(2023-04-28, 07:52:05) islander Wrote:

(2023-04-28, 07:15:22) leestwise Wrote: After wiping the website and loading only the base GS 3.3.18.1CE, the save of header.inc.php by the theme editor fails. After temporarily turning ModSecurity off, it succeeds. Here are the three log messages generated by ModSecurity:
- [Wed Apr 26 18:55:17.533085 2023] [:error] [pid 177410:tid 124190993872640] [client redacted] [client redacted] ModSecurity: Warning. Pattern match "(?:\\\\bhttp/\\\\d|<(?:html|meta)\\\\b)" at ARGS:content. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "108"] [id "921130"] [msg "HTTP Response Splitting Attack"] [data "Matched Data: <html found within ARGS:content: <?php if (!defined('in_gs')) {\\x0d\\x0a die('you cannot load this page directly.');\\x0d\\x0a}\\x0d\\x0a/****************************************************\\x0d\\x0a *\\x0d\\x0a * @file: \\x09\\x09header.inc.php\\x0d\\x0a * @package:\\x09getsimple ce\\x0d\\x0a * @action:\\x09\\x09starter for getsimple cms ce\\x0d\\x0a *\\x0d\\x0a *****************************************************/\\x0d\\x0a?>\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a<!doctype html data->\\x0d\\x0a<html <?php echo ($mode !== ''..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/34"] [hostname "stewkitt.com"] [uri "/admin/theme-edit.php"] [unique_id "redacted"], referer: https://stewkitt.com/admin/theme-edit.ph...php&s=Edit
- [Wed Apr 26 18:55:17.535610 2023] [:error] [pid 177410:tid 124190993872640] [client redacted] [client redacted] ModSecurity: Warning. Pattern match "(?:<\\\\?(?:[^x]|x[^m]|xm[^l]|xml[^\\\\s]|xml$|$)|<\\\\?php|\\\\[(?:\\\\/|\\\\\\\\)?php\\\\])" at ARGS:content. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "65"] [id "933100"] [msg "PHP Injection Attack: PHP Open Tag Found"] [data "Matched Data: <?p found within ARGS:content: <?php if (!defined('in_gs')) {\\x0d\\x0a die('you cannot load this page directly.');\\x0d\\x0a}\\x0d\\x0a/****************************************************\\x0d\\x0a *\\x0d\\x0a * @file: \\x09\\x09header.inc.php\\x0d\\x0a * @package:\\x09getsimple ce\\x0d\\x0a * @action:\\x09\\x09starter for getsimple cms ce\\x0d\\x0a *\\x0d\\x0a *****************************************************/\\x0d\\x0a?>\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a<!doctype html data->\\x0d\\x0a<html <?php echo ($mode !== '' ?..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "stewkitt.com"] [uri "/admin/theme-edit.php"] [unique_id "redacted"], referer: https://stewkitt.com/admin/theme-edit.ph...php&s=Edit
- [Wed Apr 26 18:55:17.545415 2023] [:error] [pid 177410:tid 124190993872640] [client redacted] [client redacted] ModSecurity: Access denied with code 418 (phase 2). Operator GE matched 7 at TX:anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "stewkitt.com"] [uri "/admin/theme-edit.php"] [unique_id "redacted"], referer: https://stewkitt.com/admin/theme-edit.ph...php&s=Edit
...lee
Unfortunately, I don't think there is much that can be done; I am experiencing something similar with one of my providers.
Mod-Security is like a rule-based firewall that allows some actions and blocks others.
If you have a VPS you can adjust these rules, but if you are on some sort of shared hosting, it is very doubtful that you will be able to.
So the only work-around is to either deactivate mod_sec when using themes, or just upload them via FTP.
From my understanding, there is a flag any time the server detects a file being saved which has PHP which can be run.
It flags it as danger and will not allow it.
On a VPS, you can adjust these rules to say that it is you, so it can ignore it.
But most VPSs are very expensive, so not really worth it for a small GS site.
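An example of the kind of rule adjustment islander describes, added here for illustration; it is not from either poster or from the GetSimple project. It assumes a CRS 3.x install where you can drop a local rule into the file that loads before the CRS rule files (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf), and it takes the URI and parameter from the log lines quoted above (/admin/theme-edit.php, ARGS:content); the rule id 1001 is a placeholder from the local rule range. Rather than switching ModSecurity off for the whole site, it removes only the two rules that produced the false positives (921130 and 933100) from that one parameter on that one URI, so the theme-editor save no longer accumulates the two CRITICAL hits that pushed the anomaly score to 10, while every other request keeps full CRS coverage:

```apache
# Added example (not from the thread): scope a CRS exclusion to the GetSimple
# theme editor instead of disabling ModSecurity site-wide.
# Must be loaded before the CRS rule files, because ctl: actions only affect
# rules evaluated after them. Rule id 1001 is a placeholder.
SecRule REQUEST_URI "@beginsWith /admin/theme-edit.php" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=921130;ARGS:content,\
    ctl:ruleRemoveTargetById=933100;ARGS:content"
```

Two points worth keeping in mind with an exclusion like this. First, the theme editor's content parameter legitimately contains PHP, so those two signatures can never tell a genuine edit from a malicious one on that endpoint; what actually protects it is GetSimple's admin login, so the exclusion is only as safe as that authentication. Second, after reloading Apache, make one save from the editor and confirm in the ModSecurity audit log that 921130 and 933100 no longer fire on /admin/theme-edit.php and that 949110 is not reached; if other rule ids now show up, add them the same way rather than widening the exclusion to the whole path.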
Thank you for your help. I am perfectly happy with editing offline and uploading with FTP, but I certainly wanted to run the problem to ground. Thanks again for your help with doing that. It seems a shame not to be able to use the full functionality of the admin process—Oh, well.
Given your explanation about saving PHP files being a problem for ModSecurity, why does your SingleFileInstaller/Updater work without turning off ModSecurity (which is what I did)?
...lee