Modscan Error · CyberPanel Community

DC

Daniel Collins Apr 22, 2024 #1

Hi All

Cyberpanel Current Version: 2.3
Nextcloud V28
Vultr Oneclick install on Ubuntu 20 LTS

i recently install Nextcloud on a sub domain and everything has worked out well apart from one issue i cant upload files from a web browser, (the desktop client has no issues),

i have traced the issue down to MODSCAN but i know nothing about modscan can anyone assist if possible, if i turn modscan off it works no issues turn it back on same issue

This is the error in the nextcloud Log

BadRequest
Expected filesize of 10413 bytes but read (from Nextcloud client) and wrote (to Nextcloud storage) 1015 bytes. Could either be a network problem on the sending side or a problem writing to the storage on the server side.

This is the error log from cyberpanel (i cleared the log and attempted to upload file and this is the error)

2024-04-23 09:16:53.753367 [INFO] [3002] [59.100.243.150:64365-Q:0A38756CF062EA09-372#cloud.ecmind.com.au] [Module:mod_security] ModSecurity: Warning. Matched "Operator Within' with parameter |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| (134 characters omitted)’ against variable TX:content_type' (Value: |application/pdf|’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf”] [line “937”] [id “920420”] [rev “”] [msg “Request content type is not allowed by policy”] [data “|application/pdf|”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-protocol”] [tag “paranoia-level/1”] [tag “OWASP_CRS”] [tag “capec/1000/255/153”] [tag “PCI/12.1”] [hostname “cloud.ecmind.com.au”] [uri “/remote.php/dav/files/admin/transaction_report-1.pdf”] [unique_id “171382781394.789785”] [ref “o0,15v207,15t:lowercase”]
2024-04-23 09:16:53.755854 [INFO] [3002] [59.100.243.150:64365-Q:0A38756CF062EA09-372#cloud.ecmind.com.au] [Module:mod_security]Intervention status code triggered: 403
2024-04-23 09:16:53.755867 [INFO] [3002] [59.100.243.150:64365-Q:0A38756CF062EA09-372#cloud.ecmind.com.au] [Module:mod_security]Log Message: [client 59.100.243.150] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5’ against variable TX:ANOMALY_SCORE' (Value: 5’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “cloud.ecmind.com.au”] [uri “/remote.php/dav/files/admin/transaction_report-1.pdf”] [unique_id “171382781394.789785”] [ref “”]

thank you for your assistance

DC

Daniel Collins Apr 22, 2024 #2

So i found some rules that have worked but do i need to do this for every file type

SecRule REQUEST_HEADERS:Content-Type “@rx image/jpeg”
“id:10004,
phase:1,
allow”
SecRule REQUEST_HEADERS:Content-Type “@rx application/pdf”
“id:10002,
phase:1,
allow”
SecRule REQUEST_HEADERS:Content-Type “@rx application/vnd.ms-excel”
“id:10007,
phase:1,
allow”
SecRule REQUEST_HEADERS:Content-Type “@rx image/png”
“id:10009,
phase:1,
allow”
SecRule REQUEST_HEADERS:Content-Type “@rx application/vnd.openxmlformats-officedocument.wordprocessingml.document”
“id:10013,
phase:1,
allow”

RM

Rana Muhammad Usman Nasir Apr 23, 2024 #3

DanielCollins:

This is the error log from cyberpanel (i cleared the log and attempted to upload file and this is the error)

2024-04-23 09:16:53.753367 [INFO] [3002] [59.100.243.150:64365-Q:0A38756CF062EA09-372#cloud.ecmind.com.au] [Module:mod_security] ModSecurity: Warning. Matched "Operator Within' with parameter |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| (134 characters omitted)’ against variable TX:content_type' (Value: |application/pdf|’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf”] [line “937”] [id “920420”] [rev “”] [msg “Request content type is not allowed by policy”] [data “|application/pdf|”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-protocol”] [tag “paranoia-level/1”] [tag “OWASP_CRS”] [tag “capec/1000/255/153”] [tag “PCI/12.1”] [hostname “cloud.ecmind.com.au”] [uri “/remote.php/dav/files/admin/transaction_report-1.pdf”] [unique_id “171382781394.789785”] [ref “o0,15v207,15t:lowercase”]
2024-04-23 09:16:53.755854 [INFO] [3002] [59.100.243.150:64365-Q:0A38756CF062EA09-372#cloud.ecmind.com.au] [Module:mod_security]Intervention status code triggered: 403
2024-04-23 09:16:53.755867 [INFO] [3002] [59.100.243.150:64365-Q:0A38756CF062EA09-372#cloud.ecmind.com.au] [Module:mod_security]Log Message: [client 59.100.243.150] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5’ against variable TX:ANOMALY_SCORE' (Value: 5’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “cloud.ecmind.com.au”] [uri “/remote.php/dav/files/admin/transaction_report-1.pdf”] [unique_id “171382781394.789785”] [ref “”]

thank you for your assistance

Try this rules.

PS: I am not very good with ModSec rules

SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/files/admin/" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:requestBodyAccess=On"

SecRule REQUEST_HEADERS:Content-Type "!@rx (?:multipart\/form-data)|(?:application\/x-www-form-urlencoded)" \
    "id:1002,\
    phase:1,\
    pass,\
    nolog,\
    ctl:requestBodyAccess=On"

DC

Daniel Collins Apr 23, 2024 #4

Cheers the first rule looks like it’s for the admin user if there is another user I’d have to add in another rule yeah.

Or do you I think I can drop the /admin/ and it will work with allusers because the rule is @bedinsWith

Also what the secoud rule do. That really doesn’t make sense to me lol

RM

Rana Muhammad Usman Nasir Apr 23, 2024 #5

Yes try removing admin from username.

Second rule checks the Content-Type header of the request. If it doesn’t match the regular expression (?:multipart\/form-data)|(?:application\/x-www-form-urlencoded), which are common content types for file uploads, it enables access to the request body.

DC

Daniel Collins Apr 23, 2024 #6

these rules didnt work
SecRule REQUEST_FILENAME “@beginsWith /remote.php/dav/files/admin/”
“id:1001,
phase:1,
pass,
nolog,
ctl:requestBodyAccess=On”

SecRule REQUEST_HEADERS:Content-Type “!@rx (?:multipart/form-data)|(?:application/x-www-form-urlencoded)”
“id:1002,
phase:1,
pass,
nolog,
ctl:requestBodyAccess=On”

RM

Rana Muhammad Usman Nasir Apr 23, 2024 #7

Maybe try in OpenLiteSpeed or ModSec community.

DC

Daniel Collins Apr 23, 2024 #8

Didn’t realise there was a modsec community lol. Cheers thanks for your help.

I’m running with all the rules I have set up at the moment and it seems to have no issues. I’ll just remember how to add them if another item comes up.

I’ll post somthing back here if I get an answer from elsewhere.