Modsecurity block Google tag manager iframe
Question
I have the same problem described in the following issue.
Here is the error log:
[Tue May 16 18:19:38.745674 2023] [:error] [pid 1796577:tid 140122351191808] [remote CLIENT.IP.ADDRESS:55326] [client CLIENT.IP.ADDRESS] ModSecurity: Access denied with code 403 (phase 4). Match of "rx \\\\ssrc=\\\\x22https:\\\\/\\\\/www\\\\.googletagmanager\\\\.com\\\\/ns\\\\.html\\\\?id=GTM|\\\\ssrc=\\\\x22https:\\\\/\\\\/w\\\\.soundcloud\\\\.com\\\\/player\\\\/\\\\?url=" against "TX:0" required. [id "214540"] [rev "5"] [msg "COMODO WAF: Possibly malicious iframe tag in output||web.site|F|3"] [data "Matched Data: <iframe \\x0a\\x09\\x09height=\\x220\\x22 width=\\x220\\x22 style=\\x22display:none found within TX:0: <iframe \\x0a\\x09\\x09height=\\x220\\x22 width=\\x220\\x22 style=\\x22display:none"] [severity "ERROR"] [tag "CWAF"] [tag "FilterInFrame"] [hostname "web.site"] [uri "/index.php"] [unique_id "ZGOtGn8OVNnjiBWdgt2VdgADRxI"]
[Tue May 16 18:19:38.865218 2023] [:error] [pid 1796577:tid 140122167179008] [client CLIENT.IP.ADDRESS:55326] [client CLIENT.IP.ADDRESS] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|web.site|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "web.site"] [uri "/index.php"] [unique_id "ZGOtGn8OVNnjiBWdgt2VdgADRxI"]
Here is the content of the config file /etc/modsecurity/comodo/19_Outgoing_FilterInFrame.conf:
SecRule RESPONSE_BODY "<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?[\x22']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b" \
"id:214540,chain,msg:'COMODO WAF: Possibly malicious iframe tag in output||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:replaceComments,rev:5,severity:3,tag:'CWAF',tag:'FilterInFrame'"
SecRule &REQUEST_COOKIES:sugar_user_theme "@eq 0" \
"chain,t:none"
SecRule TX:0 "!@rx \ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url=" \
"t:none,t:urlDecodeUni"
SecRule RESPONSE_BODY "(?i:<[\t\n\r ]{0,}IFRAME[\t\n\r ]{0,}?[^>]{0,}?src=\x22javascript:)" \
"id:214550,msg:'COMODO WAF: Malicious iframe+javascript tag in output||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:1,severity:3,tag:'CWAF',tag:'FilterInFrame'"
SecMarker SECMARKER_214400
As you can see, there is a "whitelist" for googletagmanager and soundcloud but it seems it is not working. The mentioned iframe on the website should be the following:
<!-- Google Tag Manager (noscript) -->
<noscript><iframe height="0" width="0" style="display:none;visibility:hidden" data-src="https://www.googletagmanager.com/ns.html?id=GTM-XXXZZZ" class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->
I don't understand why the following "whitelist rule" doesn't work, can you help me out?
SecRule TX:0 "!@rx \ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url=" \
"t:none,t:urlDecodeUni"
Thank you for your time.
Tired of editing the regexp. I expected that the "whitelist" rule works.
Answer 1
Score: 1
First of all, you can't match against TX:0 like this, it will never work as you expect. Look at the first SecRule in the chain of rule 214540 - that is what you need to match, i.e. RESPONSE_BODY.
I suggest this exclusion rule but note that it will completely disable rule 214540 on all pages which contain your Google iframe:
SecRule RESPONSE_BODY "@contains https://www.googletagmanager.com/ns.html" \
"id:138,\
phase:4,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=214540;RESPONSE_BODY"
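As an added illustration (not part of the question or the answer), the script below runs the page's own regexes with Python's re module against the iframe from the question. It shows why the chain blocks: TX:0 only holds the first link's match, which contains no src= attribute, and the lazy-loaded tag carries the GTM URL in data-src anyway, so the "whitelist" regex cannot match even against the whole body, while the answer's @contains test does. Python's re stands in for the PCRE engine ModSecurity uses; the chain simulation and the function names are my own.

```python
import re

# Constructed sample: the Google Tag Manager noscript iframe exactly as the
# question shows it (GTM-XXXZZZ is the question's own placeholder id).
GTM_NOSCRIPT = (
    '<noscript><iframe height="0" width="0" style="display:none;visibility:hidden" '
    'data-src="https://www.googletagmanager.com/ns.html?id=GTM-XXXZZZ" '
    'class="lazyload" src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></iframe></noscript>'
)

# Operator regex of the first link in chain 214540 (copied from the page).
# Because that rule has 'capture', ModSecurity stores the whole match in TX:0.
IFRAME_DISPLAY_NONE = re.compile(
    r"<[^a-zA-Z0-9_]{0,}iframe[^>]{1,}?\bstyle[^a-zA-Z0-9_]{0,}?=[^a-zA-Z0-9_]{0,}?"
    r"[\x22']{0,1}[^a-zA-Z0-9_]{0,}?\bdisplay\b[^a-zA-Z0-9_]{0,}?:[^a-zA-Z0-9_]{0,}?\bnone\b"
)

# The question's "whitelist" regex from the third link of the chain.
ALLOWLIST = re.compile(
    r"\ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM"
    r"|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url="
)

def capture_tx0(body: str):
    """Return what the first link of rule 214540 would leave in TX:0, or None."""
    m = IFRAME_DISPLAY_NONE.search(body)
    return m.group(0) if m else None

def chain_214540_blocks(body: str, sugar_cookie_present: bool = False) -> bool:
    """Approximate the three-link chain: it blocks only when every link matches."""
    tx0 = capture_tx0(body)
    if tx0 is None or sugar_cookie_present:      # link 1 or link 2 fails
        return False
    # Link 3 is '!@rx ALLOWLIST' against TX:0: it matches when the allowlist
    # does NOT match the captured text, which completes the chain and blocks.
    return ALLOWLIST.search(tx0) is None

def answer_exclusion_applies(body: str) -> bool:
    """The answer's rule 138: '@contains https://www.googletagmanager.com/ns.html'
    against RESPONSE_BODY (it must be loaded before 214540 for the ctl: to apply)."""
    return "https://www.googletagmanager.com/ns.html" in body

if __name__ == "__main__":
    print("TX:0 =", repr(capture_tx0(GTM_NOSCRIPT)))
    print("allowlist vs TX:0:", ALLOWLIST.search(capture_tx0(GTM_NOSCRIPT)) is not None)
    print("allowlist vs whole body:", ALLOWLIST.search(GTM_NOSCRIPT) is not None)
    print("chain 214540 blocks:", chain_214540_blocks(GTM_NOSCRIPT))
    print("answer's exclusion applies:", answer_exclusion_applies(GTM_NOSCRIPT))
```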
Comments