Hello,
The way TinyMCE is set up in phpMyFAQ is to move folders, and this matches a mod_security pattern and causes a block which most hosting providers won't whitelist. The pattern is: Pattern match "/\\.\\./" at REQUEST_URI
As a result, the script is blocked, and a security warning pops up through JavaScript in the browser, showing: "SyntaxError: Unexpected token <"
The mod_security rule id is 950103 and the rule is:
#
# -=[ Directory Traversal Attacks ]=-
#
# Ref: https://github.com/wireghoul/dotdotpwn
#
# [ Encoded /../ Payloads ]
#
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" "phase:request, msg:'Path Traversal Attack (/../)', id:'950103', ver:'OWASP_CRS/3.0.0', rev:'3', maturity:'9', accuracy:'7', t:none, block, severity:CRITICAL, logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', capture, tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:tx.lfi_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
I wonder how anyone manages to get their picture uploader working.
Any help much appreciated.
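As an added illustration (not code from phpMyFAQ, TinyMCE or the OWASP CRS), the following Python shows a simplified stand-in for what rule 950103 looks for in the request URI, and the server-side confinement check an upload handler can do instead of relying on "../" in the URI. The regex, the decoding depth and the upload root are constructed assumptions, not the real rule.

```python
import os
import re
from urllib.parse import unquote

# Constructed, simplified stand-in for the core of CRS rule 950103:
# a ".." segment between path separators (slash or backslash),
# checked after percent-decoding. The real rule also covers overlong
# UTF-8 and other encodings that unquote() does not handle.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def decode_repeatedly(uri, rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> .) a few times."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def matches_traversal(uri):
    """True when the (decoded) request URI contains a /../ style segment,
    i.e. when a WAF rule like 950103 would fire on it."""
    return TRAVERSAL_RE.search(decode_repeatedly(uri)) is not None


def is_confined(upload_root, user_path):
    """Server-side check: resolve the requested file relative to the upload
    root and report whether it still lives inside that root. This is what
    an upload handler should enforce rather than emitting ../ in URIs."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, user_path))
    return os.path.commonpath([root, target]) == root


if __name__ == "__main__":
    # Constructed sample URIs: the first two are what the WAF blocks.
    for uri in ("/admin/images/../../uploads/pic.png",
                "/admin/%2e%2e/%252e%252e/uploads/pic.png",
                "/admin/images/upload.php?file=pic.png"):
        print(uri, "->", "blocked" if matches_traversal(uri) else "allowed")
```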
Image Upload Using TinyMCE and Mod Security
Re: Image Upload Using TinyMCE and Mod Security
Hi,
well, this is a misconfigured mod_security option in my humble opinion.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
Re: Image Upload Using TinyMCE and Mod Security
Thorsten wrote:
Hi,
well, this is a misconfigured mod_security option in my humble opinion.
bye
Thorsten
Thank you for your reply.
But we got a different answer from our hosting provider, and a bit of research shows they are not wrong. Their reply when we reported this was:
Unfortunately due to the security risks involved with the error code that Modsecurity is providing, we will not be listing the block due to the fact how the script works.
It is going ahead and taking files uploaded and moving them into move it outside the CMS which is not standard behavior, which could add malicious files into the main part of your account, due to this segment here: Pattern match "/\.\./" at REQUEST_URI.
Re: Image Upload Using TinyMCE and Mod Security
Hi,
this is the first report of this kind of issue. But we don't put any effort into a possible fix for this. We removed that part of the code in 2.9 as we switched to another image manager solution in 2.9.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
Re: Image Upload Using TinyMCE and Mod Security
Thanks. That is great info.
Thorsten wrote:
Hi,
this is the first report of this kind of issue. But we don't put any effort into a possible fix for this. We removed that part of the code in 2.9 as we switched to another image manager solution in 2.9.
bye
Thorsten
When is 2.9 going to be released?
Re: Image Upload Using TinyMCE and Mod Security
Hi,
I'm working on it, hopefully as soon as possible.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist