mod_security and blocking of posted HTML tags

Discussions and requests related to new CMSimple features, plugins, templates etc. and how to develop.
Please don't ask for support at this forums!
Post Reply
cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

mod_security and blocking of posted HTML tags

Post by cmb » Fri Mar 14, 2014 10:51 pm

Hello Community,

today CMSimple 4.4 has been released with the following information:
The reason are special configurations of ModSecurity, which interprets html tags as a "dangerous code attack" in some cases, and makes saving of the language files impossible. After that it is possible, that the IP adress of the administrator is added to a blacklist, and also ftp access is blocked for some hours.
Obviously the new version has removed all HTML tags from the language files. While I am aware that mod_security can be configured to block any posts that contain HTML tags (to prevent XSS attacks; what IMHO should be left to the application), I wonder if that wouldn't block any posting of pages as well (in which case these features would have to be disabled to be able to work with CMSimple, or most other CMSes also). :?

Does anybody have further information regarding this issue? Do we have to make any adjustments to CMSimple_XH as well?

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: mod_security and blocking of posted HTML tags

Post by Holger » Mon Mar 17, 2014 12:08 pm

Hmm, never heard about such a configuration until now. But things may change - even if I can't believe that this will be the recommended default setup in the future.
But I think removing all html from the language-files is a too hasty solution for that problem.
cmb wrote:I wonder if that wouldn't block any posting of pages as well
Maybe it's just dependig on the file extension (which would not make much more security or sense at all)? I wonder if saving the template.htm should work there?

Maybe Zips (=Preben) knows more about that issue. He's the person with the server mentioned in the thread at the CMSimple4-Forum. I'll drop him a line...

ZiPs
Posts: 633
Joined: Thu May 22, 2008 6:17 pm
Location: Faxe, Denmark
Contact:

Re: mod_security and blocking of posted HTML tags

Post by ZiPs » Mon Mar 17, 2014 12:31 pm

On http://www.domaindirect.dk/ the installed ModSecurity and interprets the CMSimple using code which is considered as hacker attacks

https://atomicorp.com/products/modsecurity.html rule 350147

Gert has borrowed one of my domains to test CMSimple

Here are domaindirect responses in Danish
domaindirect wrote:Ja, da CMSimple benytter kode der kan opfattes som hacker-angreb af Mod Security, skal der laves undtagelser for sites der benytter CMSimple. Alternativet er at gøre CMSimple opmærksom på problemet og de ændrer deres kode. Der er fx. ingen problemer med Joomla eller Wordpress iht ModSecurity.
/ZiPz
Preben Dahl | Webmaster cmsimple.dk | Projekt-og domæne ejer Gert Ebersbach

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: mod_security and blocking of posted HTML tags

Post by cmb » Mon Mar 17, 2014 1:26 pm

Thanks for the details, Preben. However, I'm still at a loss. Looking for the mentioned rule 350147 brought up https://atomicorp.com/wiki/index.php?title=WAF_350147, but this lacks any details. From what I can see, in CMSimple 4.4 lots of b, em, strong and p tags have been removed from the English language file, but those don't qualify for being security issues at all, IMHO. Furthermore an element has been removed, but even that is harmless.

The German language file contained the following:
Diese Einstellung kann unter <b>Einstellungen->CMSimple->CMS</b> geändert werden.
That might be more suspicious due to the > signs, which are not part of a tag. Maybe only such issues have been the real problem?
Holger wrote:Maybe it's just dependig on the file extension (which would not make much more security or sense at all)?
I doubt that, because these rules most likely inspect the input (GET and POST) only, and from there mod_security can't know where to store the information (in most cases it would go to a database anyway).
Holger wrote:But I think removing all html from the language-files is a too hasty solution for that problem.
I fully agree.
Christoph M. Becker – Plugins for CMSimple_XH

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: mod_security and blocking of posted HTML tags

Post by Holger » Mon Mar 17, 2014 1:42 pm

cmb wrote:I doubt that, because these rules most likely inspect the input (GET and POST) only, and from there mod_security can't know where to store the information (in most cases it would go to a database anyway).
Of course. That's nonsens...

So what to do?

