This repository has been archived by the owner on May 14, 2020. It is now read-only.

NextCloud False Positive #1736

Open
manuelroccon opened this issue Apr 11, 2020 · 9 comments

manuelroccon commented Apr 11, 2020

Type of Issue

False positive

Description

I've just configured the rules. The latest version of Nextcloud gives me these errors.

Audit Logs / Triggered Rule Numbers

--4693d56e-A--
[11/Apr/2020:16:00:06 +0300] XpG-VqTsDq4eM7zXEJkhRwAAAEs 123.123.123.123 53284 123.123.123.123 443
--4693d56e-B--
PROPFIND /remote.php/dav/files/user/ HTTP/1.1
Host: nextcloud.domanin.it
Depth: 0
Authorization: Basic=
User-Agent: Mozilla/5.0 (Macintosh) mirall/2.6.4stable (build 20200303) (Nextcloud)
Accept: /
Content-Type: text/xml; charset=utf-8
X-Request-ID: be437f90-c473-40a7-8b98-a519a3473402
Cookie: oc_sessionPassphrase=; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc20oosppk3h=
Content-Length: 114
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*

--4693d56e-C--

<d:propfind xmlns:d="DAV:">
<d:prop>
<d:getlastmodified />
</d:prop>
</d:propfind>

--4693d56e-F--
HTTP/1.1 207 Multi-Status
X-Powered-By: PHP/7.3.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';
Vary: Brief,Prefer
DAV: 1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nc-calendar-search, nc-enable-birthday-calendar
Strict-Transport-Security: max-age=15552000; includeSubDomains
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml; charset=utf-8

--4693d56e-E--

--4693d56e-H--
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Message: Rule 55f46f63e438 [id "932100"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46f6510e8 [id "932105"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "162"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46f657438 [id "932110"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "261"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46f663088 [id "932115"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "302"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46f6f7288 [id "932150"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "479"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55f46ee2e918 [id "942360"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "486"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f63e438 [id "932100"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f6510e8 [id "932105"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "162"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f657438 [id "932110"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "261"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f663088 [id "932115"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "302"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46f6f7288 [id "932150"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "479"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 55f46ee2e918 [id "942360"][file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "486"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "nextcloud.domanin.it"] [uri "/remote.php/dav/files/user/"] [unique_id "XpG-VqTsDq4eM7zXEJkhRwAAAEs"]
Apache-Handler: proxy:fcgi://php-fpm
Stopwatch: 1586610006171660 54186 (- - -)
Stopwatch2: 1586610006171660 54186; combined=3589, p1=579, p2=2581, p3=73, p4=179, p5=177, sr=76, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Engine-Mode: "DETECTION_ONLY"

--4693d56e-Z--

Your Environment

CRS version: v3.3dev
ModSecurity version: 2.9.2
Web Server and version: Apache 2.4.6
Operating System and version: CentOS 7.7.1908

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

@manuelroccon manuelroccon changed the title Nextcloud False Positive NextCloud False Positive Apr 11, 2020
@fzipi fzipi self-assigned this May 4, 2020

fzipi commented May 4, 2020

Hi @manuelroccon. Did you enable the NextCloud exclusion rules in rule id:900130 in crs-setup.conf?


fzipi commented May 10, 2020

@manuelroccon Any comments so we can figure this out?


manuelroccon commented May 10, 2020

I use SecRuleRemoveById in the Apache vhost configuration. Is this the right method to fix this issue?


fzipi commented May 10, 2020

Depends.

You need to first enable the exclusion rules for NextCloud. Can you please check the file crs-setup.conf, and search for 900130?

Then you need to have something like this:

SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_nextcloud=1"

That will effectively enable the exclusions we have for NextCloud. Without that, the rules to prevent this are not enabled!


fzipi commented May 10, 2020

@manuelroccon Can you check this please? ☝️

manuelroccon (Author) commented

OK, these exclusion rules are not enabled in crs-setup.conf.
But if I have more vhosts on my server with different CMSs, can I put this exclusion directive only in the vhost configuration that is running Nextcloud?


fzipi commented May 10, 2020

@manuelroccon You can also do this:

# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1

Have a quick look at the whole crs-setup.conf file to get a taste of what you can do.

manuelroccon (Author) commented

@fzipi thanks for your support,

The crs-setup.conf is the default one; I have not modified it from the master branch.

I've read the recommendation about REQUEST_URI "@beginsWith /wordpress/" in crs-setup.conf, but the REQUEST_URI of my vhosts does not start with a specific pattern.
All vhosts are separate domains. If I make this exclusion in crs-setup.conf it is applied to all sites on the server.

So I think I must put this directive (SecAction "id:900130,...) directly inside the Apache vhost config, to apply it only to a specific vhost (in this case the Nextcloud one).

Is this type of configuration fine for you, or are there other solutions?


fzipi commented May 11, 2020

Hi @manuelroccon,

Hmmm... 🤔 You will definitely need to apply this to a particular URL/vhost. One technique I normally use in these cases is to use the SecWebAppId directive.

For example (you may need to modify it a bit, it is just a rough idea),

<VirtualHost Z.Z.Z.Z:44>
    SecWebAppId  my-nextcloud
...
...
</VirtualHost>

# And then:
SecRule WEBAPPID "@streq my-nextcloud" "id:10001,phase:1,pass,nolog,t:none,setvar:tx.crs_exclusions_nextcloud=1"

Please check the documentation for more examples.
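Putting the two per-application techniques from this thread together (the REQUEST_URI prefix match quoted from crs-setup.conf earlier, and the SecWebAppId approach in this comment), here is an added, complete configuration example. It is not from the CRS project or from any of the comments above; the vhost name, paths, the application id "nextcloud" and the rule ids 10001/10002 are assumptions.

```apache
# --- Vhost file, e.g. /etc/httpd/conf.d/nextcloud.conf (name and paths assumed) ---
<VirtualHost *:443>
    ServerName nextcloud.example.org
    DocumentRoot /var/www/nextcloud
    # Tag every transaction of this vhost. The WEBAPPID variable then carries
    # this value and can be tested by rules loaded at server level.
    SecWebAppId "nextcloud"
</VirtualHost>

# --- crs-setup.conf (server level, BEFORE the "Include .../rules/*.conf" line) ---

# Option A: activate the NextCloud exclusion package per vhost, keyed on the
# application id set above. Separate domains need no shared URI prefix.
SecRule WEBAPPID "@streq nextcloud" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    setvar:tx.crs_exclusions_nextcloud=1"

# Option B: activate per path, for the case where the application lives
# under a sub-directory of a shared host (the /nextcloud/ prefix is assumed).
SecRule REQUEST_URI "@beginsWith /nextcloud/" \
    "id:10002,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    setvar:tx.crs_exclusions_nextcloud=1"

# Leave the global switch commented out when other vhosts serve other
# applications; it would relax the rule set for every site on the server.
# SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1"
```

Two points on placement. The setvar has to run before the REQUEST-903.9xxx NextCloud exclusion rules test tx.crs_exclusions_nextcloud, and with the default SecRuleInheritance On, rules written inside a VirtualHost block are appended after the server-level rule set, so a SecRule or SecAction placed in the vhost would fire too late; that is why only SecWebAppId lives in the vhost and the activation rule sits in crs-setup.conf. After reloading (check with httpd -t first), re-run the client sync and read the H section of the audit log: the 911100 "Method is not allowed by policy" hit on PROPFIND should be gone once the exclusions extend tx.allowed_methods for the DAV endpoints. The "PCRE limits exceeded" lines in the same log are unrelated to the exclusions; they are governed by the SecPcreMatchLimit and SecPcreMatchLimitRecursion settings and need to be addressed separately. Note also that the posted log shows Engine-Mode "DETECTION_ONLY", so nothing was actually blocked yet; the same audit-log check applies before switching to blocking.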
