Since a recent update of wordpress or potentially Woocommerce, i cant save anymore custom fields that includes urls on the "edit-account" page of woocommerce, it triggers a ModSecurity Rule, basically if i had 'https://' in the input it fails :
The Error
ModSecurity: Access denied with code 403 (phase 2) Match of "beginsWith %{request_headers.host}" against "TX:1" required
Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected
The Sec Rule triggering the error
SecRule ARGS|!ARGS:/_online_/|!ARGS:reason|!ARGS:installFull|!ARGS:b2w|!ARGS:/email/|!ARGS:term|!ARGS:/source_array/|!ARGS:/button/|!ARGS:rdfrom|!ARGS:/bestand/|!ARGS:/^request/|!ARGS:m_wb|!ARGS:/customfield/|!ARGS:/keyword/|!ARGS:embed|!ARGS:/cmsform/|!ARGS:/title/|!ARGS:social_network|!ARGS:scope|!ARGS:/^vfb-/|!ARGS:to|!ARGS:pu|!ARGS:sima|!ARGS:/movie/|!ARGS:dns|!ARGS:contact_info|!ARGS:source_code|!ARGS:/^ninja_forms/|!ARGS:listserv|!ARGS:p_zoho|!ARGS:sugarroot|!ARGS:cyswllt|!ARGS:/^attribute/|!ARGS:/^channel/|!ARGS:/^wdf_joodb/|!ARGS:/^replacer/|!ARGS:options[alter][path]|!ARGS:/css_frame/|!ARGS:ad_code|!ARGS:tickets|!ARGS:war|!ARGS:slug|!ARGS:/whereto/|!ARGS:/search/|!ARGS:pack|!ARGS:origem|!ARGS:/extra_info/|!ARGS:str_sitio|!ARGS:post-id|!ARGS:xml|!ARGS:/from_add/|!ARGS:/metatags/|!ARGS:radio|!ARGS:shire|!ARGS:/^svc_id/|!ARGS:RelayState|!ARGS:ds_source|!ARGS:/^si_contact_/|!ARGS:next|!ARGS:clip|!ARGS:kotisivu|!ARGS:mb|!ARGS:jibber|!ARGS:pattern_select|!ARGS:wordpress_extra|!ARGS:origin|!ARGS:fail|!ARGS:success|!ARGS:move_to|!ARGS:/^es-field/|!ARGS:/^listingfields/|!ARGS:svc_id|!ARGS:/^constant_contact/|!ARGS:hq|!ARGS:/flsrv/|!ARGS:svc_id|!ARGS:junkWords|!ARGS:/foto/|!ARGS:/^attr_/|!ARGS:name_ip|!ARGS:/stream/|!ARGS:canonical|!ARGS:/addy/|!ARGS:rel_path|!ARGS:aim|!ARGS:api|!ARGS:details|!ARGS:/^field/|!ARGS:profile_id|!ARGS:/^complete_action/|!ARGS:/^option_value/|!ARGS:/buzz/|!ARGS:cc_list_id|!ARGS:/jform/|!ARGS:/liveUpdate/|!ARGS:/service/|!ARGS:marqueur|!ARGS:/vertex/|!ARGS:metavalue|!ARGS:binary|!ARGS:snippet|!ARGS:/^ZA_ARTICLE/|!ARGS:obr|!ARGS:^/xcpr_/|!ARGS:back|!ARGS:/pic/|!ARGS:/plaatje/|!ARGS:profile|!ARGS:repository|!ARGS:os|!ARGS:ticketmaster|!ARGS:/destination/|!ARGS:r|!ARGS:/speedtest/|!ARGS:voice|!ARGS:/live$/|!ARGS:/tripadvisor/|!ARGS:/iTunes/|!ARGS:service|!ARGS:lang_default_value|!ARGS:weather|!ARGS:/metakey/|!ARGS:/target/|!ARGS:/password/|!ARGS:/note/|!ARGS:form_profile|!ARGS:/theme/|!ARGS:ip|!ARGS:/afbeelding/|!ARGS:/screenshot/|!ARGS:/^input_/|!ARGS:embed_code|!ARGS:/^flb/|!ARGS:gwefan|!ARGS:/xthreads/|!ARGS:flv|!ARGS:dest|!ARGS:languageChange|!ARGS:/^perch_/|!ARGS:music|!ARGS:/^p_posts/|!ARGS:input_50|!ARGS:/resolv/|!ARGS:/^install_package/|!ARGS:/address/|!ARGS:refsrc|!ARGS:hp|!ARGS:/censor/|!ARGS:UpdateNote|!ARGS:regx_root|!ARGS:input_3|!ARGS:/avatar/|!ARGS:obj_itop|!ARGS:/feed/|!ARGS:/^cf/|!ARGS:/uri/|!ARGS:color_chart|!ARGS:ui|!ARGS:armoury|!ARGS:reverbnation|!ARGS:/return/|!ARGS:fromp|!ARGS:/site/|!ARGS:_ref|!ARGS:owa_protocol|!ARGS:/homa/e|!ARGS:live|!ARGS:/^func_key/|!ARGS:/trackback/|!ARGS:gmaps|!ARGS:locationhp|!ARGS:loc|!ARGS:pfad|!ARGS:CUSTID|!ARGS:/img/|!ARGS:/photo/|!ARGS:/media/|!ARGS:parent_name|!ARGS:back|!ARGS:/facebook/|!ARGS:/instagram/|!ARGS:/pinterest/|!ARGS:/twitter/|!ARGS:/flickr/|!ARGS:/youtube/|!ARGS:/blog/|!ARGS:/vid/|!ARGS:_update_failure|!ARGS:_update_success|!ARGS:importremote|!ARGS:hdwok|!ARGS:hdwnook|!ARGS:OpenID|!ARGS:/^akID/|!ARGS:/^hilit/|!ARGS:/reciprocal/|!ARGS:/callback/|!ARGS:subject|!ARGS:/sponsors/|!ARGS:want2Read|!ARGS:direct|!ARGS:/thumb/|!ARGS:fflv|!ARGS:direct|!ARGS:source_location|!ARGS:/^fetch/|!ARGS:/web/|!ARGS:wlp|!ARGS:/openid/|!ARGS:/adres/|!ARGS:/logo/|!ARGS:go|!ARGS:/^utm/|!ARGS:resolution|!ARGS:/export/|!ARGS:new_channel|!ARGS:/wsdl/|!ARGS:/soap/|!ARGS:path[alias]|!ARGS:/message/|!ARGS:fighter_name|!ARGS:/^element/|!ARGS:camefrom|!ARGS:ucapi|!ARGS:/click/|!ARGS:rf|!ARGS:sourcetitle|!ARGS:form_pathscript|!ARGS:embeddump|!ARGS:/www/|!ARGS:/page/|!ARGS:hdwok|!ARGS:result|!ARGS:/^setting/|!ARGS:store|!ARGS:continue|!ARGS:/href/|!ARGS:/^win/|!ARGS:lec_rm|!ARGS:n-state|!ARGS:eself|!ARGS:tax23_RefDocLoc|!ARGS:goback|!ARGS:OVRAW|!ARGS:outputfile|!ARGS:background|!ARGS:dcsref|!ARGS:path|!ARGS:ico|!ARGS:big|!ARGS:gmu|!ARGS:entry|!ARGS:tos|!ARGS:/image/|!ARGS:user_xup|!ARGS:value_3|!ARGS:request|!ARGS:/server/|!ARGS:confirm|!ARGS:/^groups/|!ARGS:came_from|!ARGS:prodDownload|!ARGS:/^stylevar/|!ARGS:dcsqry|!ARGS:typePageCode|!ARGS:rules|!ARGS:/^config/|!ARGS:/^revchurch/|!ARGS:goto|!ARGS:/body/|!ARGS:/^product_long_/|!ARGS:/content/|!ARGS:/banner/|!ARGS:heading|!ARGS:cl_post|!ARGS:board_msg|!ARGS:/html/|!ARGS:arg2|!ARGS:/^cf_field_/|!ARGS:msg|!ARGS:configuration_key|!ARGS:/comment/|!ARGS:enquiry|!ARGS:/desc/|!ARGS:customer_footer|!ARGS:FAQTitle|!ARGS:/host/|!ARGS:/text/|!ARGS:whereto|!ARGS:pathToPiwik|!ARGS:admin_footer|!ARGS:pingback_service|!ARGS:showStr|!ARGS:/http/|!ARGS:fetch|!ARGS:/txt/|!ARGS:mesg|!ARGS:forward|!ARGS:announce_post|!ARGS:/^data/|!ARGS:/template/|!ARGS:teaser_js|!ARGS:/^item_/|!ARGS:footer_scripts|!ARGS:u|!ARGS:/header/|!ARGS:action|!ARGS:cptpl_dir|!ARGS:arg6|!ARGS:copyright|!ARGS:ima|!ARGS:art_summary|!ARGS:art_source|!ARGS:cat_sponsor|!ARGS:stretch|!ARGS:automode|!ARGS:myfilm1|!ARGS:/^tp_article/|!ARGS:newsettings[files_dir]|!ARGS:/usps_label/|!ARGS:short_story|!ARGS:vinculo|!ARGS:cts|!ARGS:response|!ARGS:hd_request|!ARGS:relocate|!ARGS:add_fd3|!ARGS:soundname|!ARGS:/^bbcode_/|!ARGS:/vimeo/|!ARGS:/link/|!ARGS:faqText|!ARGS:request_uri|!ARGS:/shopvk/|!ARGS:/google/|!ARGS:definition|!ARGS:tpl_cont|!ARGS:/domain/|!ARGS:new_tng_path|!ARGS:babynaam|!ARGS:Comentario|!ARGS:/^dynadata/|!ARGS:paypal_ipn|!ARGS:title|!ARGS:/frame/|!ARGS:l1_bdy|!ARGS:edit_full|!ARGS:article|!ARGS:forum|!ARGS:uri|!ARGS:/^ViewState/|!ARGS:postvars|!ARGS:base1|!ARGS:layout|!ARGS:GMAP_KEY|!ARGS:full_story|!ARGS:source|!ARGS:set_static_uri_to|!ARGS:Infos|!ARGS:rev_you_tube|!ARGS:GMAP_KEY|!ARGS:newsBody|!ARGS:user_sig|!ARGS:cur|!ARGS:yahoo|!ARGS:sig|!ARGS:KT_Update1|!ARGS:theVisibility|!ARGS:friend_M|!ARGS:before|!ARGS:sm_b_style|!ARGS:success|!ARGS:/^css/|!ARGS:short_story|!ARGS:vthumb|!ARGS:introduction|!ARGS:register_at|!ARGS:revnews_ad_120|!ARGS:newText|!ARGS:PageCopy|!ARGS:option[78]|!ARGS:agendWebPage|!ARGS:/icon/|!ARGS:/ftp/|!ARGS:button_dir|!ARGS:x_organizational|!ARGS:form_element3|!ARGS:answer|!ARGS:intro|!ARGS:c_msg|!ARGS:how_did_you_hear_about_us|!ARGS:back_to|!ARGS:/sql/|!ARGS:prefix|!ARGS:problem|!ARGS:archive_chrono|!ARGS:thm|!ARGS:_RW_|!ARGS:/rss/|!ARGS:/url/|!ARGS:lnk|!ARGS:/gplus/|!ARGS:/pinterest/|!ARGS:/redirect/|!ARGS:outbound|!ARGS:out|!ARGS:/refer/|!ARGS:helpbox|!ARGS:redir|!ARGS:ret|!ARGS:oaparams|!ARGS:loc|!ARGS:resource|!ARGS:wimpyApp|!ARGS:wimpySkin|!ARGS:params[altTag]|!ARGS:inc|!ARGS:fck_brief|!ARGS:resource_box|!ARGS:areaContent2|!ARGS:ref|!ARGS:Post|!ARGS:reply|!ARGS:last_msg|!ARGS:tresc|!ARGS:pay_list_type|!ARGS:stories_cat|!ARGS:sUrl|!ARGS:view|!ARGS:howhear|!ARGS:oldmsg|!ARGS:/^FCKeditor/|!ARGS:excerpt|!ARGS:saved_data|!ARGS:/signature/|!ARGS:disc|!ARGS:utmr|!ARGS:Query|!ARGS:steps|!ARGS:jumpTo|!ARGS:memo|!ARGS:flvSource|!ARGS:_docSelector|!ARGS:from|!ARGS:footer|!ARGS:cmstr|!ARGS:remotefile|!ARGS:location|!ARGS:dest|!ARGS:Dialog30|!ARGS:Dialog7|!ARGS:configParams[api][configParamValue]|!ARGS:/^wimpy/|!ARGS:/_ref/|!ARGS:/^pr_/|!ARGS:addendum|!ARGS:utmp|!ARGS:whydowork_code|!ARGS:/ajax/|!ARGS:backto|!ARGS:/^rsargs/|!ARGS:op|!ARGS:old_file[]|!ARGS:zajawka|!ARGS:summary|!ARGS:input_name[4]|!ARGS:input_name[0]|!ARGS:ret|!ARGS:area|!ARGS:Brief_Profile|!ARGS:summary|!ARGS:data|!ARGS:st_widget|!ARGS:ban_reason|!ARGS:def|!ARGS:playlist|!ARGS:enlace|!ARGS:data_codepress|!ARGS:Store_OUI_GlobalFooter|!ARGS:/^dynafield/|!ARGS:wysiwyg|!ARGS:banner|!ARGS:env_ping_list|!ARGS:subdir[0]|!ARGS:x_Instructions|!ARGS:f_license|!ARGS:env_ping_list|!ARGS:xsponsor2|!ARGS:/^k2extra/ "^(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?)://(.*)$" \
"phase:2,deny,status:403,capture,id:33340162,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain,rev:294,severity:2,msg:'Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected',logdata:'%TX:1,%{matched_var_name}'"
My Wordpress functions are the following
<?php
// ADD CUSTOM FIELD
add_action( 'woocommerce_edit_account_form', 'add_marketo_fields_to_edit_account_form' );
function add_marketo_fields_to_edit_account_form() {
$user = wp_get_current_user();
echo '<input type="url" class="woocommerce-Input woocommerce-Input--text input-text" name="custom_url" id="custom_url" placeholder="https://example.com" value="'.esc_attr( $user->custom_url ).'" />';
}
// SAVE CUSTOM FIELD
add_action( 'woocommerce_save_account_details', 'save_marketo_fields_account_details', 12, 1 );
function save_marketo_fields_account_details( $user_id ) {
if( isset( $_POST['custom_url'] ) ) {
update_user_meta( $user_id, 'custom_url', sanitize_url( $_POST['custom_url'] ) );
}
}
?>
if someone here can point me to teh right direction, i cant figure if its a sanityze issue, an encoding issue, a custom SecRule to add, ...
While finding a solution i've disabled the related ID "33340162" triggering this error but its a bad practice has my server would potentially have a security issue?
i've tried to add a custom secrule but with no luck :
SecRule REQUEST_URI "@streq /edit-account" "id:1,phase:2,nolog,allow"
CRS dev-on-duty here. Even though this is obviously not a CRS rule, I'm trying to help here. The mentioned rule 33340162 seems to exclude a lot of arguments from the check already: !ARGS:/_online_/|!ARGS:reason|...
Obviously this custom_url
is a new argument whose exclusion is still missing in the rule. The rule checks if an other URL than the one specified in the host header was entered (to avoid RFI), as someone else noted.
What you can do: Instead of removing the rule 33340162
entirely, tune the rule so that it no longer checks your custom_url
argument (or whatever your argument is called) with:
SecRuleUpdateTargetById 33340162 !ARGS:custom_url