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: mod_security and blocking of posted HTML tags

Post by cmb » Mon Mar 17, 2014 2:38 pm

Holger wrote:So what to do?
Spending a lot of time for either removing all tags from all language files and working around some resulting issues (there are many plugins out there), or finding the exact issue. I prefer the latter, so I'll try to reproduce the problem behavior.
Christoph M. Becker – Plugins for CMSimple_XH

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: mod_security and blocking of posted HTML tags

Post by cmb » Mon Mar 17, 2014 9:46 pm

ZiPs borrowed me his server for some tests. Many thanks!

At first I tested CMSimple 4.3.3 and saving the English language settings caused the server to block. Saving the CMSimple_XH 1.6.1 language settings (I tested the core and all plugins) caused no blocking.

To keep things simple I wrote a plugin "test", with a single language setting "test". Saving the language settings worked fine for many inputs, but it failed for those where two tags were adjacent (perhaps separated by whitespace only). Interestingly, saving the same input from the editor did work without any issues!

To further simplify things (and to be able to exclude further issues) and to make then more easily reproducible, I simulated the saving of the language settings with the following document:

Code: Select all

<!DOCTYPE html>
<html>
    <head>
        <title>Atomicorp WAF</title>
    </head>
    <body>
        <form action="./atomicorp.php?&test" method="post">
            <input type="hidden" name="admin" value="plugin_language">
            <input type="hidden" name="action" value="plugin_save">
            <textarea name="PL3bbeec384_test"><h1>Title</h1>
<p><strong>The</strong> blah blah.</p></textarea>
            <input type="submit" name="plugin_submit" value="Save">
        </form>
    </body>
</html>
Submitting the form causes blocking, as I had expected. Rather interestingly, the form submission works fine, if the name of the textarea is changed to "PL3bbeec384_text", for instance. So apparently, the rules don't watch only the values, but some combination of names and values. Finding out the details about these rules doesn't seem to help in the long run, as they might be changed, so it's probably best to avoid any adjacent tags in the language files, and hoping that saving from the editor and saving the template (which currently work) will not break in the future.
Christoph M. Becker – Plugins for CMSimple_XH

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: mod_security and blocking of posted HTML tags

Post by Holger » Mon Mar 17, 2014 11:31 pm

Hi Christoph,

thanks for having a closer look on that!
cmb wrote: so it's probably best to avoid any adjacent tags in the language files
So a code like

Code: Select all

<p>Some text.</p><p>More text</p>
may cause problems?
Really nice. I've used that often to format the tooltip-text in the plugin config... :twisted:

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: mod_security and blocking of posted HTML tags

Post by cmb » Tue Mar 18, 2014 12:14 am

Holger wrote:
cmb wrote: so it's probably best to avoid any adjacent tags in the language files
So a code like

Code: Select all

<p>Some text.</p><p>More text</p>
may cause problems?
Really nice. I've used that often to format the tooltip-text in the plugin config... :twisted:
Exactly such markup might cause problems, but only in combination with some parameter names. If the key is "test" it fails, if the key is "text" it succeeds, for instance.

If have not tested this[1], but I assume that renaming the editor textarea to "test" will cause the server to block after saving any page. And even if we stick with "text", that would fail in the future, if the rules will be extended respectively.

So, IMHO, all bets are off, and respective fixes are best done on an "if needed" base. New development may avoid adjacent tags in any config settings for best compatibility.

Theoretically, another solution would be to mangle such HTML by JavaScript before it is sent (and later demangle it), but I hate the idea.

Another solution might be to try to contact atomicorp.com about the details of their rules, and request changes if appropriate.

[1] I have tested the form from above with the PL3bbeec384_ prefix removed, however, and that failed.
Christoph M. Becker – Plugins for CMSimple_XH

michaelsidenius
Posts: 12
Joined: Mon Sep 07, 2009 3:24 pm

Re: mod_security and blocking of posted HTML tags

Post by michaelsidenius » Fri Aug 22, 2014 5:06 pm

Sorry to add on this old thread, but I can confirm that removing double HTML tags from the danish language file has solved my problem with consequtive lockouts from my web hotel vendor NetPlads.DK, while using the danish language file, and trying to save it.

They run a strong security policy and I have been caught many times, waiting 24 hours to be released, practically hindering any sort of debug.

So thank you for the debugging efffort!

Regards,
Michael

Post Reply