
Adding support for PMA 5.1 and up #5

Merged
fzipi merged 50 commits into coreruleset:master from azurit:v51support on Dec 22, 2023

Conversation

@azurit
Member

@azurit azurit commented Aug 5, 2022

Changes in this PR:

  • configurable support for old and new URL format
  • removed check for PMA cookies' existence as it's no longer needed (plugin should be activated only on vhosts where PMA is running, not globally)
  • renumbering IDs (as a consequence of the changes above)

@azurit
Member Author

azurit commented Aug 27, 2022

Any reviewers / testers?

@williamdes williamdes left a comment

No rules for the other endpoints: url.php and the setup/ folder ?

@azurit
Member Author

azurit commented Sep 5, 2022

@williamdes Currently no. Have you encountered any problems with those endpoints while using CRS? False positives or so.

@WaleedMortaja

WaleedMortaja commented Oct 3, 2022

Any reviewers / testers?

I have not heavy-tested it, however, the basic usage of PMA does not give false positives anymore.
Thank you!

@azurit
Member Author

azurit commented Oct 3, 2022

@WaleedMortaja Thank you very much! Which version of PMA are you using?

@WaleedMortaja

@azurit PMA 5.2.0

@WaleedMortaja

@azurit I was testing some configs and decided to try PMA setup feature. I found some false positives on the setup "export" page with URL /setup/index.php?page=form&formset=Export. The same for "import" and "Main Panel" pages.
Just clicking the "Apply" button in these pages gives the false positive.

@azurit
Member Author

azurit commented Oct 4, 2022

@WaleedMortaja Can you, please, upload logs from ModSecurity?

@azurit
Member Author

azurit commented Oct 4, 2022

@WaleedMortaja Can you try current version? Thank you.

@azurit
Member Author

azurit commented Oct 4, 2022

@williamdes As you wished, now we have a few rules also for the /setup/ folder. :)

@azurit
Member Author

azurit commented Oct 4, 2022

The old URL format can be considered tested.

ctl:ruleRemoveTargetById=933210;ARGS:prev_sql_query,\
ctl:ruleRemoveTargetById=942110;ARGS:sql_delimiter,\
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:sql_query,\
ctl:ruleRemoveTargetByTag=attack-xss;ARGS:sql_query,\

I am not an expert, but curious about why are we removing XSS rules from a SQL query parameter? Did XSS cause any problems already?

Member Author

The sql_query parameter holds the whole SQL command, including the data, which can contain anything, for example HTML code (which triggers the XSS rules).


Got it. Thanks!

@WaleedMortaja

@WaleedMortaja Can you try current version? Thank you.

@azurit It still has false positives. I tried the setup's "export" page only, and got this log.
Note: some of the log is truncated or replaced with placeholders indicated by ##
Please inform me if there is a better way to provide the log.
For now, here is the log for "export":

--##PLACEHOLDER##-C--
##truncated##&Export-csv_separator=%2C&Export-csv_separator-userprefs-allow=on&Export-csv_enclosed=%22&Export-csv_enclosed-userprefs-allow=on&Export-csv_escaped=%22&Export-csv_escaped-userprefs-allow=on&Export-csv_terminated=AUTO&Export-csv_terminated-userprefs-allow=on&Export-csv_null=NULL&Export-csv_null-userprefs-allow=on&Export-csv_removeCRLF-userprefs-allow=on&Export-csv_columns-userprefs-allow=on&##truncated##
--##PLACEHOLDER##-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--##PLACEHOLDER##-E--

--##PLACEHOLDER##-H--
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_separator: export-csv_separator"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_separator-userprefs-allow: export-csv_separator-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_enclosed: export-csv_enclosed"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_enclosed-userprefs-allow: export-csv_enclosed-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_escaped. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_escaped: export-csv_escaped"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_escaped-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_escaped-userprefs-allow: export-csv_escaped-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_terminated. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_terminated: export-csv_terminated"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_terminated-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_terminated-userprefs-allow: export-csv_terminated-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_null. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_null: export-csv_null"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_null-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_null-userprefs-allow: export-csv_null-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_removeCRLF-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_removeCRLF-userprefs-allow: export-csv_removecrlf-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_columns-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_columns-userprefs-allow: export-csv_columns-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 63)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_separator: export-csv_separator"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_separator-userprefs-allow: export-csv_separator-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_enclosed: export-csv_enclosed"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_enclosed-userprefs-allow: export-csv_enclosed-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_escaped. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_escaped: export-csv_escaped"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_escaped-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_escaped-userprefs-allow: export-csv_escaped-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_terminated. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_terminated: export-csv_terminated"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_terminated-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_terminated-userprefs-allow: export-csv_terminated-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_null. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_null: export-csv_null"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_null-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_null-userprefs-allow: export-csv_null-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_removeCRLF-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_removeCRLF-userprefs-allow: export-csv_removecrlf-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client ##SRC_IP_PALACEHOLDER##] ModSecurity: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_columns-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Export-CSV found within ARGS_NAMES:Export-csv_columns-userprefs-allow: export-csv_columns-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "##SERVER_IP_PALACEHOLDER##"] [uri "/##PMA_LOCATION_PLACEHOLDER##/setup/index.php"] [unique_id "##UNIQUE_ID_PALCEHOLDER##"]

@azurit
Member Author

azurit commented Oct 5, 2022

@WaleedMortaja Thanks! Can you try it with current version?

@WaleedMortaja

@azurit the setup/export is working now!
The other pages still have problems.

Here is the log for setup/import (URL: /setup/index.php?page=form&formset=Import)

Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_replace-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_replace-userprefs-allow: import-csv_replace-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_ignore-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_ignore-userprefs-allow: import-csv_ignore-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_terminated. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_terminated: import-csv_terminated"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_terminated-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_terminated-userprefs-allow: import-csv_terminated-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_enclosed. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_enclosed: import-csv_enclosed"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_enclosed-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_enclosed-userprefs-allow: import-csv_enclosed-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_escaped. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_escaped: import-csv_escaped"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_escaped-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_escaped-userprefs-allow: import-csv_escaped-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
Message: Warning. Matched phrase "Import-CSV" at ARGS_NAMES:Import-csv_col_names-userprefs-allow. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"] [data "Matched Data: Import-CSV found within ARGS_NAMES:Import-csv_col_names-userprefs-allow: import-csv_col_names-userprefs-allow"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "language-powershell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]

Here is the log for setup/Main Panel (URL: /setup/index.php?page=form&formset=Main)

Message: Warning. Matched phrase "dev/null" at ARGS:DefaultTransformations-External. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "500"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: dev/null found within ARGS:DefaultTransformations-External: 0 -f/dev/null -i -wrap -q 1 1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
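
The two logs above show the shape of every false positive in this thread: rule 932120 matching on parameter names that happen to start with Export-csv_ or Import-csv_, and rule 932160 matching on the value of a single parameter. As an added example (my code, not part of this PR or of the plugin itself), the script below parses such "Message:" lines and proposes the narrowest ctl:ruleRemoveTargetById targets, collapsing sibling parameter names into one anchored regex selector and listing everything else by exact name. The sample log lines are constructed (shortened copies of the entries quoted above); the rule ID 9999901 and the "@endsWith /setup/index.php" scoping are assumptions.

```python
"""Derive CRS rule-exclusion targets from ModSecurity audit-log 'Message:' lines."""
import re
from collections import defaultdict
from os.path import commonprefix

# Constructed sample: shortened copies of "Message:" entries quoted in this
# thread, in the form ModSecurity v2 writes them to the audit log's H section.
SAMPLE_LOG = """\
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_separator-userprefs-allow. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"]
Message: Warning. Matched phrase "Export-CSV" at ARGS_NAMES:Export-csv_enclosed. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "329"] [id "932120"] [msg "Remote Command Execution: Windows PowerShell Command Found"]
Message: Warning. Matched phrase "dev/null" at ARGS:DefaultTransformations-External. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "500"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 63)"]
"""

# "... at <COLLECTION>:<name>. [file ..." then, further right, [id "..."] and [msg "..."].
MESSAGE_RE = re.compile(
    r'^Message: .*? at (?P<collection>[A-Z_]+):(?P<name>\S+?)\. \[file '
    r'.*?\[id "(?P<rule_id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]'
)

# The blocking-evaluation rule (949110) reports the anomaly score, not a false
# positive; its TX target must never end up in an exclusion.
SKIP_COLLECTIONS = {"TX"}


def parse_hits(log_text):
    """One dict (rule_id, collection, name, msg) per rule hit on a request variable."""
    hits = []
    for line in log_text.splitlines():
        m = MESSAGE_RE.match(line)
        if m and m.group("collection") not in SKIP_COLLECTIONS:
            hits.append(m.groupdict())
    return hits


def _escape(s):
    """Escape PCRE metacharacters in a literal prefix; '-' and '_' stay bare."""
    return re.sub(r'([.^$*+?()\[\]{}|\\/])', r'\\\1', s)


def propose_targets(hits, min_prefix=4):
    """Group hits by (rule_id, collection). Names sharing a prefix of at least
    min_prefix characters collapse into one anchored regex selector; anything
    else is excluded by exact name, so the exclusion stays as narrow as the log."""
    groups = defaultdict(set)
    for h in hits:
        groups[(h["rule_id"], h["collection"])].add(h["name"])
    targets = []
    for (rule_id, coll), names in sorted(groups.items()):
        names = sorted(names)
        prefix = commonprefix(names) if len(names) > 1 else ""
        if len(prefix) >= min_prefix:
            targets.append((rule_id, f"{coll}:/^{_escape(prefix)}/"))
        else:
            targets.extend((rule_id, f"{coll}:{n}") for n in names)
    return targets


def render_ctl(targets):
    """ctl actions in the form used by CRS rule-exclusion plugins."""
    return [f"ctl:ruleRemoveTargetById={rid};{tgt}" for rid, tgt in targets]


def render_rule(path, ctl_lines, rule_id):
    """Wrap the ctl actions in a phase-1 rule scoped to one endpoint. rule_id is
    a hypothetical number; a real plugin picks one from its reserved ID range."""
    actions = [f"id:{rule_id}", "phase:1", "pass", "t:none", "nolog"] + ctl_lines
    body = ",\\\n    ".join(actions)
    return f'SecRule REQUEST_FILENAME "@endsWith {path}" \\\n    "{body}"'


if __name__ == "__main__":
    ctl = render_ctl(propose_targets(parse_hits(SAMPLE_LOG)))
    print(render_rule("/setup/index.php", ctl, 9999901))
```

Removing the target rather than the rule (ruleRemoveById) keeps 932120 active for every other argument on the same request, which is the point of a rule-exclusion plugin. A regex selector inside ruleRemoveTargetById is accepted by ModSecurity v2; verify the behaviour on the engine you actually deploy (libModSecurity 3 differs in places), and keep hits on TX out of the list, since 949110 only reports the score.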

@azurit
Member Author

azurit commented Oct 5, 2022

@WaleedMortaja Thanks, try now!

@WaleedMortaja

@azurit All the setup pages are working now.
I am not aware of any more FP currently.

Thank you for your efforts 😄

@azurit
Member Author

azurit commented Oct 5, 2022

@WaleedMortaja Thank you very much for testing!

ctl:ruleRemoveTargetById=942200;REQUEST_COOKIES:pma_console_config,\
ctl:ruleRemoveTargetById=942260;REQUEST_COOKIES:pma_console_config"

SecMarker "END-PHPMYADMIN-RULE-EXCLUSIONS-PLUGIN-V51-URL-FORMAT"

Can you limit the URLs that can be called to only the endpoints that 5.1 has?
https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_1/index.php
https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_1/url.php
https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_1/show_config_errors.php
https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_1/js/messages.php
PHP files in https://github.com/phpmyadmin/phpmyadmin/tree/QA_5_1/setup

See my nginx regex https://github.com/sudo-bot/gh-deployer-container/blob/04b50cde53ac13f71c444b09dd31dcecaca3eee2/docker/nginx-default.conf#L29

location ~ ^(?!(\/favicon\.ico|\/robots\.txt|\/index\.php|\/url\.php|\/show_config_errors\.php|\/js\/messages\.php|\/js\/dist|\/js\/vendor|\/doc\/html|\/setup|\/themes|\/)) {
    deny all;
}

Member Author

@azurit azurit Jan 3, 2023

@williamdes Not sure about this. What exactly do you expect from it?


It limits the URLs that can be visited, adding more security by 403ing everything else.

Member Author


@dune73 What do you think about this? Should it be part of CRS RE plugin? For me, it sounds like it's out of scope.

Member


Creating an allow-list is a useful security measure, but it's out of scope for a rule exclusion plugin.

If you guys think there is wider interest for such a configuration, I suggest to create a separate allow-list plugin.

ctl:ruleRemoveTargetById=941120;REQUEST_COOKIES,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:auto_saved_sql,\
ctl:ruleRemoveTargetById=942200;REQUEST_COOKIES:pmaAuth-1,\
ctl:ruleRemoveTargetById=942340;REQUEST_COOKIES:pmaAuth-1,\

Does this assume there is only one server on the configuration?

Member Author


Probably. Can you show what the cookies look like for a multiple server setup?


1 is the server ID, any unsigned integer should be allowed
You can view cookies for a multi server setup on our demo server 5.2.x-dev

Member Author


Does this apply for both pmaAuth-X and pmaUser-X?


Yes :)

Member Author


Fixed.
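An added configuration example (not the plugin's own rules, nor part of this PR) contrasting the single-server exclusion discussed in this thread with one that covers any server ID. It assumes that the ModSecurity version in use accepts a regex-selected target name (`REQUEST_COOKIES:/^pmaAuth-\d+$/`) in `ctl:ruleRemoveTargetById`; the rule IDs 1000001 and 1000002 are placeholders.

```apache
# Added example, not the plugin's rules. Rule IDs are placeholders.
#
# Single-server form: only the cookie set by the first configured server
# (pmaAuth-1) is excluded from the two SQLi rules. A second server's
# pmaAuth-2 cookie is still inspected and produces the same false positives.
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:1000001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942200;REQUEST_COOKIES:pmaAuth-1,\
    ctl:ruleRemoveTargetById=942340;REQUEST_COOKIES:pmaAuth-1"

# Multi-server form: a regex-selected target (assumed supported by the
# ModSecurity in use) matches pmaAuth-<n> and pmaUser-<n> for any unsigned
# integer n. The anchors keep the exclusion from widening to any other
# cookie whose name merely contains "pmaAuth" or "pmaUser".
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:1000002,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942200;REQUEST_COOKIES:/^pmaAuth-\d+$/,\
    ctl:ruleRemoveTargetById=942340;REQUEST_COOKIES:/^pmaAuth-\d+$/,\
    ctl:ruleRemoveTargetById=942200;REQUEST_COOKIES:/^pmaUser-\d+$/,\
    ctl:ruleRemoveTargetById=942340;REQUEST_COOKIES:/^pmaUser-\d+$/"
```

The exclusion stays limited to the named rule IDs and the named cookies; every other argument and cookie on the request is still inspected by the full rule set.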

@azurit
Member Author

azurit commented Dec 28, 2022

@williamdes pls, what's the difference between the routes /database/export and /export?

@williamdes

> @williamdes pls, what's the difference between the routes /database/export and /export?

https://github.com/phpmyadmin/phpmyadmin/blob/f6a03d405d5c4d4ad6e356ed654917a79418207c/libraries/routes.php#L63

https://github.com/phpmyadmin/phpmyadmin/blob/f6a03d405d5c4d4ad6e356ed654917a79418207c/libraries/routes.php#L216

It seems that one is more for tables and the other for databases
I am not sure there is much different code between them
Do you need some deeper information on those routes?

@azurit
Member Author

azurit commented Dec 29, 2022

> It seems that one is more for tables and the other for databases

For tables, there seems to be a /table/export route.

> Do you need some deeper information on those routes?

No, I just need to know if I should:

  • add this route for the database export rule
  • add this route for the table export rule
  • create a completely new rule

It's more or less a philosophical question. :)

@williamdes

> It seems that one is more for tables and the other for databases
>
> For tables, there seems to be a /table/export route.
>
> Do you need some deeper information on those routes?
>
> No, I just need to know if I should:
>
> • add this route for the database export rule
> • add this route for the table export rule
> • create a completely new rule
>
> It's more or less a philosophical question. :)

@MauricioFauth you created the controllers, maybe you could better answer this question?

But I would say that since it is not prefixed it could be used in different ways, so maybe a new rule?

@MauricioFauth

MauricioFauth commented Jan 9, 2023

> @williamdes pls, what's the difference between the routes /database/export and /export?

Initially the routes were a direct map with the files. For example:

  • server_export.php => /server/export
  • db_export.php => /database/export
  • tbl_export.php => /table/export
  • export.php => /export

Now, more routes are being added as we are extracting them from the controllers, as a lot of routes are doing too much.

Basically, /server/export, /database/export and /table/export only render the related export page, and the /export route is the one doing the actual export.

@azurit
Member Author

azurit commented Jan 11, 2023

@MauricioFauth Thanks, that helped a lot!

@MauricioFauth @williamdes What about this? What action was it?

POST /index.php?route=/

=== POST ARGUMENTS ===
ajax_request: true
server: 3
db: information_schema
guid: <censored>
access_time: 414
check_timeout: 1
_nocache: <censored>
token: <censored>

@williamdes

> @MauricioFauth Thanks, that helped a lot!
>
> @MauricioFauth @williamdes What about this? What action was it?
>
> POST /index.php?route=/
>
> === POST ARGUMENTS ===
> ajax_request: true
> server: 3
> db: information_schema
> guid: <censored>
> access_time: 414
> check_timeout: 1
> _nocache: <censored>
> token: <censored>

I guess it's the ping pong to check if the session expired?

@williamdes

Hi @azurit
We started development of 6.0 instead of 5.3. One breaking change is that we will have everything from 5.2 rules in a public directory

@azurit
Member Author

azurit commented Mar 3, 2023

@williamdes Thanks for the info!

To all: New URL format can be considered as tested.

@fzipi
Member

fzipi commented Dec 19, 2023

Just in case, please use Squash and merge here.

@fzipi
Member

fzipi commented Dec 20, 2023

@azurit To the best of my knowledge, I think I've fixed the conflict. Let me know if this is ready before merging.

@azurit
Member Author

azurit commented Dec 22, 2023

@fzipi Thank you! Should be ready to merge.

@fzipi fzipi merged commit 5fa5a2c into coreruleset:master Dec 22, 2023