
Unsurprisingly, the OWASP Core Rule Set 3.3.2 rules break phpMyAdmin.

(Is there anything OWASP doesn’t break?)

Among other things, they block importing SQL files into the database.

To circumvent this, I have written an exception rule (in fact, I tried many variants of it) and placed it in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

Even the most extreme variant, shutting the engine off for the subdomain in which phpMyAdmin is installed, doesn’t seem to work:

 SecRule SERVER_NAME "<hostname>" \
     "id:10000008,\
     phase:2,\
     pass,\
     nolog,\
     ctl:ruleEngine=off"

After restarting Apache several times, and even rebooting the whole system, I still get the same audit error:

Message: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/modsecurity.conf"] [line "86"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client <ipnumber>] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/modsecurity.conf"] [line "86"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "<hostname>"] [uri "/index.php"] [unique_id "<idcode>"]

Yes, I did try a more clever exception rule, targeting only rule id 200004, but to no avail:

SecRule REQUEST_URI "@beginsWith /index.php" \
    "id:10000008,\
    phase:2,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=200004"

I have other exception rules set that shut the engine off for a target hostname or target specific rule ids, and they seem to work.

Why is this not working for phpMyAdmin, or for this particular subdomain?


Answers


  1. Chosen as BEST ANSWER

    For anybody interested, here's how I solved this: in the crs-setup.conf you can find the list of file extensions that ModSecurity will block.

    Among them is .sql, which makes import/export operations within phpMyAdmin impossible. After removing it, I could finally use phpMyAdmin normally:

    SecAction \
     "id:900240,\
      phase:1,\
      nolog,\
      pass,\
      t:none,\
      setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

  2. OWASP CRS Dev-On-Duty here. Sorry for the inconvenience you are having with this ModSecurity rule. To be clear, it’s not an OWASP Core Rule Set rule! Rule 200004 belongs to a very limited set of ModSecurity "recommended rules" that can be found here: https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended#L143

    I think your second tuning rule with id 10000008 doesn’t work because you probably include that tuning rule after inserting the recommended rule.
    Please try again by adding your tuning rule before loading the recommended rules.
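    Putting the two answers together, here is what a narrowly scoped exclusion for this case would look like. This is an added example, not code from the question, the answers or the CRS project; it assumes phpMyAdmin is served under the hypothetical path /phpmyadmin/, that the rules go into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, and the usual load order (modsecurity.conf, then crs-setup.conf, then the CRS rule files). It reuses id 10000008, so it replaces the rule from the question rather than sitting beside it.

```apache
# Added example (not from the question, the answers or the CRS project).
# Assumes phpMyAdmin lives under the hypothetical path /phpmyadmin/ and that
# this file, REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, is loaded after
# modsecurity.conf (rule 200004) and crs-setup.conf (rule 900240).
#
# Why the phase:2 rule from the question never took effect: rules of the same
# phase run in configuration order, and 200004 is a phase:2 rule loaded
# earlier, so it blocked the request before the phase:2 exclusion was reached.
# A phase:1 rule runs before every phase:2 rule no matter which file it lives
# in, so ctl: and setvar: actions issued here apply to the whole transaction.

# 1. Disable the strict multipart boundary check (200004) only for the
#    phpMyAdmin import endpoint, instead of switching the engine off for the
#    whole host. Everything else on the host stays fully inspected.
SecRule REQUEST_URI "@beginsWith /phpmyadmin/import.php" \
    "id:10000008,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=200004"

# 2. Allow .sql only under /phpmyadmin/ instead of dropping it from the global
#    list in crs-setup.conf. This rule runs after 900240 within phase 1 and
#    redefines tx.restricted_extensions for matching requests only; the CRS
#    rule that consults that variable (920440) runs in phase 2, so it sees the
#    narrowed list here and the full list, .sql included, everywhere else.
#    The list below is the accepted answer's list (no .sql).
SecRule REQUEST_URI "@beginsWith /phpmyadmin/" \
    "id:10000009,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
```

    After reloading Apache, a test import against /phpmyadmin/import.php should no longer produce the id 200004 entry in the audit log, while the same upload to any other path on the host is still blocked.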
