wp-admin/edit-tags.php #57

Closed
baptiste-fourmont opened this issue Aug 20, 2024 · 6 comments · Fixed by #65
Comments

@baptiste-fourmont

Hello,

I got this error when I try to edit tags on WordPress (website/wp-admin/edit-tags.php).
It is legit; does someone know how to fix it?

```
ModSecurity: Access denied with code 403 (phase 2).`TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `25' ) [file "/usr/local/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.6.0-dev"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "WHOOPS"] [uri "/wp-admin/edit-tags.php"] [unique_id ""] [ref ""], client: WHOOPS, server: WHOOPS, request: "POST /wp-admin/edit-tags.php HTTP/1.1", host: "WHOOPS", referrer: "https:/website/wp-admin/term.php?taxonomy=category&tag_ID=001&post_type=post&lang=en&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dcategory"
```
@EsadCetiner
Member

@baptiste-fourmont Thanks for the report, unfortunately the log line you provided isn't very detailed so there's not much to go on.

If you search for the `[unique_id ""]` value (it looks like you removed the id in your post) in your modsec_audit.log, you should find a detailed transaction log about the false positive.

@ffais

ffais commented Oct 28, 2024

Hello,
I have the same issue; I'm using the nginx-ingress controller with ModSecurity enabled.

This is the log:
```json
{"transaction":{"client_ip":"masked-ip","time_stamp":"Mon Oct 28 08:45:12 2024","server_id":"b7fe1de4a88e84e14d9b0891b58339c45cc18110","client_port":12463,"host_ip":"10.0.4.209","host_port":443,"unique_id":"173010511268.526372","request":{"method":"POST","http_version":2.0,"uri":"/wp-admin/edit-tags.php","body":"action=editedtag&tag_ID=12&taxonomy=post_tag&_wp_original_http_referer=https%3A%2F%2Fsite_url%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dpost_tag&_wpnonce=3e8d7294fb&_wp_http_referer=%2Fwp-admin%2Fterm.php%3Ftaxonomy%3Dpost_tag%26tag_ID%3D12%26post_type%3Dpost%26wp_http_referer%3D%252Fwp-admin%252Fedit-tags.php%253Ftaxonomy%253Dpost_tag&name=test&slug=test&description=test","headers":{"upgrade-insecure-requests":"1","content-type":"application/x-www-form-urlencoded","origin":"https://site_url","referer":"https://site_url/wp-admin/term.php?taxonomy=post_tag&tag_ID=12&post_type=post&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dpost_tag","pragma":"no-cache","accept-encoding":"gzip, deflate, br, zstd","cookie":"wordpress_sec_d81acb8c7ef6885889c257ab1ceb8eaa=dslab_admin%7C1730277713%7C7xfqkZHqladQWIFhs06hIBqex3rUggBH6XGPm3MHE0E%7C72c3045502b8ee258057fee8123ee19bb343c5419c443b5ccaf6979af60b8279; _ga=GA1.1.1319425845.1619010824; _ga_W1YS7HQYF2=GS1.2.1727694804.15.0.1727694804.0.0.0; _ga_D22M71HZKQ=GS1.1.1681292760.1.1.1681292780.0.0.0; _ga_6T1E4Q808X=GS1.1.1729870670.6.0.1729870670.0.0.0; wp-settings-time-1=1730104913; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_d81acb8c7ef6885889c2522227ab1ceb8eaa=dslab_admin%7C1730277713%7C7xfqkZHqladQWIFhs06hIBqex3rUggBH6XGPm3MH222E0E%7C4a20fdfedc98ac3ddea39df4bc1f9c0286ad33399a1e9935ec7c8436b4937f2f0b6; wp-settings-1=libraryContent%3Dbrowse; et-editor-available-post-1-bb=bb","content-length":"376","priority":"u=0, i","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","te":"trailers","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8","cache-control":"no-cache","user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0","sec-fetch-site":"same-origin","sec-fetch-dest":"document","host":"site_url","sec-fetch-mode":"navigate","sec-fetch-user":"?1"}},"response":{"http_code":403,"headers":{"Server":"","Server":"","Date":"Mon, 28 Oct 2024 08:45:12 GMT","Content-Length":"146","Content-Type":"text/html","Connection":"close","Strict-Transport-Security":"max-age=31536000; includeSubDomains"}},"producer":{"modsecurity":"ModSecurity v3.0.12 (Linux)","connector":"ModSecurity-nginx v1.0.3","secrules_engine":"Enabled","components":["OWASP_CRS/4.4.0\""]},"messages":[{"message":"Remote Command Execution: Unix Command Injection (command without evasion)","details":{"match":"Matched \"Operator `Rx' with parameter `(?i)(?:b[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?u[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$[!#\\(\\*\\-0-9\\?@_a-\\{]*)?\\x5c?s[\\\"'\\)\\[\\x5c]*(?:(?:(?:\\|\\||&&)[\\s\\x0b]*)?\\$ (7493 characters omitted)' against variable `ARGS:_wp_http_referer' (Value: `/wp-admin/term.php?taxonomy=post_tag&tag_ID=12&post_type=post&wp_http_referer=%2Fwp-admin%2Fedit-tag (27 characters omitted)' )","reference":"o56,6v1724,127","ruleId":"932235","file":"/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf","lineNumber":"181","data":"Matched Data: =post& found within ARGS:_wp_http_referer: /wp-admin/term.php?taxonomy=post_tag&tag_ID=12&post_type=post&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dpost_tag","severity":"2","ver":"OWASP_CRS/4.4.0","rev":"","tags":["application-multi","language-shell","platform-unix","attack-rce","paranoia-level/1","OWASP_CRS","capec/1000/152/248/88","PCI/6.5.2"],"maturity":"0","accuracy":"0"}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","details":{"match":"Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' )","reference":"","ruleId":"949110","file":"/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf","lineNumber":"222","data":"","severity":"0","ver":"OWASP_CRS/4.4.0","rev":"","tags":["anomaly-evaluation","OWASP_CRS"],"maturity":"0","accuracy":"0"}}]}}
```
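The audit entry above is what makes the false positive actionable: rule 932235 (Unix command injection, paranoia level 1) added 5 points because `=post&` inside `ARGS:_wp_http_referer` looked like a shell command, while rule 949110 only reports that the inbound anomaly score reached the blocking threshold. The first log line in this issue contains nothing but 949110, which is why it could not be acted on. The Python below is an added example, not code from this project or from PR #65: it triages a ModSecurity v3 JSON audit entry for a given unique_id, reports the scoring rule, variable and matched data, and renders the kind of narrowly scoped CRS runtime exclusion a practitioner would write by hand. The sample entry is constructed (a trimmed copy of the posted log's shape, not a verbatim copy), and the exclusion rule id 10000 is a placeholder.

```python
import json
import re

# Constructed sample: a trimmed copy of the ModSecurity v3 JSON audit-log
# shape seen in this thread (transaction -> request / messages -> details).
# Only the fields the triage below reads are kept; the values follow the
# posted log but are not a verbatim copy of it.
SAMPLE_AUDIT_ENTRY = json.dumps({
    "transaction": {
        "unique_id": "173010511268.526372",
        "request": {"method": "POST", "uri": "/wp-admin/edit-tags.php"},
        "response": {"http_code": 403},
        "messages": [
            {
                "message": "Remote Command Execution: Unix Command Injection (command without evasion)",
                "details": {
                    "match": "Matched \"Operator `Rx' with parameter `(?i)(?:b[...' "
                             "against variable `ARGS:_wp_http_referer' "
                             "(Value: `/wp-admin/term.php?taxonomy=post_tag' )",
                    "ruleId": "932235",
                    "data": "Matched Data: =post& found within ARGS:_wp_http_referer: "
                            "/wp-admin/term.php?taxonomy=post_tag&tag_ID=12&post_type=post"
                            "&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dpost_tag",
                    "severity": "2",
                    "tags": ["attack-rce", "paranoia-level/1", "OWASP_CRS"],
                },
            },
            {
                "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
                "details": {
                    "match": "Matched \"Operator `Ge' with parameter `5' against variable "
                             "`TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' )",
                    "ruleId": "949110",
                    "data": "",
                    "severity": "0",
                    "tags": ["anomaly-evaluation", "OWASP_CRS"],
                },
            },
        ],
    }
})

# ModSecurity writes "against variable `NAME'" in the match text and, for
# scoring rules, "Matched Data: X found within NAME: value" in the data field.
VARIABLE_RE = re.compile(r"against variable `([^']+)'")
MATCHED_DATA_RE = re.compile(r"Matched Data: (.*?) found within (\S+):")

# CRS rules that only evaluate the anomaly score (949xxx) or correlate
# results (980xxx) never cause a false positive themselves; the rule that
# added the points is the one to exclude.
EVALUATION_PREFIXES = ("949", "980")


def scoring_hits(audit_entry: str, unique_id: str):
    """Return [(rule_id, variable, matched_data)] for the rules that scored
    the transaction whose unique_id matches; [] if the entry is another one."""
    tx = json.loads(audit_entry)["transaction"]
    if tx.get("unique_id") != unique_id:
        return []
    hits = []
    for msg in tx.get("messages", []):
        details = msg.get("details", {})
        rule_id = details.get("ruleId", "")
        if not rule_id or rule_id.startswith(EVALUATION_PREFIXES):
            continue
        var_match = VARIABLE_RE.search(details.get("match", ""))
        data_match = MATCHED_DATA_RE.search(details.get("data", ""))
        variable = var_match.group(1) if var_match else None
        matched = data_match.group(1) if data_match else ""
        hits.append((rule_id, variable, matched))
    return hits


def build_exclusion(uri: str, hits, exclusion_id: int = 10000) -> str:
    """Render a CRS runtime rule exclusion that removes only the noisy
    variable from the rule that matched, scoped to one request URI.
    exclusion_id is a placeholder; use an id from a range you own."""
    targets = []
    for rule_id, variable, _ in hits:
        if variable and (rule_id, variable) not in targets:
            targets.append((rule_id, variable))
    if not targets:
        raise ValueError("no scoring rule hit with a variable to exclude")
    ctl = ",\\\n    ".join(f"ctl:ruleRemoveTargetById={r};{v}" for r, v in targets)
    return (
        f'SecRule REQUEST_URI "@endsWith {uri}" \\\n'
        f'    "id:{exclusion_id},\\\n'
        f'    phase:1,\\\n'
        f'    pass,\\\n'
        f'    t:none,\\\n'
        f'    nolog,\\\n'
        f'    {ctl}"'
    )


if __name__ == "__main__":
    found = scoring_hits(SAMPLE_AUDIT_ENTRY, "173010511268.526372")
    for rule_id, variable, matched in found:
        print(f"rule {rule_id} scored on {variable}: matched {matched!r}")
    print(build_exclusion("/wp-admin/edit-tags.php", found))
```

The rendered exclusion uses `ctl:ruleRemoveTargetById`, which drops one variable from one rule for matching requests only; `SecRuleRemoveById` would silence 932235 for every request and is the wrong tool for a single WordPress admin parameter. Because `ctl` actions must execute before the rule they modify, the generated rule belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, not in the AFTER-CRS file.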

@EsadCetiner
Member

@ffais Thanks for the log line, I've opened a PR here: #65

@ffais @baptiste-fourmont can you both please test the PR and let me know if it fixes your issues?

@ffais

ffais commented Oct 28, 2024

@EsadCetiner I tested it and it works perfectly, thanks.

@baptiste-fourmont
Author

I can only test it next week. I'll let you know when I test it. Thank you :)

@EsadCetiner
Member

@baptiste-fourmont I haven't heard back from you in a while, so I'm assuming this issue has been fixed. Please re-open if you're still having issues.

3 participants