Maltfield Log/2021 Q2

From Open Source Ecology

My work log from the year 2021 Quarter 2. I intentionally made this verbose to make future admins' work easier when troubleshooting. The more keywords, error messages, etc. that are listed in this log, the more helpful it will be for the future OSE Sysadmin.

See Also

  1. Maltfield_Log
  2. User:Maltfield
  3. Special:Contributions/Maltfield

Sun May 30, 2021

  1. Marcin had issues with 403 SQLi false positives from modsecurity on phplist with the following text:
Hello Friends,

We are having great success with the recently announced OSE Apprenticeship, with 10 people from 6 countries signed up already. So please pass this on to your friends - this is an authentic opportunity to continue working with OSE - with the promise of the Seed Eco-Home as a solid revenue stream as we continue to work on solving pressing world issues. It's

Looks like we have a few workshops coming up in September. Read the description to appreciate an unprecedented flurry of immersion experience where you truly will have the opportunity to learn more practical skills than you would in a lifetime. 3 months of immersion, some impressive builds, and building the OSE facility in Missouri for people to participate year round. Sign up and find more info at https://bit.ly/3wHGWdx. Early-bird registration is extended a few days to 23:59 CST on Thursday, June 3, 2021. True Fans discounts and multiple day discounts are available, and we can also do work exchange for people who can come early and help with prep. 
  1. Looks like it didn't like the word "having"
--e75ed325-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:merge.*?using\\s*?\\()|(execute\\s*?immediate\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:\\W+\\d*?\\s*?having\\s*?[^\\s\\-])|(?:match\\s*?[\\w(),+-]+\\s*?against\\s*?\\())" at ARGS:message. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "221"] [id "981256"] [msg "Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections"] [data "Matched Data:  having g found within ARGS:message: <p>Hello Friends,<br />\x0d\x0a<br />\x0d\x0aWe are having great success with the recently announced OSE Apprenticeship, with 10 people from 6 countries signed up already. So please pass this on to your friends - this is an authentic opportunity to continue working with OSE - with the promise of the Seed Eco-Home as a solid revenue stream as we continue to work on solving pressing world issues. It's<br />\x0d\x0a<br />\x0d\x0aLooks like we have a few..."] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATT
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:merge.*?using\\\\\\\\s*?\\\\\\\\()|(execute\\\\\\\\s*?immediate\\\\\\\\s*?[\\\\"'`\\\\xc2\\\\xb4\\\\xe2\\\\x80\\\\x99\\\\xe2\\\\x80\\\\x98])|(?:\\\\\\\\W+\\\\\\\\d*?\\\\\\\\s*?having\\\\\\\\s*?[^\\\\\\\\s\\\\\\\\-])|(?:match\\\\\\\\s*?[\\\\\\\\w(),+-]+\\\\\\\\s*?against\\\\\\\\s*?\\\\\\\\())" at ARGS:message. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "221"] [id "981256"] [msg "Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections"] [data "Matched Data:  having g found within ARGS:message: <p>Hello Friends,<br />\\\\x0d\\\\x0a<br />\\\\x0d\\\\x0aWe are having great success with the recently announced OSE Apprenticeship, with 10 people from 6 countries signed up already. So please pass this on to your friends - this is an authentic opportunity to continue working with OSE - with the promise of the Seed Eco-Home as a solid revenue stream as we continue to work on solving pressing world issues. It's<br />\\\\x0d\\\\x0a<br />\\\\x0d\\\\x0aLooks like we have a few..."] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATT [hostname "phplist.opensourceecology.org"] [uri "/lists/admin/"] [unique_id "YLPo6vBKD8a60FeFTJy0aQAAAAg"]
Action: Intercepted (phase 2)
Stopwatch: 1622403306584738 8711 (- - -)
Stopwatch2: 1622403306584738 8711; combined=3612, p1=122, p2=3466, p3=0, p4=0, p5=23, sr=27, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"
  1. I disabled id = '981256'
[root@opensourceecology conf.d]# grep SecRuleRemoveById -C2 /etc/httpd/conf.d/00-phplist.opensourceecology.org.conf
        <IfModule security2_module>
                SecRuleEngine On
                SecRuleRemoveById 970901 950001 950120 950901 981173 981317 973300 960020 960024 950911 981231 981248 981245 981256 973338 973304 973306 973333 973344 981257 981240 981246 981243 973336 958057 958006 958008 958049 958051 958056 958011 958030 958039 959072 959073 959151 973301 973302 973308 973314 973331 973315 973330 973327 973322 973348 973321 973335 973334 973332 973347 973316 200004 981172 960915 200003
        </IfModule>
</Location>
[root@opensourceecology conf.d]#
[root@opensourceecology conf.d]# httpd -t
Syntax OK
[root@opensourceecology conf.d]# systemctl reload httpd
[root@opensourceecology conf.d]#
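Added example, not part of the original log and not code from ModSecurity, the OWASP CRS or phplist: a small Python script that (a) applies the `having` branch of CRS 2.2.9 rule 981256, copied from the Pattern match text in the audit log above, to the blocked newsletter text to show exactly why it fired, (b) pulls the rule id, matched variable and severity out of an audit-log `Message:` line so the id to add to `SecRuleRemoveById` can be read off programmatically, and (c) checks a `SecRuleRemoveById` line for a given id, which is what the `grep` above verified by hand. All sample strings (NEWSLETTER, AUDIT_MESSAGE, VHOST_CONF) are constructed here from the log excerpt, with the id list shortened; the function names are my own.

```python
import re

# Rule 981256 of OWASP CRS 2.2.9 is four alternations; this is the one
# branch that fired in the audit log above ("Matched Data:  having g").
# The MERGE, EXECUTE IMMEDIATE and MATCH ... AGAINST branches are omitted
# because they did not match.
HAVING_BRANCH = re.compile(r"(?i:\W+\d*?\s*?having\s*?[^\s\-])")

# Constructed sample: the start of the blocked newsletter in the HTML/CRLF
# form phplist submits it as ARGS:message (from the "Matched Data" field).
NEWSLETTER = (
    "<p>Hello Friends,<br />\r\n<br />\r\n"
    "We are having great success with the recently announced OSE Apprenticeship"
)

# Constructed, abbreviated copy of the audit log's Message: line. The regex
# body is shortened to "(?i:...)"; only the bracketed fields matter here.
AUDIT_MESSAGE = (
    'Message: Access denied with code 403 (phase 2). Pattern match "(?i:...)" '
    'at ARGS:message. [file "/etc/httpd/modsecurity.d/activated_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "221"] [id "981256"] '
    '[msg "Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections"] '
    '[data "Matched Data:  having g found within ARGS:message: <p>Hello Friends,..."] '
    '[severity "CRITICAL"]'
)

# Constructed excerpt of the vhost config shown above (id list shortened).
VHOST_CONF = """\
        <IfModule security2_module>
                SecRuleEngine On
                SecRuleRemoveById 970901 950001 981256 973338
        </IfModule>
"""


def explain_match(text):
    """Return the text the having-branch matched, or None.

    The branch needs one or more non-word characters (\\W+) directly before
    'having', so any 'having' preceded by a space or newline qualifies, while
    'Having' at the very start of the field does not. There is no notion of
    SQL context at all, which is why ordinary English triggers it.
    """
    m = HAVING_BRANCH.search(text)
    return m.group(0) if m else None


def parse_audit_message(line):
    """Pull the bracketed fields and the matched variable out of a Message: line."""
    fields = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))
    # "... at ARGS:message." names the variable (ModSecurity target) that matched
    target = re.search(r" at ([A-Z_]+(?::[\w.-]+)?)\.", line)
    return {
        "id": fields.get("id"),
        "msg": fields.get("msg"),
        "file": fields.get("file"),
        "line": fields.get("line"),
        "severity": fields.get("severity"),
        "target": target.group(1) if target else None,
    }


def removed_rule_ids(conf_text):
    """Collect every id (or id range token) listed on SecRuleRemoveById lines."""
    ids = set()
    for m in re.finditer(r"^\s*SecRuleRemoveById\s+(.+?)\s*$", conf_text, re.M):
        ids.update(m.group(1).split())
    return ids


def is_rule_removed(conf_text, rule_id):
    """True if the given rule id appears on a SecRuleRemoveById line."""
    return str(rule_id) in removed_rule_ids(conf_text)


if __name__ == "__main__":
    print("newsletter matched:", repr(explain_match(NEWSLETTER)))
    print("start of field:", explain_match("Having said that, we are fine."))
    info = parse_audit_message(AUDIT_MESSAGE)
    print("blocked by rule", info["id"], "on", info["target"], "-", info["msg"])
    print("981256 removed in vhost:", is_rule_removed(VHOST_CONF, info["id"]))
```

Running it shows the match is literally the space, the word `having` and the `g` of `great`, i.e. the same `having g` the log reports. Because the matched variable is known to be `ARGS:message`, a narrower alternative to removing the whole rule in the vhost is ModSecurity 2.x's `SecRuleUpdateTargetById 981256 !ARGS:message`, which keeps 981256 active for every other argument on phplist and only stops it inspecting the newsletter body.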