to be disabled.

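A triage sketch for log entries like the ones in this thread, added here as an example and not code from phpList, ModSecurity or either poster: it separates the phrase that rule 953100 matched from the response excerpt logged alongside it. The sample lines are constructed (placeholder client, hostname and author), and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample modelled on the entries in the post: straight quotes as
# Apache writes them; client, hostname, author and unique_id are placeholders.
_TEMPLATE = (
    r'[Mon Nov 30 10:26:{sec} 2020] [:error] [pid 3879:tid 1] [client 192.0.2.10:47782] '
    r'ModSecurity: Access denied with code 403 (phase 4). Matched phrase "Warning:" at RESPONSE_BODY. '
    r'[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] '
    r'[line "25"] [id "953100"] [msg "PHP Information Leakage"] '
    r'[data "Matched Data: Warning: found within RESPONSE_BODY: \x0a<html lang=\x22en\x22>\x0a'
    r'<meta name=\x22Author\x22 content=\x22AUTHOR-PLACEHOLDER - http://www.phplist.com\x22 />"] '
    r'[severity "ERROR"] [hostname "www.example.com"] [uri "/lists/admin/index.php"] '
    r'[unique_id "CONSTRUCTED-{sec}"]'
)
SAMPLE_LOG = "\n".join([
    _TEMPLATE.format(sec="01"),
    _TEMPLATE.format(sec="10"),
    "[Mon Nov 30 10:27:00 2020] [:error] [pid 3879:tid 1] constructed unrelated line",
])

QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})  # forum software curls the quotes
DENIED = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)\. '
                    r'Matched phrase "(.*?)" at (\w+)\.')
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs

def parse_entry(line):
    """Return the fields needed for triage, or None for non-ModSecurity lines."""
    line = line.translate(QUOTES)
    m = DENIED.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(line))  # repeated keys (tag) collapse; unused here
    return {"status": int(m.group(1)), "phase": int(m.group(2)),
            "phrase": m.group(3), "target": m.group(4), "id": fields.get("id"),
            "uri": fields.get("uri"), "data": fields.get("data", "")}

def trigger_vs_context(entry):
    """Split [data] into the matched value and the decoded response excerpt."""
    m = re.match(r"Matched Data: (.*?) found within (\w+): (.*)", entry["data"], re.S)
    if not m:
        return None, ""
    excerpt = re.sub(r"\\x([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(3))
    return m.group(1), excerpt

def summarize(log_text):
    """Count denials per (rule id, matched phrase, target, uri)."""
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return Counter((e["id"], e["phrase"], e["target"], e["uri"]) for e in entries)
```
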