Join Log in
Score:0
Nishu Ali avatar Server

ModSecurity 403, COMODO WAF detects XSS while trying to access phpMyAdmin

ke flag
Nishu Ali

I have a copy of phpMyAdmin in one of my server in a subdomain 'pma' and inside a directory in it named 'app' (manual installed from zip archive, not via yum), which I use for DB related management and it was working ok for couple of months. A couple of days ago my local IP got blocked while trying to login there and after much digging following log found in /var/log/apache2/error_log (replaced my local IP and server domain with <PLACEHOLDER_TEXT> for obvious reasons)

[Fri Jan 07 11:37:54.198143 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\x22'\\\\/`]on[a-z]{1,}?\\\\/{0,}=" at REQUEST_COOKIES:pmaAuth-1. [file "/var/cpanel/cwaf/rules/07_XSS_XSS.conf"] [line "162"] [id "212760"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.pma.<DOMAIN_NAME>|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.pma.<DOMAIN_NAME>"] [uri "/app/themes/pmahomme/img/ajax_clock_small.gif"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.198701 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\x22'\\\\/`]on[a-z]{1,}?\\\\/{0,}=" at REQUEST_COOKIES:pmaAuth-1. [file "/var/cpanel/cwaf/rules/07_XSS_XSS.conf"] [line "162"] [id "212760"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.pma.<DOMAIN_NAME>|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.pma.<DOMAIN_NAME>"] [uri "/app/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.215776 2022] [core:error] [pid 60361] [client <IP_ADDRESS>:60532] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.235059 2022] [core:error] [pid 60364] [client <IP_ADDRESS>:60535] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Fri Jan 07 11:37:54.238782 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.238830 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.244507 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.244559 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1

While I'm ok with SSH and CLI, I'm not a core server admin, and it took me some time and help from both ISP and Hosting Provider to figure out the IP ban issue in CSF/LFD, but I'm trying to understand the actual issue so it can be avoided in future. Can anyone decipher the reason? thanks!

90
0 + 0
Score:0
Nishu Ali avatar Server
ke flag
Nishu Ali

I think I've found the solution for the issue. The 'log' file I was looking for where the details are is in following file:

/var/log/apache2/modsec_audit
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.