WordPress /wp-admin/site-health.php triggers

Description

Trying to open /wp-admin/site-health.php triggers a 403 despite being a legit request; despite the WP exception rules being enabled in /etc/modsecurity/crs/crs-setup.conf:

SecAction  "id:900130,  phase:1,  nolog,  pass,  t:none,  setvar:tx.crs_exclusions_wordpress=1"

Audit Logs / Triggered Rule Numbers

Message: Warning. Pattern match "(?i)(?:System\\.Data\\.OleDb\\.OleDbException|\\[Microsoft\\]\\[ODBC SQL Server Driver\\]|\\[Macromedia\\]\\[SQLServer JDBC Driver\\]|\\[SqlException|System\\.Data\\.SqlClient\\.SqlException|Unclosed quotation mark after the character string|'80040e14' ..." at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"] [line "340"] [id "951220"] [msg "mssql SQL Information Leakage"] [data "Matched Data: SQL server is up to date\x22,\x22status\x22:\x22good\x22,\x22badge\x22:{\x22label\x22:\x22Performance\x22,\x22color\x22:\x22blue\x22},\x22description\x22:\x22<p>The SQL server is a required piece of software for the database WordPress uses to store all your site&#8217;s content and settings.<\x5c/p>\x22,\x22actions\x22:\x22<p><a href=\x5c\x22https:\x5c/\x5c/wordpress.org\x5c/about\x5c/requirements\x5c/\x5c\x22 target=\x5c\x22_blank\x5c\x22 rel=\x5c\x22noopener\x5c\x22>Learn more about what ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "applic
Message: Warning. Pattern match "(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\$_(?:(?:pos|ge)t|session))\\b" at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "72"] [id "953110"] [msg "PHP source code leakage"] [data "Matched Data: session_start found within RESPONSE_BODY: <!DOCTYPE html>\x0a<html class=\x22wp-toolbar\x22\x0a\x09lang=\x22en-GB\x22>\x0a<head>\x0a<meta http-equiv=\x22Content-Type\x22 content=\x22text/html; charset=UTF-8\x22 />\x0a\x09<title>Site Health Status &lsaquo; mysite.com &#8212; WordPress</title>\x0a<script type=\x22text/javascript\x22>\x0aaddLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload..."] [severity "ERROR"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "
Message: Access denied with code 403 (phase 4). Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "76"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 9)"] [ver "OWASP_CRS/3.3.0"] [tag "anomaly-evaluation"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "102"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 9): individual paranoia level scores: 9, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 2a0b:f4c2:1::1] ModSecurity: Warning. Pattern match "(?i)(?:System\\\\\\\\.Data\\\\\\\\.OleDb\\\\\\\\.OleDbException|\\\\\\\\[Microsoft\\\\\\\\]\\\\\\\\[ODBC SQL Server Driver\\\\\\\\]|\\\\\\\\[Macromedia\\\\\\\\]\\\\\\\\[SQLServer JDBC Driver\\\\\\\\]|\\\\\\\\[SqlException|System\\\\\\\\.Data\\\\\\\\.SqlClient\\\\\\\\.SqlException|Unclosed quotation mark after the character string|'80040e14' ..." at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"] [line "340"] [id "951220"] [msg "mssql SQL Information Leakage"] [data "Matched Data: SQL server is up to date\\\\x22,\\\\x22status\\\\x22:\\\\x22good\\\\x22,\\\\x22badge\\\\x22:{\\\\x22label\\\\x22:\\\\x22Performance\\\\x22,\\\\x22color\\\\x22:\\\\x22blue\\\\x22},\\\\x22description\\\\x22:\\\\x22<p>The SQL server is a required piece of software for the database WordPress uses to store all your site&#8217;s content and settings.<\\\\x5c/p>\\\\x22,\\\\x22actions\\\\x22:\\\\x22<p><a href=\\\\x5c\\\\x22https:\\\\x5c/\\\\x5c/wordpress.org\\\\x5c/about\\\\x5c/requirements\\\\x5c/\\\\x5c\\\\x22 target=\\\\x5c\\\\x22_blank\\\\x5c\\\\x22 rel=\\\\x5c\\\\x22noopener\\\\x5c\\\\x22>Learn more about what ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "applic [hostname "mysite.com"] [uri "/wp-admin/site-health.php"] [unique_id "YNsA-Eye9KCGHwEDyWp6iAAAAAw"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 2a0b:f4c2:1::1] ModSecurity: Warning. Pattern match "(?:\\\\\\\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\\\\\\\\$_(?:(?:pos|ge)t|session))\\\\\\\\b" at RESPONSE_BODY. [file "/usr/share/modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "72"] [id "953110"] [msg "PHP source code leakage"] [data "Matched Data: session_start found within RESPONSE_BODY: <!DOCTYPE html>\\\\x0a<html class=\\\\x22wp-toolbar\\\\x22\\\\x0a\\\\x09lang=\\\\x22en-GB\\\\x22>\\\\x0a<head>\\\\x0a<meta http-equiv=\\\\x22Content-Type\\\\x22 content=\\\\x22text/html; charset=UTF-8\\\\x22 />\\\\x0a\\\\x09<title>Site Health Status &lsaquo; mysite.com &#8212; WordPress</title>\\\\x0a<script type=\\\\x22text/javascript\\\\x22>\\\\x0aaddLoadEvent = function(func){if(typeof jQuery!=='undefined')jQuery(document).ready(func);else if(typeof wpOnload!=='function'){wpOnload=func;}else{var oldonload..."] [severity "ERROR"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag " [hostname "mysite.com"] [uri "/wp-admin/site-health.php"] [unique_id "YNsA-Eye9KCGHwEDyWp6iAAAAAw"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 2a0b:f4c2:1::1] ModSecurity: Access denied with code 403 (phase 4). Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "76"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 9)"] [ver "OWASP_CRS/3.3.0"] [tag "anomaly-evaluation"] [hostname "mysite.com"] [uri "/wp-admin/site-health.php"] [unique_id "YNsA-Eye9KCGHwEDyWp6iAAAAAw"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 2a0b:f4c2:1::1] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "102"] [id "980140"] [msg "Outbound Anomaly Score Exceeded (score 9): individual paranoia level scores: 9, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "mysite.com"] [uri "/wp-admin/site-health.php"] [unique_id "YNsA-Eye9KCGHwEDyWp6iAAAAAw"]
Action: Intercepted (phase 4)
Apache-Handler: application/x-httpd-php
Stopwatch: 1624965372200929 181340 (- - -)
Stopwatch2: 1624965372200929 181340; combined=40209, p1=3533, p2=8491, p3=103, p4=27833, p5=249, sr=320, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.3.0.
Server: Apache
Engine-Mode: "ENABLED"

Your Environment

• CRS version (e.g., v3.2.0): v3.3.0
• Paranoia level setting: default
• ModSecurity version (e.g., 2.9.3): v2.9.3
• Web Server and version (e.g., apache 2.4.41): 2.4.38 (Debian)
• Operating System and version: Debian 10.10 (buster)

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.