ModSecurity: Access denied with code 403 (phase 2). Pattern match … Only on ONE user has issues


# Question

Not the first one with ModSecurity: `Access denied with code 403 (phase 2)....` issues.

But the thing is, I have a server, multiple websites, multiple webmail users and nobody is having any issues. There is this one user that keeps having issues sending email via webmail.

The full error is:

```
[client 86.xx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)((?:\\bx(?:link:href|html|mlns)|!ENTITY\\b.*?\\b(?:SYSTEM|PUBLIC)|\\bdata:text\\/html))" at ARGS:Parameters. [id "213060"] [rev "5"] [msg "COMODO WAF: XSS Filter - Category 3: Attribute Vector||mail.mywebsite.nl|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "mail.mywebsite.nl"] [uri "/"] [unique_id "ZJqH1d8z978UF9Ye1LgFlwAAAEw"], referer: https://mail.mywebsite.nl/
```

I've whitelisted his (dynamic) IP address(es) multiple times, and then he can send some mail, up until his new dynamic email address is blacklisted once again.

Since it is referring to XSS (which I hardly have any experience with), could it be that he has a faulty browser plugin, for example, that my server is blocking? Any thoughts on how to fix this on my side OR to tell him that it might be his fault? None of the other users (and I really have plenty!) are facing any issues via webmail!

So, I'm not sure if this is a server issue or that this specific user has some issues on his computer...

[edit]
ID 213060 gives the following:

```
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!ARGS:/jform\[params\]\[offcanvas_topmod_style\]/|!ARGS:/jform\[params\]\[djmegamenu-module_style\]/|!ARGS:/jform\[params\]\[offcanvas_botmod_style\]/ "@rx (?i)((?:\bx(?:link:href|html|mlns)|!ENTITY\b.*?\b(?:SYSTEM|PUBLIC)|\bdata:text\/html))" \
    "id:213060,msg:'COMODO WAF: XSS Filter - Category 3: Attribute Vector||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeNulls,t:removeComments,t:compressWhiteSpace,rev:5,severity:2,tag:'CWAF',tag:'XSS'"
```

[another edit:]

```
--8f8b2a62-A--
[27/Jun/2023:08:39:04.952346 +0200] ZJqECGcNX@kM-QmM3hU2ywAAABM 86.client ip 40330 85.server ip 7081
--8f8b2a62-B--
POST /?/Api/ HTTP/1.0
Host: mail.mywebsite.nl
X-Real-IP: 86.client ip
Connection: close
Content-Length: 8345
sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Microsoft Edge";v="114"
x-deviceid: 04778820-c6fc-41c1-9d22-3e6f995c03bf
sec-ch-ua-mobile: ?0
authorization: Bearer E1z-PplCaKTj68q73HG0bkSPgUCo_2KSStng_bk5JhGuF_IY5ctiCgm6NHBzru9XB7rvVwBDpBRndZp485pIijLk8pAd7ca5EvpGQF0p312jjCfvYcsy7yl3LDmHNWF5hGxK0PuUn5xOj4PRD7x0tnvlcOW-1IKInsitA5l4VCWTN04iFeQLG22gwRplcDfi-Kq33fwGDDP0yp7bYPq3vA0oyQv_9rWDQN3xF0MOasocYqA4VfIOd2wv31rxoTUj71gzuu6OELNfQSfTBbuUsE3K80I
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.58
content-type: application/x-www-form-urlencoded; charset=UTF-8
accept: application/json, text/javascript, */*; q=0.01
x-requested-with: XMLHttpRequest
x-client: WebClient
sec-ch-ua-platform: "Windows"
origin: https://mail.mywebsite.nl
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://mail.mywebsite.nl/
accept-encoding: gzip, deflate, br
accept-language: nl,en;q=0.9,en-GB;q=0.8,en-US;q=0.7
cookie: AuthToken=E1z-PplCaKTj68q73HG0bkSPgUCo_2KSStng_bk5JhGuF_IY5ctiCgm6NHBzru9XB7rvVwBDpBRndZp485pIijLk8pAd7ca5EvpGQF0p312jjCfvYcsy7yl3LDmHNWF5hGxK0PuUn5xOj4PRD7x0tnvlcOW-1IKInsitA5l4VCWTN04iFeQLG22gwRplcDfi-Kq33fwGDDP0yp7bYPq3vA0oyQv_9rWDQN3xF0MOasocYqA4VfIOd2wv31rxoTUj71gzuu6OELNfQSfTBbuUsE3K80I; DeviceId=04778820-c6fc-41c1-9d22-3e6f995c03bf; aft-cache-ctrl=1
--554ba553-C--
Module=Mail&Method=SendMessage&Parameters=[URL-encoded JSON payload]&TenantName=Default
--554ba553-F--
HTTP/1.1 403 Forbidden
Last-Modified: Sun, 12 Mar 2023 15:15:00 GMT
ETag: "31b-5f6b57545f770"
Accept-Ranges: bytes
Content-Length: 795
Cache-Control: s-maxage=10
Connection: close
Content-Type: text/html
--8f8b2a62-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)((?:\\bx(?:link:href|html|mlns)|!ENTITY\\b.*?\\b(?:SYSTEM|PUBLIC)|\\bdata:text\\/html))" at ARGS:Parameters. [id "213060"] [rev "5"] [msg "COMODO WAF: XSS Filter - Category 3: Attribute Vector||mail.mywebsite.nl|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"]
Apache-Error: [level 3] [client 86.xx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)((?:\\\\\\\\bx(?:link:href|html|mlns)|!ENTITY\\\\\\\\b.*?\\\\\\\\b(?:SYSTEM|PUBLIC)|\\\\\\\\bdata:text\\\\\\\\/html))" at ARGS:Parameters. [id "213060"] [rev "5"] [msg "COMODO WAF: XSS Filter - Category 3: Attribute Vector||mail.mywebsite.nl|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "mail.mywebsite.nl"] [uri "/"] [unique_id "ZJqECGcNX@kM-QmM3hU2ywAAABM"]
Action: Intercepted (phase 2)
Stopwatch: 1687847944917965 34695 (- - -)
Stopwatch2: 1687847944917965 34695; combined=28524, p1=593, p2=27771, p3=0, p4=0, p5=159, sr=124, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"
```

# Answer 1

**Score**: 1

Whitelisting the client(s) is not a good idea (in many cases).

You should make an exclusion, e.g.:

```
# Exclude ARGS:Parameters from rule 213060 for requests to this URI
SecRule REQUEST_FILENAME "@strEq /" \
    "id:1000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=213060;ARGS:Parameters"
```

Check the `uri` in this rule (it does not seem in your log), fix it, and put this exclusion rule **BEFORE** the rule above. You can change the operator (`@strEq`) too if you think the mentioned one is not good enough.

This will make an exclusion: if the URI matches, then target `ARGS:Parameters` will be removed in case of rule 213060.
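
An added example (not part of the original posts or of the COMODO rule set) for finding out which argument and which token rule 213060 matches before writing an exclusion. It also shows why the rule's own `!ARGS:text` / `!ARGS:html_message` exclusions do not help here: the webmail wraps the message HTML inside the JSON `Parameters` argument. The `t:` chain is only approximated in Python, the function names are illustrative, and both sample messages are constructed (Office-generated HTML, as quoted in a reply to an Outlook message, carries `xmlns:` attributes).

```python
import html
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode

# Operator regex of rule 213060, copied from the SecRule quoted in the question.
RULE_213060 = re.compile(
    r"(?i)((?:\bx(?:link:href|html|mlns)|!ENTITY\b.*?\b(?:SYSTEM|PUBLIC)|\bdata:text\/html))"
)
# ARGS the rule already skips (its !ARGS:... targets; the jform entries are omitted).
SKIP_EXACT = {"post", "desc", "html_message", "text"}
SKIP_REGEX = re.compile(r"body|content|description", re.I)


def transform(value):
    """Rough stand-in for the rule's t: chain, not ModSecurity's own code."""
    value = html.unescape(unquote_plus(value))   # urlDecodeUni, htmlEntityDecode
    value = value.replace("\x00", "")            # removeNulls
    value = re.sub(r"/\*.*?\*/|<!--.*?-->", "", value, flags=re.S)  # removeComments
    return re.sub(r"\s+", " ", value)            # compressWhiteSpace


def explain_block(form_body):
    """Return (argument name, matched text, context) for every rule hit."""
    hits = []
    for name, value in parse_qsl(form_body, keep_blank_values=True):
        if name.lower() in SKIP_EXACT or SKIP_REGEX.search(name):
            continue  # target excluded by the rule itself
        text = transform(value)
        for m in RULE_213060.finditer(text):
            context = text[max(0, m.start() - 15):m.end() + 15]
            hits.append((name, m.group(1), context))
    return hits


def webmail_body(html_text):
    """Constructed request body shaped like the SendMessage call in the audit log."""
    params = json.dumps({"Subject": "RE: test", "Text": html_text, "IsHtml": True})
    return urlencode({"Module": "Mail", "Method": "SendMessage", "Parameters": params})


# Constructed samples: a plain HTML message and a reply quoting Office-generated HTML.
PLAIN = "<div>Hello, see you on Thursday.</div>"
OFFICE_REPLY = ('<div>Hello</div><blockquote><div '
                'xmlns:o="urn:schemas-microsoft-com:office:office">Thanks</div></blockquote>')

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("office reply", OFFICE_REPLY)):
        print(label, explain_block(webmail_body(msg)))
```
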

huangapple
  • Published on June 29, 2023, 00:50:07
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76575241.html