
False positive response when using WordPress + WooCommerce

Open Munrok opened this issue 2 years ago • 1 comment

When trying to update products in the store (WordPress + WooCommerce), I encounter the following false positives:

ModSecurity: Warning. Matched "Operator `Rx' with parameter `\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe' against variable `ARGS:data[wp_autosave][excerpt]' (Value: `Warsztaty, podczas kt\xc3\xb3rych uczestniczymy w \xc4\x87wiczeniach, wyk\xc5\x82adach, ustawieniach (520 characters omitted)' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "528"] [id "941310"] [rev ""] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \xbcyw\xc4\x85 map\xc4\x99 problemu wraz z reprezentantami, dzi\xc4\x99ki czemu zyskujemy g\xc5\x82\xc4\x99bszy obraz twojego tematu, kt\xc3\xb3ry cz\xc4\x99sto prowadzi do rozwi\xc4\x85zania i jasno\xc5\x9bci.\x0a\x0aczas trwania 8 godzin.\x0a\x0adat\xc4\x99 i (669 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.5"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname " SERVER_IP"] [uri "/wp-admin/admin-ajax.php"] [unique_id "169589244837.755644"] [ref "o148,323v1719,485t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.5"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname " SERVER_IP"] [uri "/wp-admin/admin-ajax.php"] [unique_id "169589244837.755644"] [ref ""]

  • CRS version (e.g., v3.3.4): 3.3.5
  • Paranoia level setting (e.g. PL1) : 2
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Nginx
  • Operating System and version: FreeBSD

Munrok avatar Oct 10 '23 21:10 Munrok

@Munrok Thanks for reporting this. Unfortunately, we do not support WooCommerce or any other WordPress plugin. For plain WordPress, you can use WordPress Rule Exclusions Plugin.

Anyway, this exclusion rule will probably help you:

# Chained exclusion for the WordPress heartbeat autosave on admin-ajax.php:
# only when the request has exactly one `action` argument and it equals
# "heartbeat", the autosave excerpt field is removed from all attack-xss
# rules and from the listed rule ids. Comment lines are not allowed inside
# the backslash-continued rule text below.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:9990126,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS:action "@streq heartbeat" \
        "t:none,\
        chain"
        SecRule &ARGS:action "@eq 1" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=attack-xss;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=921110;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=932110;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=932105;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=932115;ARGS:data[wp_autosave][excerpt],\
            ctl:ruleRemoveTargetById=933210;ARGS:data[wp_autosave][excerpt]"

azurit avatar Oct 11 '23 06:10 azurit
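Working out which rule ids fired on which argument is the tedious part of writing an exclusion like the one above. The following is an added example, not code from the CRS project or from anyone in this thread: it parses ModSecurity error-log lines in the format quoted in the issue (the two sample lines are constructed and shortened from those), drops the 949110 blocking-evaluation entry, which only reports the anomaly score, and groups the remaining detection ids by URI and variable so the matching `ctl:ruleRemoveTargetById` actions can be rendered.

```python
import re
from collections import defaultdict

# Constructed sample, shortened from the two lines quoted in the issue.
SAMPLE_LOG = r"""
ModSecurity: Warning. Matched "Operator `Rx' with parameter `\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe' against variable `ARGS:data[wp_autosave][excerpt]' (Value: `Warsztaty, podczas kt\xc3\xb3rych (520 characters omitted)' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "528"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [severity "2"] [ver "OWASP_CRS/3.3.5"] [tag "attack-xss"] [tag "paranoia-level/1"] [uri "/wp-admin/admin-ajax.php"] [unique_id "169589244837.755644"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [ver "OWASP_CRS/3.3.5"] [tag "attack-generic"] [uri "/wp-admin/admin-ajax.php"] [unique_id "169589244837.755644"]
"""

# [key "value"] fields; the value may contain backslash escapes such as \xc4.
BRACKET_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
VARIABLE_RE = re.compile(r"against variable `([^']*)'")


def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity error-log line as a dict;
    repeated [tag "..."] fields are collected into a list."""
    rec = {"tags": []}
    for key, value in BRACKET_RE.findall(line):
        if key == "tag":
            rec["tags"].append(value)
        else:
            rec[key] = value
    m = VARIABLE_RE.search(line)
    rec["variable"] = m.group(1) if m else None
    return rec


def triage(log_text):
    """Map (uri, variable) -> sorted detection rule ids. Rule 949110 is skipped
    because it reports the summed anomaly score, not a detection of its own."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue
        rec = parse_modsec_line(line)
        if rec.get("id") == "949110" or not rec["variable"]:
            continue
        hits[(rec.get("uri"), rec["variable"])].add(rec["id"])
    return {key: sorted(ids) for key, ids in hits.items()}


def exclusion_actions(triaged):
    """Render one ctl:ruleRemoveTargetById action per rule id, grouped by URI,
    ready to be pasted into a chained SecRule like the one in this thread."""
    out = []
    for (uri, var), ids in sorted(triaged.items()):
        out.append(f"# {uri}")
        out.extend(f"ctl:ruleRemoveTargetById={rid};{var}" for rid in ids)
    return out
```

Run it over the real error log and check the remaining ids by hand before excluding them; a by-id exclusion scoped to one argument and one URI is the narrowest change that clears a false positive without disabling the rule elsewhere.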

Fixed with https://github.com/coreruleset/wordpress-rule-exclusions-plugin/pull/43.

azurit avatar Apr 30 '24 13:04 azurit