This repository was archived by the owner on May 14, 2020. It is now read-only.

WordPress JetPack False Positive #1737

@manuelroccon

Type of Issue

False positive

Description

Issue with WordPress Jetpack plugin

Audit Logs / Triggered Rule Numbers

--a8dd7334-A--
[11/Apr/2020:15:19:23 +0300] XpG1y2B9vAtGdcg7i3j4AAAAEE 192.0.101.214 1088 123.123.123.123 443
--a8dd7334-B--
POST /?for=jetpack&jetpack=comms&token=&timestamp=&nonce=&body-hash=&signature=%3D HTTP/1.1
Host: www.domain.com
User-Agent: Jetpack by WordPress.com
Accept: /
Accept-Encoding: deflate, gzip
Referer: https://www.domain.com/?for=jetpack&jetpack=comms&token=&timestamp=&nonce=&body-hash=
Authorization: X_JETPACK token="" timestamp="" nonce="" body-hash="=" signature="="
Connection: close
Content-Length: 114
Content-Type: application/x-www-form-urlencoded

--a8dd7334-C--

jetpack.testConnection

--a8dd7334-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/7.3.16
Cache-Control: no-cache
Content-Encoding: gzip
Vary: User-Agent
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--a8dd7334-H--
Message: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS_NAMES:<?xml version: <?xml version"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "www.domain.com"] [uri "/"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.domain.com"] [uri "/"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 192.0.101.214] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "www.domain.com"] [uri "/index.php"] [unique_id "XpG1y2B9vAtGdcg7i3Yj4AAAAEE"]
Action: Intercepted (phase 2)
Apache-Handler: proxy:fcgi://php-fpm
Stopwatch: 1586607563182272 11167 (- - -)
Stopwatch2: 1586607563182272 11167; combined=3345, p1=553, p2=2622, p3=0, p4=0, p5=170, sr=70, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Engine-Mode: "ENABLED"

--a8dd7334-Z--

Your Environment

  • CRS version (e.g., v3.2.0):
  • Paranoia level setting:
  • ModSecurity version (e.g., 2.9.3):
  • Web Server and version (e.g., apache 2.4.41):
  • Operating System and version:

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
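Added example, not part of this issue or of the CRS rule set: a narrowly scoped runtime exclusion that addresses what the audit log above shows. Rule 941100 matched `ARGS_NAMES` beginning with `<?xml version`; the request carries `Content-Type: application/x-www-form-urlencoded` while its body is an XML-RPC call (the surviving `jetpack.testConnection` fragment), so ModSecurity parses the whole XML document as a single argument name and libinjection flags the markup as XSS. The rule id 1001, the placement file and the match conditions (POST with `for=jetpack` and `jetpack=comms` in the query string, both taken from the logged request) are assumptions for illustration.

```apacheconf
# Added example; not from issue #1737 and not a CRS project rule.
# Diagnosis from the audit log: 941100 fired on ARGS_NAMES that start with
# "<?xml version" because the XML-RPC body was posted as form-urlencoded and
# therefore parsed as one argument *name*.
#
# Put this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it loads before
# the CRS rules. Rule id 1001 is an assumed local id; fit it to your scheme.
#
# The exclusion is deliberately narrow:
#   - POST requests only,
#   - only when the query string carries for=jetpack and jetpack=comms,
#   - only the ARGS_NAMES target of 941100 is removed, so the same rule keeps
#     inspecting argument values, cookies and the other locations it covers.
# Authenticating the call remains the Jetpack plugin's job (the X_JETPACK
# signature in the Authorization header); this WAF exclusion does not touch it.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS_GET:for "@streq jetpack" \
        "t:none,\
        chain"
        SecRule ARGS_GET:jetpack "@streq comms" \
            "t:none,\
            ctl:ruleRemoveTargetById=941100;ARGS_NAMES"
```

Before adding a local rule, check whether the packaged WordPress exclusions (enabled through `tx.crs_exclusions_wordpress` in `crs-setup.conf`) already cover this endpoint on your CRS version. The conditions are matched on the request URI parameters rather than on the `User-Agent` header, because the header is client-controlled and any client could set it to `Jetpack by WordPress.com`; restricting the exclusion to one rule target on one endpoint keeps the rest of the anomaly scoring intact, which is visible in the log as the per-category totals (`XSS=5`, everything else 0) that this single match produced.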
