Resolved ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/"

loman (New Pleskian)
Server operating system version: Ubuntu 20.04.6
Plesk version and microupdate number: 18.0.64

Hello,
I have a MediaWiki with the PageForms extension. When I try to create a new page using a form, everything crashes. In the logs I get this error:

Code:
[client 2.47.215.233] ModSecurity: Access denied with code 403 (phase 2). Match of "contains /wp-json/yoast/" against "REQUEST_URI" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "17"] [id "211540"] [rev "14"] [msg "COMODO WAF: Blind SQL Injection Attack||libmovitprin.it|F|2"] [data "Matched Data: substr found within REQUEST_URI: /mw/api.php?action=pfautocomplete&format=json&substr=Wri&category=Autori"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "libmovitprin.it"] [uri "/mw/api.php"] [unique_id "ZwfdqvNPymb-rVFKT-2y-gAAAA4"], referer: https://libmovitprin.it/mw/index.php?title=Form:Autore

I am not an advanced user, but it looks like something connected to Yoast and WordPress, nothing I installed or use on my server.
Does anyone have any idea how to solve the issue? Turning off the Comodo rule does not look safe (but I haven't tried, yet).
Thanks
 
I forgot to add I have the Plesk Web Application Firewall active (on) with Comodo (free) running on Apache (ModSecurity 2.9).
 
Hi,

Welcome to the Plesk Forum,

It seems that ModSecurity is mistakenly flagging a legitimate request from your MediaWiki's PageForms extension as an SQL injection attempt. The rule ID 211540 is likely causing the issue.

You can disable this specific rule for your MediaWiki in Plesk by following the steps in this article:
https://support.plesk.com/hc/en-us/...plication-Firewall-ModSecurity-rules-in-Plesk.

Before you disable it, ensure that the error occurs when you're performing actions in MediaWiki and that it's your IP address triggering the rule. If it's someone else's IP or a different action, it might be safer to investigate further before disabling the rule.
 
Thanks Maarten!
Yes, it's my IP address that is triggering the rule. If I disable the rule, am I going to be more vulnerable to SQL injection attempt attacks?
 
It's good to know that it's your IP triggering the rule. I'm not familiar with the PageForms extension. Does that rule get triggered when you do something on the Admin page of WordPress, or in other words when you're logged in as an admin?

What you can do is set ModSecurity to Detection only mode for a few days and monitor the log files for any warnings. If it’s consistently your IP address causing the rule to trigger, it should be safe to disable it.

The link in my first post explains how to set ModSecurity to Detection only.
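
The monitoring step suggested above can be scripted. This is an added example, not part of the thread and not Plesk or Comodo code: it tallies hits for one rule id by client IP and URI from Apache error-log lines. The sample lines, the trusted IP, the placeholder rule id 999999 and the helper names `parse_hit` and `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Field layout follows the Apache error-log line quoted in the thread.
CLIENT = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')  # IPv4, optional port
FIELD = re.compile(r'\[(id|uri|data) "((?:[^"\\]|\\.)*)"\]')

def parse_hit(line):
    """Return {client, id, uri, data} for a ModSecurity log line, else None."""
    client = CLIENT.search(line)
    fields = dict(FIELD.findall(line))
    if "ModSecurity:" not in line or not client or "id" not in fields:
        return None
    return {"client": client.group(1), "id": fields["id"],
            "uri": fields.get("uri", ""), "data": fields.get("data", "")}

def triage(lines, rule_id, trusted_ips):
    """Summarise which clients and URIs trigger rule_id (hypothetical helper)."""
    hits = [h for h in map(parse_hit, lines) if h and h["id"] == rule_id]
    by_client = Counter(h["client"] for h in hits)
    by_uri = Counter(h["uri"] for h in hits)
    untrusted = sorted(set(by_client) - set(trusted_ips))
    return {"total": len(hits), "by_client": dict(by_client),
            "by_uri": dict(by_uri), "untrusted_clients": untrusted,
            # True only if the rule fired at least once and never for a stranger.
            "only_trusted": bool(hits) and not untrusted}

# Constructed sample lines (documentation IP ranges; rule id 999999 is a placeholder).
# In Detection only mode ModSecurity logs "Warning." instead of "Access denied".
HEAD = 'ModSecurity: Warning. Match of "contains /wp-json/yoast/" against "REQUEST_URI" required.'
SAMPLE = [
    f'[client 203.0.113.10:51234] {HEAD} [id "211540"] [data "Matched Data: substr found '
    'within REQUEST_URI: /mw/api.php?action=pfautocomplete&substr=Wri"] [uri "/mw/api.php"]',
    f'[client 203.0.113.10:51240] {HEAD} [id "211540"] [data "Matched Data: substr found '
    'within REQUEST_URI: /mw/api.php?action=pfautocomplete&substr=Aut"] [uri "/mw/api.php"]',
    f'[client 198.51.100.7:40022] {HEAD} [id "211540"] [data "Matched Data: substr found '
    'within REQUEST_URI: /index.php?q=substr"] [uri "/index.php"]',
    '[client 203.0.113.10:51250] ModSecurity: Warning. [id "999999"] [uri "/mw/index.php"]',
    '[client 203.0.113.10:51251] AH01630: client denied by server configuration',
]

if __name__ == "__main__":
    report = triage(SAMPLE, "211540", trusted_ips={"203.0.113.10"})
    for key, value in report.items():
        print(f"{key}: {value}")
```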
 
Thanks for the suggestions, Maarten. Well, the odd thing is that I didn't install WordPress on my website (just MediaWiki); this is why I couldn't understand the error at first. Why is Yoast causing the error if I am not using WordPress? Is there something I am missing?
 
Even though you are running MediaWiki with the PageForms, not WordPress, the rule is being triggered because ModSecurity's pattern-matching has associated your API endpoint (/mw/api.php) with a potential SQL injection attack. Since you mentioned it is your own IP address, I would conclude this as a false-positive.
 