FP creating a new post using the Classic Editor

[pesc]

System

• Wordpress: Version 6.7.1 (Default installation, with the official Classic Editor) Plugin)
• CRS: 4.6.0 (same Problem with 4.11.0)
• CRS Plugin: wordpress-rule-exclusions-plugin (master)
• Apache 2.4.62
• ModSecurity 2.9.6 (Apache)

Trigger

Install & Activate the "official Classic Editor" Plugin -> Posts -> Press on "Filter" (see URL changes: [...]s&post_status=all&post_type=post&action=-1&[...]) -> "Add New Post" -> Write "Test" -> Publish -> 403

Logs

Request

(shorted - but relevant data is there )

curl --location 'https://website.xyz/wp-admin/post.php' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'referredby=https://website.xyz/wp-admin/edit.php?s=user&post_status=all&post_type=post&action=-1&m=0&cat=0&post_format&paged=1&action2=-1' \
--data-urlencode '_wp_original_http_referer=https://website.xyz/wp-admin/edit.php?s=user&post_status=all&post_type=post&action=-1&m=0&cat=0&post_format&paged=1&action2=-1'

Sandbox

This payload has been tested against the OWASP ModSecurity Core Rule Set 
web application firewall. 932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
932235 PL1 Remote Command Execution: Unix Command Injection (command without evasion)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 10)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=10, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=10)

Error Logs

user website.xyz [Tue Jan 28 16:21:23.002743 2025] [-:error] [pid 4362:tid 37197947392] [client 1.1.1.1:58504] [client 1.1.1.1] ModSecurity: Warning. Pattern match "(?i)(?:b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\ ..." at ARGS:referredby. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "201"] [id "932235"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: =post& found within ARGS:referredby: https://website.xyz/wp-admin/edit.php?s=user&post_status=all&post_type=post&action=-1&m=0&cat=0&post_format&paged=1&action2=-1"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "website.xyz"] [uri "/wp-admin/post.php"] [unique_id "Z5j18n58sdAKWfyyGwxJ5gAAAH4"], referer https://website.xyz/wp-admin/post-new.php?wp-post-new-reload=true
user website.xyz [Tue Jan 28 16:21:23.003122 2025] [-:error] [pid 4362:tid 37197947392] [client 1.1.1.1:58504] [client 1.1.1.1] ModSecurity: Warning. Pattern match "(?i)(?:b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\ ..." at ARGS:_wp_original_http_referer. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "201"] [id "932235"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: =post& found within ARGS:_wp_original_http_referer: https://website.xyz/wp-admin/edit.php?s=user&post_status=all&post_type=post&action=-1&m=0&cat=0&post_format&paged=1&action2=-1"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "website.xyz"] [uri "/wp-admin/post.php"] [unique_id "Z5j18n58sdAKWfyyGwxJ5gAAAH4"], referer https://website.xyz/wp-admin/post-new.php?wp-post-new-reload=true

Triggered Rules:

• 932235: Twice

Expected Result

Creating a new Post with the "Classic Editor" and having a _wp_original_http_referer and referredby with &post_type=post&action=-1& should not lead to a blocked request. I'm aware that we only cover "vanilla" Wordpress. But I'm counting the "Classic Editor" to the basic function of Wordpress 👍

There are several "exclusions" for the _wp_http_referer but not for _wp_original_http_referer and referredby: https://github.com/coreruleset/wordpress-rule-exclusions-plugin/blob/master/plugins/wordpress-rule-exclusions-before.conf#L452

[theseion]

Thanks for the (perfect!) report @pesc. I'm not a Wordpress user but your argument makes sense to me. I've created a PR (#71) that should fix your problem. I've only addressed that particular FP but there might be more, I imagine.

[EsadCetiner]

@pesc Just to confirm, does this false positive only happen on the /wp-admin/post.php endpoint or does this false positive happen on other endpoints?

[pesc]

Hi

Thanks @theseion @EsadCetiner

Just tested it with the "Tags" endpoint (/wp-admin/edit-tags.php): Going to "Posts" -> "Tags" -> Search for an Tag (or leave it blank and hit "Search Tags") -> edit-tags.php?taxonomy=post_tag&post_type=post&orderby=count&order=asc&s -> Edit a Tag -> CRS triggers

Same there:

user website.xyz [Wed Jan 29 08:30:47.554180 2025] [-:error] [pid 43840:tid 36338905856] [client 1.1.1.1:49609] [client 1.1.1.1] ModSecurity: Warning. Pattern match "(?i)(?:b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\ ..." at ARGS:_wp_original_http_referer. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "201"] [id "932235"] [msg "Remote Command Execution: Unix Command Injection (command without evasion)"] [data "Matched Data: =post& found within ARGS:_wp_original_http_referer: https:// website.xyz/wp-admin/edit-tags.php?taxonomy=post_tag&post_type=post&orderby=count&order=asc&s"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname " website.xyz"] [uri "/wp-admin/edit-tags.php"] [unique_id "Z5nZJ2pZAPZM0HNgqVP5IAAAaxM"], referer https:// website.xyz/wp-admin/term.php?taxonomy=post_tag&tag_ID=3&post_type=post&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dpost_tag%26post_type%3Dpost%26orderby%3Dcount%26order%3Dasc%26s%3D

I think referredby and _wp_original_http_referer is not only used in the /wp-admin/post.php

• https://github.com/search?q=repo%3AWordPress%2FWordPress+wp_original_referer_field&type=code
• https://github.com/search?q=repo%3AWordPress%2FWordPress%20referredby&type=code

[theseion]

@pesc You posted the curl request as GET. Is that correct? Since it's a form submission (according to the content type at least), it is probably a POST (GET with body is usually blocked). curl converts your call to POST automatically, so I assume that's true.

[theseion]

@pesc I've merged the PR. Could take the plugin for a test drive before we cut a new release?

[pesc]

@pesc You posted the curl request as GET. Is that correct? Since it's a form submission (according to the content type at least), it is probably a POST (GET with body is usually blocked). curl converts your call to POST automatically, so I assume that's true.

Yes it is a POST. I've imported the request from the browser to Postman to play around with the Headers/Body and then exported it from there. -X POST is missing there.

[pesc]

@pesc I've merged the PR. Could take the plugin for a test drive before we cut a new release?

Sure, will test and let you know. Thank you very much

[pesc]

@pesc I've merged the PR. Could take the plugin for a test drive before we cut a new release?

All good! Thank you very much! 💯

And just saw that you added even more #72

[theseion]

Thanks @pesc!