1

I have a wordpress plugin that is attempting to save information but is being blocked. This may be a false positive I'm not sure. How can I enable one specific plugin to bypass whatever rule is causing it to be blocked?

Below is the error code my host is throwing at me.

[Tue Sep 29 08:50:45 2015] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 15 at TX:sql_injection_score. [file "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line "51"] [id "4049002"] [msg "SQL Injection Detected (score 20): XSS Attack Detected"] [hostname "xxxxx.com"] [uri "/wp-admin/admin.php"] [unique_id "VgqJJWjP6lgAAEaaTogAAAAZ"]

It's an already existing plugin. It is called WP Social Invitations - wordpress.org/plugins/wp-social-invitations To be completely honest most of this is above my head. I'm not sure what code I would even need to show you. The developer told me that they use the wordpress default wp_options table to store data, so this error shouldn't occur

Douglas Lovin
  • 11
  • 1
  • 4
  • Here is the transfer log as well. `yyy.yyy.yyy.yyy - - [29/Sep/2015:09:57:14 -0400] "POST /wp-cron.php?doing_wp_cron=1443535034.0516149997711181640625 HTTP/1.0" 200 - "-" "WordPress/4.3.1; https://xxxx.com" xxx.xxx.xxx.xxx - - [29/Sep/2015:09:57:13 -0400] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "https://xxxx.com/wp-admin/admin.php?page=wsi" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"` – Douglas Lovin Sep 29 '15 at 13:59
  • Well, what are you trying to do with your plugin? We need to see some code to see if it's something that can be fixed... – Shotgun Ninja Sep 29 '15 at 14:41
  • It's an already existing plugin. It is called WP Social Invitations - https://wordpress.org/plugins/wp-social-invitations/ To be completely honest most of this is above my head. I'm not sure what code I would even need to show you. The developer told me that they use the wordpress default wp_options table to store data, so this error shouldn't occur. – Douglas Lovin Sep 29 '15 at 14:49
  • You should probably edit your question to include that information; it seems particularly relevant in this case. – Shotgun Ninja Sep 29 '15 at 14:50

1 Answers1

1

For a start view here to see some more information about ModSecurity: "ModSecurity Access Denied" in logs. I don't understand what its telling me.. Should I be concerned?

The error you've given shows that, for some reason, ModSecurity has flagged the request and blocked it.

The rule that has fired (4049002) is saying that a threshold has been passed. This must mean previous rule(s) have set that variable. So you need to give us the details on the previous errors that have set the sql_injection_score - presumably on the lines just above the one you've given.

Alternatively, you could just add the following config to your Apache config (e.g. .htaccess file) to prevent this rule firing at all:

SecRuleRemoveByID 4049002

However this removes the protection that rule gives you for SQL injection attacks. So the better option is to find the original rule(s) that caused this to fire and to see if you can whitelist just the cause of that, rather than the blanket whitelisting of this entire rule.

Community
  • 1
  • 1
Barry Pollard
  • 40,655
  • 7
  • 76
  • 92