phpMyAdmin "on" cookie blocked by libinjection

[zimmerle]

@quenenni commented on Wed Jun 21 2017

Debian Jessie
libapache2-modsecurity v2.8.0-3
CRS v3.0.2

PhpMyAdmin is using pmaUser-2 & pmaPass-2 as cookie names.
Not always, I could use PMA for a time.
But it's the second time today that suddenly, while doing stuff, modsec decided to block all my requests.
And the reason was these 2 cookies.

I'm going to add an exception that stops the 2 rules when working with PMA, but aren't those 2 rules to harsh in a general sense?

´´´
[Wed Jun 21 15:25:10.956736 2017] [:error] [pid 5924] [client xxx.xxx.xxx.xx:50902] ModSecurity: Access denied with code 412 (phase 2). detected XSS using libinjection. [file "/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: connection found within REQUEST_COOKIES:pmaPass-2: on+BHFUPFdfsWTEJdw8wug=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "yyyyy.net"] [uri "/alternc-sql/index.php"] [unique_id "WUpztolKzlsAABXPBZkAAAAD"]

´´´
[Thu Jun 22 00:31:20.676606 2017] [:error] [pid 30261] [client xxx.xxx.xxx.xxx:53590] ModSecurity: Access denied with code 412 (phase 2). Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on[a-zA-Z]+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=)" at REQUEST_COOKIES:pmaUser-2. [file "/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "133"] [id "941120"] [rev "2"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 6oNo= found within REQUEST_COOKIES:pmaUser-2: ADNYD7f6oNo="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "yyyy.net"] [uri "/alternc-sql/sql.php"] [unique_id "WUrzuIlKzlsAAHGX4rAAAAAe"]

---

@zimmerle commented on Wed Jun 21 2017

Hi @quenenni, it seems like you are facing a problem on OWASP CRS. The better approach is to open this issue on OWASP CRS Project.

[lifeforms]

This is another instance of libinjection seeing ONfoo= as XSS. Another example was #663.

I discussed this in client9/libinjection#115 and I think it should have been fixed by replacing the onXXX matching with a discrete blacklist in client9/libinjection#118.

So this issue should be resolved when ModSecurity targets a new libinjection release.

However, I have not been able to verify the fix with a new libinjection build. It could be that I've been using an incorrect commit. So let's keep this issue open while we do a check on a new libinjection version.

[quenenni]

You 're totally right @zimmerle and I'm very sorry about that (it's not the first time, damnit.. The saying "A donkey does not stumble twice on the same stone" doesn't fit for me this time :/ ).

@lifeforms : Thanks for the explanation. Sounds good.
"The new libinjection release", you mean libinjection in modsec v3?

[lifeforms]

@quenenni I hope we see a ModSecurity 2.9.2 with an updated libinjection, maybe this summer? ;) But let me first check if a new version of libinjection really fixes the problem. Otherwise we should go over there in the bug tracker again!

[dune73]

We can close this here, can't we?

[quenenni]

If you're asking me, you can.
But if you read lifeforms'last post, I'd say no as he is saying specifically that he would like to keep it open and be able to be sure there is a fix for this before closing it.
I must say I find your intervention here quite strange. :)

[dune73]

True.

I did not read it very carefully it seems. I got the impression it was a libinjection thing and I am a bit overwhelmed with the number of issues we are actively working on. So I wish we could close this. :)

[lifeforms]

FYI a possible fix for this libinjection FP is discussed in:

client9/libinjection#143

[github-actions]

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

[diablodale]

ping, not yet addressed?