
Nextcloud 20 App firstrunwizard


Description

The nextcloud app firstrunwizard is shown every time, as the “finish” button doesn’t work.

Rules

SecAction \
    "id:900130,\
     phase:1,\
     nolog,\
     pass,\
     t:none,\
     setvar:tx.crs_exclusions_nextcloud=1"

Nginx error log

modsec    | 2021/01/09 14:29:35 [info] 10#0: *2 ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `DELETE' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "27"] [id "911100"] [rev ""] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "172.29.0.3"] [uri "/apps/firstrunwizard/wizard"] [unique_id "161020257565.692638"] [ref "v0,6"], client: 172.29.0.1, server: _, request: "DELETE /apps/firstrunwizard/wizard HTTP/2.0", host: "localhost"
modsec    | 2021/01/09 14:29:35 [error] 10#0: *2 [client 172.29.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.29.0.3"] [uri "/apps/firstrunwizard/wizard"] [unique_id "161020257565.692638"] [ref ""], client: 172.29.0.1, server: _, request: "DELETE /apps/firstrunwizard/wizard HTTP/2.0", host: "localhost"

Audit Logs / Triggered Rule Numbers

---yZ2UmJiC---A--
[09/Jan/2021:14:29:35 +0000] 161020257565.692638 172.29.0.1 55698 172.29.0.3 443
---yZ2UmJiC---B--
DELETE /apps/firstrunwizard/wizard HTTP/2.0
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
sec-gpc: 1
origin: https://localhost
sec-ch-ua-mobile: ?0
dnt: 1
requesttoken: Ew7xUMV36jHu7/xS+uNnK3N684WcCpXl4XLuWkfbbQs=:JH2cOLwPi3OggrcGlIYjUSkikPbLTd6A1wCEEgLoC2E=
accept: application/json, text/plain, */*
sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
sec-fetch-dest: empty
sec-fetch-mode: cors
host: localhost
accept-encoding: gzip, deflate, br
cookie: oc_sessionPassphrase=t0cxXcrd1WSryD8uomKlkzYiYQ32tdwHqTTWplol0n3tnxztn4%2F5CMaZ%2FPpLzn4KrAdMcDGfHUQlO0%2FOUwBFoXi1GSe3mvSxi9p6IPKQNguyptUMoxlHYRi%2FCiHUyBvm; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; ocxxrcdp6ovm=6bf91525a95b2c4d67a95fe19b6432e2; ocdc9y3dcheu=d64edd1c2a8a96a076a3cf2c7c1ba339; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc0ujuahlr4g=9438066fcfb3601cf2ef1431de40dd06; nc_username=admin; oc2ea260wouq=076bfb8524b383f3c84590fedd3c6bbe; oc79e823800o=c3fc8f97ed63491e296bc910b93a5c31; ocdmfwskk73x=b2d3f507f9812d2ddb6ed75c2ce74f56; oc6md82om6ac=102ce42f1a929d5f22165da2ca6e3868; ocnppnofgauw=d7f1298e5f633efb1a229701121962c1; nc_token=CSvO1i2Oosb%2Fs1kjInVXqgah6mnWwITh; nc_session_id=d7f1298e5f633efb1a229701121962c1
accept-language: en-GB,en;q=0.9

---yZ2UmJiC---D--

---yZ2UmJiC---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body bgcolor="white">\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---yZ2UmJiC---F--
HTTP/2.0 403
Server: nginx
Date: Sat, 09 Jan 2021 14:29:35 GMT
Content-Length: 564
Content-Type: text/html
Connection: close

---yZ2UmJiC---H--
ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `DELETE' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "27"] [id "911100"] [rev ""] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [hostname "172.29.0.3"] [uri "/apps/firstrunwizard/wizard"] [unique_id "161020257565.692638"] [ref "v0,6"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.29.0.3"] [uri "/apps/firstrunwizard/wizard"] [unique_id "161020257565.692638"] [ref ""]

---yZ2UmJiC---I--

---yZ2UmJiC---J--

---yZ2UmJiC---Z--

Your Environment

  • CRS version (e.g., v3.2.0): 3.3.0 with nextcloud exclusion v.3.4
  • Paranoia level setting: 3
  • ModSecurity version (e.g., 2.9.3): 3.0.4
  • Web Server and version (e.g., apache 2.4.41): nginx/1.14.1
  • Operating System and version: CentOS 8.3.2011

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
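
For triaging a block like the one logged above, here is an added example (not part of the original issue or of the CRS project) that groups ModSecurity error-log messages by unique_id and lists the rules behind each 949110 denial. The sample input is the report's two error-log lines with most tags trimmed; the function names are illustrative.

```python
import re
from collections import defaultdict

# Abbreviated from the two nginx error-log lines in the report (tags trimmed).
SAMPLE_LOG = '''\
modsec    | 2021/01/09 14:29:35 [info] 10#0: *2 ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `DELETE' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "27"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "2"] [tag "paranoia-level/1"] [uri "/apps/firstrunwizard/wizard"] [unique_id "161020257565.692638"] [ref "v0,6"]
modsec    | 2021/01/09 14:29:35 [error] 10#0: *2 [client 172.29.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [uri "/apps/firstrunwizard/wizard"] [unique_id "161020257565.692638"] [ref ""]
'''

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
BLOCKING_RULE = "949110"  # the blocking-evaluation rule id seen in the log


def parse_line(line):
    """Return the [key "value"] fields of one ModSecurity message, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = {"tag": []}
    for key, value in FIELD_RE.findall(line.split("ModSecurity:", 1)[1]):
        if key == "tag":
            fields["tag"].append(value)  # a message can carry many tags
        else:
            fields[key] = value
    fields["denied"] = "Access denied" in line
    return fields


def triage(log_text):
    """Group messages by unique_id; list the rules that led to each block."""
    by_txn = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and "unique_id" in fields:
            by_txn[fields["unique_id"]].append(fields)
    report = []
    for txn, msgs in by_txn.items():
        if not any(m["denied"] for m in msgs):
            continue  # keep only transactions that were actually blocked
        causes = [m for m in msgs if m.get("id") != BLOCKING_RULE]
        report.append({
            "unique_id": txn,
            "uri": msgs[0].get("uri"),
            "rules": [(m.get("id"), m.get("msg"), m.get("data")) for m in causes],
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```
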

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

keachi commented, Jan 15, 2021 (1 reaction)

On my native installation I followed the pretty URL setup, that’s why I don’t have the index.php within my URLs. On container-based setups, the configuration for pretty URLs is done automatically within the container. See apache-pretty-urls.config.php. As this is the officially supported container, and there’s official documentation on how to remove the index.php from the URL, I would like to see support for that in ModSecurity.

franbuehler commented, May 10, 2021 (0 reactions)

As stated in comment https://github.com/coreruleset/coreruleset/issues/1973#issuecomment-821949010 we can close this issue and issue #1974 in favor of PR #1975.

Thanks a lot for this very welcome contribution!!

