False positive for creating Moodle Course - Description field
Description
Message: Warning. detected XSS using libinjection. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:summary_editor[text]: <p dir=\x22ltr\x22 style=\x22text-align: left;\x22><strong>Test for WAF</strong></p>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Message: Warning. Pattern match "(?i)(?:(?:<\\w[\\s\\S]*[\\s/]|['\"](?:[\\s\\S]*[\\s/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange| ..." at ARGS:summary_editor[text]. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "175"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p dir=\x22ltr\x22 style= found within ARGS:summary_editor[text]: <p dir=\x22ltr\x22 style=\x22text-align: left;\x22><strong>Test for WAF</strong></p>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Message: Warning. Unconditional match in SecAction. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=20) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=20) - (SQLI=0, XSS=10, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0)"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "reporting"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client IPv6] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:summary_editor[text]: <p dir=\\\\x22ltr\\\\x22 style=\\\\x22text-align: left;\\\\x22><strong>Test for WAF</strong></p>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "DOMAIN"] [uri "/moodle/moodle/course/edit.php"] [unique_id "YpWsZoHqbzV6-5op7MRNLQAAARA"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client IPv6] ModSecurity: Warning. Pattern match "(?i)(?:(?:<\\\\\\\\w[\\\\\\\\s\\\\\\\\S]*[\\\\\\\\s/]|['\\\\"](?:[\\\\\\\\s\\\\\\\\S]*[\\\\\\\\s/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange| ..." at ARGS:summary_editor[text]. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "175"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p dir=\\\\x22ltr\\\\x22 style= found within ARGS:summary_editor[text]: <p dir=\\\\x22ltr\\\\x22 style=\\\\x22text-align: left;\\\\x22><strong>Test for WAF</strong></p>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "DOMAIN"] [uri "/moodle/moodle/course/edit.php"] [unique_id "YpWsZoHqbzV6-5op7MRNLQAAARA"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client IPv6] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=20) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=20) - (SQLI=0, XSS=10, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0)"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "reporting"] [hostname "DOMAIN"] [uri "/moodle/moodle/course/edit.php"] [unique_id "YpWsZoHqbzV6-5op7MRNLQAAARA"]
Apache-Handler: application/x-httpd-php73
Stopwatch: 1653976166645471 414603 (- - -)
Stopwatch2: 1653976166645471 414603; combined=40900, p1=1757, p2=37374, p3=363, p4=729, p5=677, sr=200, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/4.0.0-rc1.
Server: Apache
Engine-Mode: "ENABLED"
Moodle Version: 4.0.1+ (Build: 20220527)
reproduce
.../mod_security/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "175"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p dir=\x22ltr\x22 style= found within ARGS:summary_editor[text]: <p dir=\x22ltr\x22 style=\x22text-align: left;\x22>Test my cat course</p>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0-rc1"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Audit Logs / Triggered Rule Numbers
Blocked by: 941100
and 941160
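A check and a fix for the false positive reported above, added here as an example (not code from this issue or from the CRS project): it parses the audit log's Message lines, lists which rule ids fired on which argument, reads the inbound anomaly score against the threshold the log reports, and renders a before-CRS rule exclusion that only detaches ARGS:summary_editor[text] from those two rules on the course editor. The URI suffix, the exclusion rule id 1001 and the trimmed sample log are assumptions.

```python
import re

# Constructed sample: the issue's three "Message:" lines with the long rule regex and paths shortened.
SAMPLE_LOG = r'''Message: Warning. detected XSS using libinjection. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:summary_editor[text]: <p dir=\x22ltr\x22 style=\x22text-align: left;\x22><strong>Test for WAF</strong></p>"] [severity "CRITICAL"] [tag "attack-xss"] [tag "paranoia-level/1"]
Message: Warning. Pattern match "(?i)..." at ARGS:summary_editor[text]. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "175"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <p dir=\x22ltr\x22 style= found within ARGS:summary_editor[text]: <p dir=\x22ltr\x22 style=\x22text-align: left;\x22><strong>Test for WAF</strong></p>"] [severity "CRITICAL"] [tag "attack-xss"] [tag "paranoia-level/1"]
Message: Warning. Unconditional match in SecAction. [file "RESPONSE-980-CORRELATION.conf"] [line "96"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=20) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=20) - (SQLI=0, XSS=10, RFI=0, LFI=0, RCE=0, PHPI=0, HTTP=0, SESS=0)"] [tag "reporting"]'''

FIELD_RE = re.compile(r'\[(id|msg|data) "((?:[^"\\]|\\.)*)"\]')   # [id "..."], [msg "..."], [data "..."]
TARGET_RE = re.compile(r'found within ([A-Z_]+:[^\s:]+)')          # argument named in the data field
SCORE_RE = re.compile(r'Inbound Scores: blocking=(\d+).*?threshold=(\d+)')


def parse_messages(log_text):
    """One dict per 'Message:' line: id, msg, data and the argument the rule matched (or None)."""
    entries = []
    for line in log_text.splitlines():
        if not line.startswith("Message:"):
            continue
        fields = dict(FIELD_RE.findall(line))
        target = TARGET_RE.search(fields.get("data", ""))
        fields["target"] = target.group(1) if target else None
        entries.append(fields)
    return entries


def exclusion_targets(entries):
    """Rule id -> arguments it matched; the 980170 reporting line has no target and is skipped."""
    targets = {}
    for e in entries:
        if e["target"]:
            targets.setdefault(e["id"], set()).add(e["target"])
    return {rid: sorted(args) for rid, args in sorted(targets.items())}


def inbound_score(entries):
    """(blocking score, threshold) as reported by the correlation rule, or None if absent."""
    for e in entries:
        m = SCORE_RE.search(e.get("msg", ""))
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def render_exclusion(targets, uri_suffix, rule_id):
    """Before-CRS exclusion: detach only the listed arguments from the listed rules on uri_suffix."""
    ctls = ",".join(f"ctl:ruleRemoveTargetById={rid};{arg}"
                    for rid, args in targets.items() for arg in args)
    return (f'SecRule REQUEST_FILENAME "@endsWith {uri_suffix}" '
            f'"id:{rule_id},phase:1,pass,nolog,{ctls}"')
```

The rendered rule belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (it must load before the CRS rules for ctl: to take effect); compare the score and threshold from inbound_score before choosing a per-argument exclusion over a threshold change.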
Your Environment
- CRS version (e.g., v3.2.0): 4.0.0-rc1
- Paranoia level setting: 1
- ModSecurity version (e.g., 2.9.3): 2.9.5
- Web Server and version (e.g., apache 2.4.41): 2.4.53
- Operating System and version: FreeBSD
Confirmation
- I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Top GitHub Comments
Hi @franbuehler
Yes, sure this helps 👍
Will look into it and may create a Moodle plugin if there are many FP. Do you know if Moodle and the CRS work well together?
Sure (problem which you encountered isn’t covered):