• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue WAF does not switch off designated security rules

frg62

Basic Pleskian
Hello,

Server config :
- ‪Debian 7.11‬
- Plesk 12.5.30 Update #68
- MySQL 5.6.37-1debian7
- WAF using Atomic Basic ModSecurity, with daily updates, and Tradeoff configuration
Completely up-to-date at this time (Plesk and apt-get upgrade)

(If you need more info, just ask.)

One one of the websites, it is impossible to update a WP page,as it gives the following error:
ModSecurity: Warning. Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_582ad5afda4b6][12][field_582ad63fda4b9]" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "386"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] [hostname "www.equipespopulaires.be"] [uri "/wp-admin/admin.php"] [unique_id "WXWoXF73tHEAABlwFpEAAAAJ"]

Seeing that message, I switched off rule 340465, by inserting it in the "Security rule IDs" panel of the "Switch off security rules" section.

But that changes nothing.

The only way to modify the page, is to temporary disable the WAF, or to put it in detection mode, where it then continues to report the problem...

Anyone as any idea on what is going wrong?

Regards,
Francois
 
Hello Igor,

Thanks a lot, this is exactly my problem.
But I could only solve it, by disabling the WAF on the concerned website.

The code seems to be the source of the problem, I have warned the website owner (I have no direct contact with his developers).
 
Seeing that message, I switched off rule 340465, by inserting it in the "Security rule IDs" panel of the "Switch off security rules" section.
Did you tried to switch off rule id 340465 on the server level and not per domain in Tools & Settings>> Security >> Web Application Firewall (ModSecurity) >> Switch off security rules ?
 
It does not seem to work any better... or I did not configure it correctly.

What I did:
I created in the conf directory, a file named modsecurity_crs_10_custom.conf, and I put the following line in it:
SecRule REQUEST_FILENAME "@beginswith /svn" "id:123,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340465"

Yet no-go.

I also tried:
SecRule REQUEST_FILENAME "@beginswith /svn" "id:340465,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=340465"

No luck either.

Is my syntax correct?
 
Back
Top