ModSec Issue - Login with Google trigger 403

Ariful · January 29, 2024, 4:57am

*Server Setup: Latest Cyberpanel+Openlitespeed+ModSec (OWASP Core Rule Set activate from cyberpanel).

*Problem: Login with Google trigger 403.

To fix the issue I add this code with Default CP ModSec Rules(as the photo):
<locationmatch “/my-account/google/oauth2callback*”>
SecRuleRemoveById 949110

But No Luck!!

Here is the error log:

2024-01-29 12:32:20.537518 [INFO] [4300] [172.68.242.101:11658-12#sorboprothomalo.com] [Module:mod_security]Intervention status code triggered: 403
2024-01-29 12:32:20.537568 [INFO] [4300] [172.68.242.101:11658-12#sorboprothomalo.com] [Module:mod_security]Log Message: [client 172.68.242.101] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter 5’ against variable TX:ANOMALY_SCORE' (Value: 5’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf”] [line “80”] [id “949110”] [rev “”] [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [data “”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-generic”] [hostname “sorboprothomalo.com”] [uri “/my-account/google/oauth2callback”] [unique_id “170650274014.446625”] [ref “”]

*** Is there any good soul to help me ?

usmannasir · January 29, 2024, 7:20am

github.com/usmannasir/cyberpanel

Cannot access 403 Forbiden MODSECURITY RULES

opened 08:24PM - 13 Jan 24 UTC

closed 07:43AM - 15 Jan 24 UTC

eakteam

If we activate OWASP ModSecurity Core Rules some menus on cyberpanel like: Websi…te->List->Manage, Access Logs, File Manager and more cannot be accessed with 403 Forbiden. This is the error shows at Logs->Error Logs ``` 2024-01-13 21:31:21.644932 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security] ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)' against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"] [ref "o7,4o8,3v14,11o71,5t:urlDecodeUni,t:lowercase"] 2024-01-13 21:31:21.654301 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security]Intervention status code triggered: 403 2024-01-13 21:31:21.654340 [INFO] [41359] [109.234.233.130:28677-Q:71253EC7BC775419-56#cp.eakteam.com] [Module:mod_security]Log Message: [client 109.234.233.130] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cp.eakteam.com"] [uri "/websites/eakteam.com"] [unique_id "170518148174.130653"] [ref ""] ``` It's the rule number 18 -> `REQUEST-949-BLOCKING-EVALUATION` which is causing the 403 Forbiden

Is thie the case with you ?

Ariful · January 29, 2024, 10:27am

Hello sir, thanks for your response.

My problem is different from what you mentioned. I don’t access CyberPanel from any proxy and my CyberPanel Dashboard, Menus, Options and everything else are OK.

(I am using OWASP Core Rule Set activate from cyberpanel )

**** My problem is that I don’t know how to disable some specific ModSec Rule IDS. CyberPanel has option to disable specific RULE GROUP (such as 900, 901, 905 etc). But it is very dangerous from Security point of view !!**

**** Sir you know that, every server host many domains. Even some host hundreds. That’s why disabling one RULE Group is Dangerous and is not practical for Security Reasons.**

**** The practical solution for “MODSEC TRIGGER 403 ISSUE” is to DISABLE SPECIFIC RULE IDS (such as 950109, 950901, 958291) just for SPECIFIC DOMAIN.**

**** my question is that, How to DISABLE SPECIFIC RULE IDS just for SPECIFIC DOMAIN. I know that, It can be done by adding code on :8090/firewall/modSecRules. But I don’t know the code for CyberPanel. Please HELP…

usmannasir · January 29, 2024, 11:19am

OK. I understand the problem now.

Open a ticket here: https://platform.cyberpersons.com/

Provide the site where google login is having issues, also provider access to CyberPanel.

I will have to see how we can get around this problem.

Ariful · January 29, 2024, 2:55pm

Hello Sir, as per your instruction, I create a ticket on https://platform.cyberpersons.com/.

Please Investigate.

usmannasir · January 29, 2024, 4:01pm

ticket id ?

Ariful · January 29, 2024, 4:45pm

Ticket #ENSOKJPZQ

usmannasir · January 30, 2024, 4:50am

ok let me check

usmannasir · January 30, 2024, 4:56am

I added this and it seems to go through

SecRuleRemoveById 930120
SecRuleRemoveById 949110

Ariful · January 30, 2024, 6:11am

Hello Sir, many many thanks to you.

Issue Solved.