nextcloud
App blocked by OWASP Modsecurity Standard Rules
Steps to reproduce
I'm currently unable to use the app, as the chat overview will load, but once you choose an actual conversation, I can't see any messages. Turns out that the app is blocked by the OWASP Modsecurity Core Rules (https://github.com/coreruleset/coreruleset).
"message": "Remote Command Execution: Direct Unix Command Execution",
"details": {
"match": "Matched \"Operator `Rx' with parameter `(?i)(?:^|b[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)? (4180 characters omitted)' against variable `ARGS_NAMES:lastCommonReadId' (Value: `lastCommonReadId' )",
"reference": "o0,8v49,16",
"ruleId": "932260",
"file": "/etc/modsecurity.d/REQUEST-932-APPLICATION-ATTACK-RCE.conf",
"lineNumber": "519",
"data": "Matched Data: lastComm found within ARGS_NAMES:lastCommonReadId: lastCommonReadId",
"severity": "2",
"ver": "OWASP_CRS/4.10.0",
"rev": "",
"tags": [
"application-multi",
"language-shell",
"platform-unix",
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/152/248/88",
"PCI/6.5.2"
],
"maturity": "0",
"accuracy": "0"
}
}
Expected behaviour
Not sure if this is a bug, but it will surely affect others, and maybe changes can be made so it doesn't trigger those rules.
Actual behaviour
In the web browser, everything works just fine, so it's surely possible to access Nextcloud Talk so it doesn't sound all alarms. If you feel the app is just exactly what it should be doing, then kindly move it to feature requests.
Device brand and model
Irrelevant
Android version
11
Nextcloud Talk app version
Newest from Google Play
Nextcloud server version
No response
Talk version
No response
Custom Signaling server configured
None
Custom TURN server configured
None
Custom STUN server configured
None
Android logs
No response
Server log
Additional information
No response
So as it seems the regex is triggered for the string "lastCommonReadId" i don't think there is anything we can do. The variable name won't be changed. The only chance may be URL-Encoding or Base64-Encoding if the server would understand this, so asking @nickvergessen if this would be possible.
I'm pretty sure this is not accurate. The problem seems to be with "Direct Unix Command Execution", as stated in the first line. The third line has a match for the operator "Rx", which is probably just that.
As explained, I wouldn't bother you with this if the web implementation would be tripping the wires as well, but since that works without issues, this is surely not about anything that is hard-wired in the main application.
I guess you can curl against your status.php but status.php?lastCommonReadId=1 fails?
Matched Data: lastComm found within ARGS_NAMES:lastCommonReadId: lastCommonReadId
This already indicates that the rule is way too aggressive. The parameter is not lastComm but it's still blocking it.
As explained, I wouldn't bother you with this if the web implementation would be tripping the wires as well, but since that works without issues, this is surely not about anything that is hard-wired in the main application.
Not all clients behave the same, especially mobile clients and web are different, as e.g. mobile clients don't open a websocket to the signaling server when they only chat, so they have to transmit and request more information with their other requests. This is mostly done to save bandwidth and reduce the number of requests
Thanks for the clarificaton. Am I getting this right that the ruleset is looking for the lastComm string, found it in the variable name and thinks it's a Unix command?