ModSec Issue - Login with Google trigger 403

Ar

Ariful Jan 29, 2024 #1

*Server Setup: Latest Cyberpanel+Openlitespeed+ModSec (OWASP Core Rule Set activate from cyberpanel).

*Problem: Login with Google trigger 403.

To fix the issue I add this code with Default CP ModSec Rules(as the photo):
<locationmatch “/my-account/google/oauth2callback*”>
SecRuleRemoveById 949110

But No Luck!!

Here is the error log:

2024-01-29 12:32:20.537518 [INFO] [4300] [172.68.242.101:11658-12#sorboprothomalo.com] [Module:mod_security]Intervention status code triggered: 403
2024-01-29 12:32:20.537568 [INFO] [4300] [172.68.242.101:11658-12#sorboprothomalo.com] [Module:mod_security]Log Message: [client 172.68.242.101] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5’ against variable TX:ANOMALY_SCORE' (Value: 5’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “sorboprothomalo.com”] [uri “/my-account/google/oauth2callback”] [unique_id “170650274014.446625”] [ref “”]

*** Is there any good soul to help me ?

RM

Rana Muhammad Usman Nasir Jan 29, 2024 #2

github.com/usmannasir/cyberpanel

Cannot access 403 Forbiden MODSECURITY RULES

opened 08:24PM - 13 Jan 24 UTC

closed 07:43AM - 15 Jan 24 UTC

eakteam

If we activate OWASP ModSecurity Core Rules some menus on cyberpanel like: Websi…te->List->Manage, Access Logs, File Manager and more cannot be accessed with 403 Forbiden. This is the error shows at Logs->Error Logs ``` 2024-01-13 21:31:21.644932 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)' against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"] [ref "o7,4o8,3v14,11o71,5t:urlDecodeUni,t:lowercase"] 2024-01-13 21:31:21.654301 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security]Intervention status code triggered: 403 2024-01-13 21:31:21.654340 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security]Log Message: [client 109.234.233.130] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"] [ref ""] ``` It's the rule number 18 -> `REQUEST-949-BLOCKING-EVALUATION` which is causing the 403 Forbiden

Is thie the case with you ?

Ar

Ariful Jan 29, 2024 #3

Hello sir, thanks for your response.

My problem is different from what you mentioned. I don’t access CyberPanel from any proxy and my CyberPanel Dashboard, Menus, Options and everything else are OK.

(I am using OWASP Core Rule Set activate from cyberpanel )

**** My problem is that I don’t know how to disable some specific ModSec Rule IDS. CyberPanel has option to disable specific RULE GROUP (such as 900, 901, 905 etc). But it is very dangerous from Security point of view !!**

**** Sir you know that, every server host many domains. Even some host hundreds. That’s why disabling one RULE Group is Dangerous and is not practical for Security Reasons.**

**** The practical solution for “MODSEC TRIGGER 403 ISSUE” is to DISABLE SPECIFIC RULE IDS (such as 950109, 950901, 958291) just for SPECIFIC DOMAIN.**

**** my question is that, How to DISABLE SPECIFIC RULE IDS just for SPECIFIC DOMAIN. I know that, It can be done by adding code on :8090/firewall/modSecRules. But I don’t know the code for CyberPanel. Please HELP…

RM

Rana Muhammad Usman Nasir Jan 29, 2024 #4

OK. I understand the problem now.

Open a ticket here: https://platform.cyberpersons.com/

Provide the site where google login is having issues, also provider access to CyberPanel.

I will have to see how we can get around this problem.

Ar

Ariful Jan 29, 2024 #5

Hello Sir, as per your instruction, I create a ticket on https://platform.cyberpersons.com/.

Please Investigate.

RM

Rana Muhammad Usman Nasir Jan 29, 2024 #6

ticket id ?

Ar

Ariful Jan 29, 2024 #7

Ticket #ENSOKJPZQ

RM

Rana Muhammad Usman Nasir Jan 30, 2024 #8

ok let me check

RM

Rana Muhammad Usman Nasir Jan 30, 2024 #9

I added this and it seems to go through

SecRuleRemoveById 930120
SecRuleRemoveById 949110

Ar

Ariful Jan 30, 2024 #10

Hello Sir, many many thanks to you.

Issue Solved.