phpmyadminmod-security

OWASP core rules break phpMyAdmin, ModSecurity ignores exception rule


Unsurprisingly, the OWASP core rule set 3.3.2 rules break phpMyAdmin.

(Is there anything OWASP doesn't break?)

Among other things, they block importing SQL files into the database.

To circumvent this, I have written an exception rule (in fact, tried many variants of it) and placed it into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

Even the most extreme variant, shutting the engine off for the subdomain in which phpmyadmin is installed, doesn't seem to work:

    SecRule SERVER_NAME "<hostname>" \
     "id:10000008,\
      phase:2,\
      pass,\
      nolog,\
      ctl:ruleEngine=off"

After restarting Apache several times, and even rebooting the whole system, I still get the same audit error:

    Message: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/modsecurity.conf"] [line "86"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."]
    Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client <ipnumber>] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/etc/modsecurity/modsecurity.conf"] [line "86"] [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "<hostname>"] [uri "/index.php"] [unique_id "<idcode>"]

Yes, I did try a more clever exception rule, targeting only rule ID 200004, but to no avail:

    SecRule REQUEST_URI "@beginsWith /index.php" \
     "id:10000008,\
      phase:2,\
      pass,\
      nolog,\
      ctl:ruleRemoveById=200004"

I have other exception rules set that shut the engine off for a target hostname or target rule IDs, and they seem to work.

Why is this not working for phpmyadmin, or for this particular subdomain?


Solution

  • For anybody interested, here's how I solved this: in the crs-setup.conf you can find the list of file extensions that ModSecurity will block.

    Among them is .sql, which makes import/export operations within phpmyadmin impossible. After removing it, I could finally use phpmyadmin normally:

    SecAction \
     "id:900240,\
      phase:1,\
      nolog,\
      pass,\
      t:none,\
      setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
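A narrower variant of the fix above, added here as an example and not part of the answer: instead of dropping .sql from the global list in crs-setup.conf, leave rule 900240 at its stock value and override tx.restricted_extensions only for the phpMyAdmin host. The override goes in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which the CRS loads after crs-setup.conf and before the rule files that read the variable, and runs in phase 1 so the new value is in place before the phase-2 extension check. The hostname pma.example.com and rule id 10000010 are placeholders; the extension list is the one from the answer, minus .sql.

```apacheconf
# Added example, not from the original post.
# File: REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
#
# crs-setup.conf (rule 900240) keeps its stock tx.restricted_extensions,
# .sql included, so every other virtual host still blocks .sql.
# Only requests whose SERVER_NAME is the phpMyAdmin host (placeholder
# below) get the shorter list. The rule must run in phase 1: CRS reads
# tx.restricted_extensions in phase 2, and a tx variable set later than
# the rule that consumes it has no effect on that request.
SecRule SERVER_NAME "@streq pma.example.com" \
    "id:10000010,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
```

After reloading Apache, an import on the phpMyAdmin host should no longer be denied for the .sql extension, while the same upload against any other host is still logged as a restricted-extension match in the audit log.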