• Hello! Long-time user of your plugin and install it on every site I create!

    I’ve run into a new issue for the first time. I set up a site on a new VPS server that has really strict mod_security rules. DebugPress is triggering block rules which result in 403 Forbidden errors that block site access. The blocking is only happening where the DebugPress display is enabled (if on frontend, frontend gets 403 errors, if on admin panel, admin panel gets 403 errors).

    I’m sure different rules get tripped based on what debug errors are caught/displayed in DebugPress, but I’ve caught it triggering these rules:

    214620 – “COMODO WAF: PHP source code leakage||site_name.com|F|3”
    214940 – “COMODO WAF: mysql SQL Information Leakage||site_name.com|F|2”

    Here’s a sample audit log report:

    Message: Warning. Pattern match "(?:\\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)|\\$_(?:session|(?:ge| ..." at RESPONSE_BODY. [file "/etc/apache2/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||site_name.com|F|3"] [data "Matched Data: fopen found within RESPONSE_BODY: <!doctype html>\x0a<html lang=\x22en-US\x22>\x0a\x0a<head>\x0a    <meta charset=\x22UTF-8\x22>\x0a    <meta name=\x22viewport\x22 content=\x22width=device-width, initial-scale=1\x22>\x0a    <link rel=\x22profile\x22 href=\x22https://gmpg.org/xfn/11\x22>\x0a    <link rel=\x22apple-touch-icon\x22 sizes=\x22180x180\x22 href=\x22/apple-touch-icon.png\x22>\x0a    <link rel=\x22icon\x22 type=\x22image/png\x22 sizes=\x2232x32\x22 href=\x22/favicon-32x32.png\x22>\x..."] [severity "ERROR

    Message: Warning. Pattern match "(?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\\(\\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right ..." at MATCHED_VAR. [file "/etc/apache2/modsecurity.d/rules/comodo_free/17_Outgoing_FilterSQL.conf"] [line "91"] [id "218140"] [rev "2"] [msg "COMODO WAF: mysql SQL Information Leakage||site_name.com|F|2"] [data "Matched Data: exif found within MATCHED_VAR: <!doctype html>\x0a<html lang=\x22en-US\x22>\x0a\x0a<head>\x0a <meta charset=\x22UTF-8\x22>\x0a <meta name=\x22viewport\x22 content=\x22width=device-width, initial-scale=1\x22>\x0a <link rel=\x22profile\x22 href=\x22https://gmpg.org/xfn/11\x22>\x0a <link rel=\x22apple-touch-icon\x22 sizes=\x22180x180\x22 href=\x22/apple-touch-icon.png\x22>\x0a <link rel=\x22icon\x22 type=\x22image/png\x22 sizes=\x2232x32\x22 href=\x22/favicon-32x32.png\x22>\x0a ..."] [severity "C

    Message: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 9|site_name.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"]

    Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 111.222.111.222] ModSecurity: Warning. Pattern match "(?:\\\\\\\\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)|\\\\\\\\$_(?:session|(?:ge| ..." at RESPONSE_BODY. [file "/etc/apache2/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||site_name.com|F|3"] [data "Matched Data: fopen found within RESPONSE_BODY: <!doctype html>\\\\x0a<html lang=\\\\x22en-US\\\\x22>\\\\x0a\\\\x0a<head>\\\\x0a <meta charset=\\\\x22UTF-8\\\\x22>\\\\x0a <meta name=\\\\x22viewport\\\\x22 content=\\\\x22width=device-width, initial-scale=1\\\\x22>\\\\x0a <link rel=\\\\x22profile\\\\x22 href=\\\\x22https://gmpg.org/xfn/11\\\\x22>\\\\x0a <link rel=\\\\x22apple-touch-icon\\\\x22 sizes=\\\\x22180x180\\\\x22 href=\\\\x22/apple-touch-icon.png\\\\x22>\\\\x0a <link rel=\\\\x22icon\\\\x22 type=\\\\x22image/png\\\\x22 sizes=\\\\x2232x32\\\\x22 href=\\\\x22/favicon-32x32.png\\\\x22>\\\\x..."] [severity "ERROR [hostname "site_name.com"] [uri "/index.php"] [unique_id "ZvxV5RvmfOHM8wlcfKIlOwAAAFQ"]

    Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 111.222.111.222] ModSecurity: Warning. Pattern match "(?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\\\\\\\\(\\\\\\\\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right ..." at MATCHED_VAR. [file "/etc/apache2/modsecurity.d/rules/comodo_free/17_Outgoing_FilterSQL.conf"] [line "91"] [id "218140"] [rev "2"] [msg "COMODO WAF: mysql SQL Information Leakage||site_name.com|F|2"] [data "Matched Data: exif found within MATCHED_VAR: <!doctype html>\\\\x0a<html lang=\\\\x22en-US\\\\x22>\\\\x0a\\\\x0a<head>\\\\x0a <meta charset=\\\\x22UTF-8\\\\x22>\\\\x0a <meta name=\\\\x22viewport\\\\x22 content=\\\\x22width=device-width, initial-scale=1\\\\x22>\\\\x0a <link rel=\\\\x22profile\\\\x22 href=\\\\x22https://gmpg.org/xfn/11\\\\x22>\\\\x0a <link rel=\\\\x22apple-touch-icon\\\\x22 sizes=\\\\x22180x180\\\\x22 href=\\\\x22/apple-touch-icon.png\\\\x22>\\\\x0a <link rel=\\\\x22icon\\\\x22 type=\\\\x22image/png\\\\x22 sizes=\\\\x2232x32\\\\x22 href=\\\\x22/favicon-32x32.png\\\\x22>\\\\x0a ..."] [severity "C [hostname "site_name.com"] [uri "/index.php"] [unique_id "ZvxV5RvmfOHM8wlcfKIlOwAAAFQ"]

    Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client 111.222.111.222] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 9|site_name.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "site_name.com"] [uri "/index.php"] [unique_id "ZvxV5RvmfOHM8wlcfKIlOwAAAFQ"]

    Apache-Handler: proxy:unix:/var/www/vhosts/system/site_name.com/php-fpm.sock|fcgi://127.0.0.1:9000

    Stopwatch: 1727813093603815 10545643 (- - -)

    Stopwatch2: 1727813093603815 10545643; combined=7027052, p1=490, p2=6118, p3=116, p4=7020029, p5=234, sr=144, sw=65, l=0, gc=0

    Response-Body-Transformed: Dechunked

    Producer: ModSecurity for Apache/2.9.7 (https://www.modsecurity.org/); CWAF_Apache.

    Server: Apache

    WebApp-Info: "default" "SESNSITIVE_DATA_REMOVED" "-"

    Engine-Mode: "ENABLED"

    I know there’s probably not much you can do about this on your end, but I wanted to report it anyways.

    If anyone else encounters this, the only solutions are to:
    1.) disable mod_security
    2.) disable DebugPress
    3.) disable only specific mod_security rules being tripped

    I recommend #3 as the best option while actively developing and using DebugPress, but option #2 as the best option once done developing and launching the site live (and re-enable any disabled rules for the live site). You should be able to enable/disable specific rules in your web hosting admin panel, at the command line, or globally in the mod_security config file.

    • This topic was modified 1 month, 2 weeks ago by codejp3. Reason: fixed typo
  • Plugin Author Milan Petrovic

    (@gdragon)

    Thanks for the explanation. I am not sure exactly which rule is triggered, so I can try and modify the code around it, and on my website where mod_security is used, I have not seen any issues. Considering how different hosting companies deploy mod_security, I am not sure who is actually affected.
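
To see which rules fired and what text in the response triggered them, the `Message:` lines of an audit log like the one quoted in the topic can be parsed for their `[id]`, `[msg]` and `Matched Data` fields. The following is an added example, not code from the original post or from DebugPress; the function names are hypothetical and the sample lines are constructed, shortened copies of the entries quoted above.

```python
import re

# Constructed sample in the shape of the audit-log entries quoted in the post
# (rule patterns and response bodies shortened; note the truncated severity).
SAMPLE_LOG = r'''
Message: Warning. Pattern match "(?:\\b(?:call_user_func|f(?:open|read)) ..." at RESPONSE_BODY. [file "/etc/apache2/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||site_name.com|F|3"] [data "Matched Data: fopen found within RESPONSE_BODY: <!doctype html>\x0a<html lang=\x22en-US\x22>\x..."] [severity "ERROR
Message: Warning. Pattern match "(?i)(?:mysql_fetch_array\\(\\)|on MySQL result index ..." at MATCHED_VAR. [file "/etc/apache2/modsecurity.d/rules/comodo_free/17_Outgoing_FilterSQL.conf"] [line "91"] [id "218140"] [rev "2"] [msg "COMODO WAF: mysql SQL Information Leakage||site_name.com|F|2"] [data "Matched Data: exif found within MATCHED_VAR: <!doctype html>\x0a ..."] [severity "C
Message: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 9|site_name.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [id "214940"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 9|site_name.com|F|2"]
'''

# [name "value"] metadata; the value may contain backslash escapes such as \x22.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
MATCHED = re.compile(r'Matched Data: (.*?) found within (\w+)')


def parse_messages(log_text):
    """One dict per "Message:" line; Apache-Error lines repeat the same hits and are skipped."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))  # truncated fields simply do not match
        if not line.startswith("Message:") or "id" not in fields:
            continue
        m = MATCHED.search(fields.get("data", ""))
        hits.append({
            "id": fields["id"],
            "msg": fields.get("msg", "").split("|")[0],
            "rules_file": fields.get("file", "").rsplit("/", 1)[-1],
            "matched": m.group(1) if m else None,
            "target": m.group(2) if m else None,
        })
    return hits


def removal_directive(hits):
    """SecRuleRemoveById line for rules that matched response content (they carry Matched Data)."""
    # The score-threshold rule has no Matched Data and is left enabled here.
    # Where the directive goes (e.g. only the development vhost) is up to the operator.
    return "SecRuleRemoveById " + " ".join(h["id"] for h in hits if h["matched"])


if __name__ == "__main__":
    print(parse_messages(SAMPLE_LOG))
    print(removal_directive(parse_messages(SAMPLE_LOG)))
```

The `matched` value is the string in the page output that tripped each rule, which is the detail needed to decide between changing the output and excluding the rule.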
