Image Upload Using TinyMCE and Mod Security

Please report bugs here!

Moderator: Thorsten

Post Reply
fidividi
Posts: 14
Joined: Sat May 30, 2015 11:21 am

Image Upload Using TinyMCE and Mod Security

Post by fidividi » Sat May 30, 2015 11:50 am

Hello,

The way TineMCE is setup on phpMyFAQ is to move folders and this matches a mod security pattern and causes a block which most hosting providers won't whitelist. The pattern is: Pattern match "/\\.\\./" at REQUEST_URI

As a result, the script is blocked, and a security warning through javascript and browser pops up, showing: "SyntaxError: Unexpected token <"

The most security rule id is 950103 and the rule is:

#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" "phase:request, msg:'Path Traversal Attack (/../)', id:'950103', ver:'OWASP_CRS/3.0.0', rev:'3', maturity:'9', accuracy:'7', t:none, block, severity:CRITICAL, logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', capture, tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.lfi_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"



I wonder how anyone manage to get their picture uploader working.

Any help much appreciated.

Thorsten
Posts: 14722
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: Image Upload Using TinyMCE and Mod Security

Post by Thorsten » Sun May 31, 2015 6:57 pm

Hi,

well, this is a misconfigured mod_security option in my humble opinion.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

fidividi
Posts: 14
Joined: Sat May 30, 2015 11:21 am

Re: Image Upload Using TinyMCE and Mod Security

Post by fidividi » Sun May 31, 2015 8:30 pm

Thorsten wrote:Hi,

well, this is a misconfigured mod_security option in my humble opinion.

bye
Thorsten


Thank you for your reply.

But we got a different answer from our hosting provider, and a bit of research shows they are not wrong. Their reply when we reported this was:
Unfortunately due to the security risks involved with the error code that Modsecurity is providing, we will not be listing the block due to the fact how the script works.

It is going ahead and taking files uploaded and moving them into move it outside the CMS which is not standard behavior, which could add malicious files into the main part of your account, due to this segment here: Pattern match "/\.\./" at REQUEST_URI.

Thorsten
Posts: 14722
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: Image Upload Using TinyMCE and Mod Security

Post by Thorsten » Sun May 31, 2015 8:48 pm

Hi,

this is the first report of this kind of issue. But we don't put any effort into a possible fix for this. We removed that part of code in 2.9 as we switch to another image manager solution in 2.9.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

fidividi
Posts: 14
Joined: Sat May 30, 2015 11:21 am

Re: Image Upload Using TinyMCE and Mod Security

Post by fidividi » Mon Jun 01, 2015 3:31 pm

Thorsten wrote:Hi,

this is the first report of this kind of issue. But we don't put any effort into a possible fix for this. We removed that part of code in 2.9 as we switch to another image manager solution in 2.9.

bye
Thorsten
Thanks. That is great info.

When is 2.9 going to be released?

Thorsten
Posts: 14722
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq
Contact:

Re: Image Upload Using TinyMCE and Mod Security

Post by Thorsten » Mon Jun 01, 2015 3:34 pm

Hi,

I'm working on it, hopefully as soon as possible.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist

Post Reply