Details
-
Bug
-
Status: Closed (View Workflow)
-
Minor
-
Resolution: Fixed
-
None
-
None
Description
There has been bunch of topics in the support forum related to this issue. It appears it's a rule set provided by Imunify360. I recall seeing similar topic in the support forum a year or two ago but I think that was OWASP rule set. The error log entry relative to this was posted here:
https://www.phpbb.com/community/viewtopic.php?p=16001707#p16001707
[Mon Mar 04 14:19:50.044831 2024] [security2:error] [pid 12796:tid 47477742208768] [client 74.81.95.50:35422] [client 74.81.95.50] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "/index.php" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/001_i360_basic.conf"] [line "8"] [id "77350314"] [msg "IM360 WAF: Path traversal attack||User:jsofzone||Path:/adm/index.php||Arg:ARGS:redirect||Match:../adm/index.php?sid=6ca476c56b10f276981ef14fabb984a2||T:APACHE||"] [severity "CRITICAL"] [tag "service_im360"] [hostname "www.example.org"] [uri "/adm/index.php"] [unique_id "ZeYe1nrqthuUh2uffMcgEAAAAQ0"], referer: https://www.example.org/adm/index.php?sid=6ca476c56b10f276981ef14fabb984a2 |
There is a hidden input value for login screen using ./../adm/index.php and since it's posted by the user I'm guessing that is the what is triggering the false positive. I don't have Imunify360 which is paid product so I can't test it. I'm also guessing other redirects are not triggering this because they aren't moving out of the working directory.