Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-17296

mod_security false positive denies access to ACP

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • 3.3.12-RC1
    • None
    • Authentication
    • None

      There has been bunch of topics in the support forum related to this issue. It appears it's a rule set provided by Imunify360.  I recall seeing similar topic in the support forum a year or two ago but I think that was OWASP rule set. The error log entry relative to this was posted here:

      https://www.phpbb.com/community/viewtopic.php?p=16001707#p16001707

      [Mon Mar 04 14:19:50.044831 2024] [security2:error] [pid 12796:tid 47477742208768] [client 74.81.95.50:35422] [client 74.81.95.50] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "/index.php" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/001_i360_basic.conf"] [line "8"] [id "77350314"] [msg "IM360 WAF: Path traversal attack||User:jsofzone||Path:/adm/index.php||Arg:ARGS:redirect||Match:../adm/index.php?sid=6ca476c56b10f276981ef14fabb984a2||T:APACHE||"] [severity "CRITICAL"] [tag "service_im360"] [hostname "www.example.org"] [uri "/adm/index.php"] [unique_id "ZeYe1nrqthuUh2uffMcgEAAAAQ0"], referer: https://www.example.org/adm/index.php?sid=6ca476c56b10f276981ef14fabb984a2 

      There is a hidden input value for login screen using ./../adm/index.php and since it's posted by the user I'm guessing that is the what is triggering the false positive. I don't have Imunify360 which is paid product so I can't test it. I'm also guessing other redirects are not triggering this because they aren't moving out of the working directory.

       

       

            Marc Marc
            thecoalman thecoalman
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: