
ModSecurity: Impacting setup / redirects to homepage #1113

Closed
jamesozzie opened this issue Feb 10, 2020 · 14 comments
Labels
Group: Escalation Issues which requires escalation P0 High priority QA: Eng Requires specialized QA by an engineer Type: Bug Something isn't working
@jamesozzie
Collaborator

jamesozzie commented Feb 10, 2020

Bug Description

Some users are experiencing issues with Site Kit setup, even with the proxy based setup solution.

While temporarily deactivating ModSecurity can allow setup to proceed in some cases, asking users to temporarily deactivate it is not ideal and in many cases not possible (for shared hosting solutions).

Below is an example of an error log provided by one hosting provider, shared by one user on the WordPress support forum.

[Fri Jan 31 15:25:57.523701 2020] [:error] [pid 6226:tid 47032615163648] [client 173.238.17.22:55491] [client 173.238.17.22] ModSecurity: Access denied with code 403 (phase 2). Matched phrase “.profile” at ARGS:scope.
[file “/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/08_Global_Other.conf”] [line “57”] [id “210580”] [rev “2”] [msg “COMODO WAF: OS File Access Attempt||hsjcc.on.ca|F|2”] 
[data “Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/analytics.edit https:/www.googleapis.com/auth/analytics.manage.users https:/www.googleapis.com/auth/analytics.readonly https:/www.googleapis.com/auth/analytics https:/www.googleapis.com/auth/webmasters https:/www.googleapis.com/auth/siteverification openid https:/www.googleapis.com/auth/userinfo.profile https:/www.googleapis.com/auth/userinfo.email”] 
[severity “CRITICAL”] [tag “CWAF”] [tag “Other”] [hostname “hsjcc.on.ca”] [uri “/”] [unique_id “XjSNVflO8akEWI8rkj-bDAAAAAE”], referer: https://accounts.google.com/signin/oauth/consentsummary?authuser=0&part=AJi8hAOPA9IrSpWL4k_Kj6u9T0v1uOzCSjgzj4yksVDaKVTcFTtp0wcuQXBHyvDKNjn_Jz8xSI4PNPSUP2rzMav_FfnBbu5tTffq-2rfJpnsw1LFdsEzIoyicccOgkw2VnnAuoAnGivyS4LXyEwy6l5Wn7z5NmRuRfLAuZOsWBBqQpEChBGCXDA35k43dKeeDNOa5iz61KN_F6N-FTC2AbftPNWJa0lawJ-0XU4kXU29KLjgUwponrgFI6HjJjHt3cgMEQ7KtGAOY9M4ioUppDKtnO-nw8I7fdmtMOy6ecwetDa_MVfz8ftor9DsmbywC67_NnOKxZS4LaqTYRS4EPK7coiFr6y1Gcxw8n4S_2oQzseSDC_dgk5aVePv_gGZnorYUPqd1r80KbJgqIq6hg9aqO_ihae-o1lZk40Unte-x29SLChdNzo51icQ_LxeKR2YvIhlVmpRo_PkKzH8GlwFrQ58kHLlLk3Z3y3_yY7CkhKZQi3HvYurZnIFvKT80Vb_PuSK55e-2V4VYJu8WISLqMqhzYSKDT4IWSCLt1N-DNKj8nIQA2F9wg6a9hwISQtFNprM1wC8q3CWoXaf_tuqwlQ-7HJ8ORHFcYPas6LiIfottLmFOr8SQNlZSXDsIk9PePz71TfOIJvtOkOFfLHSwmJa4YM5aTxi2Ks9XrkfB00IajWew80FP32S7bPxt0BI9Ra-EpzV17Xqmf1ARZn17Cp9iZVT0ENpCMOJTVTehXjAT23j-Isuu-5C1cshwS3qUwj_GgXwWEbmhWaOC-flhYylrStAxW09UUrRscCtjMvotfNjk-3KfcxxiL4PG1KxMz2Bk8ExazwTmEvDE2qxWJUaz0qehDkkB8j9oLZbW_WH_SBkPx6WtTjOfjYVmUzUllbRayzd0YiEZWFiPp_6DfWDKKcx80TcqXiiWFlOl7pegePW9cgysmdH0PD7j-VW9cMfwc_yrkx2b7221U5Lgf_r61oV0p3VktzdRqDf9imxXYi6_zFceXOzyfiJgMNQqapGAN7Wz2CgE0x5A2kZsLVLiZ93ZILHu0zBkEE5dRToXr9pd6fpi_ni1Z1sPCtnDcTTWxWup1r7X6hrUGtAMSWJMu1Pgo7rdQc3kDNsU_a7ZeAMMo3-W4l6aRJTplBj8_329zBd_mlKVEh18eaQpb6LdIXk7nNdgw5STieImLfi8MKHGR0dQo2kPZsERWKeq-Xy-RE5ctdYydlIqiq2N0xmUxO-htP-FmOAdNLkoh-BttzfcsKyBGXTi18zFJ9dRo30X6dBzjWuOJ9x4NuehsR4V8mCbksC7a01nCzFJG-aqOYVeYDz4JMBFeqpV1x_jGYuhT66kTVKZA0XHmwofYlXqond8UT2dufSDuU8517DHz97vsR6dljGL8JJOpMWOSC-xwT5-t7C6JPT2VR41GlpXk44R3t9ktmk_oCuFldvrlNpdAvoiyrFwruNoPO2Zf4wH9xYJtjb9hPwzgTp_g50EoNplhW59ritgFBaFKlXzJLASmIYjLVuQd48yYY95OSz-FH30-y4q8VrGedpG2BDGcsBiA8QWmpW57gOVFStCBAHvFKmBDppIWZhpAvAylMfT3eRrc_yGQ5smYyCKEpKjND5wZdfGJwWhA9-kGlm8m_svhG1BYXbmmJADYmQCFMa1gLJx6u7BQoNzZndf7NXEabpv29opSHTZlb1DLJ0mGBpuvQzPo4S6cdVg0JgiSxNVUL2i1UqzvFlPgp-ILgXghG5Bdbfruwt1Y3YzVm14rci0n90ILV08Wq0
frGFT-z4TParcBaBYgeciXBX27GIBXzAyk-C3GvharDagOyghivpE3CXIyVg1LfyuIKK6POtARxfosDPYmVgC12PoJkGU1FBpBVcpyU_dmC_I-3YYcxl6TU&as=2ZC_b_ClWwEYMI-SkY3pBA&rapt=AEjHL4MDH7gjFKfrigw78cBYx0Z7HNLcWVulh-tiJnGEpSyMHpSEdzhQLH1lv3hy7_1DFdGu76l9S3uM9DwF7pGqZl2Jy66t-w&approvedScope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.edit%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.manage.users%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics

Other related support topics:

Another redirection occurrence reported by one user, this time with redirection to a CentOS error page. Awaiting log files.


Acceptance criteria

  • N/A

Implementation Brief

  • N/A

QA Brief

Changelog entry

  • Work around bug in ModSecurity by relying on only providing granted OAuth scopes in token API response.
@ernee

ernee commented Feb 11, 2020

Additionally, ModSecurity has been reported to affect the setup/connection of services like Analytics and AdSense, as seen in these topics:

https://wordpress.org/support/topic/i-cant-configure-analytics-and-adsense/ (Site Health avail)
https://wordpress.org/support/topic/unable-to-fetch-ga-account/ (Site Health avail)


@ernee

ernee commented Feb 12, 2020

@jamesozzie the topic referenced above might be related to #1034, per the user's update that they changed from http to https.

@cole10up cole10up self-assigned this Feb 17, 2020
@jamesozzie
Collaborator Author

Additional information/context posted by other users at the below WordPress support topic:
Can’t authenticate email then it crashes site

@aaemnnosttv
Collaborator

The problem in the log above is related to a known rule in ModSecurity's free WAF rules which is designed to block access to the local .profile file. Because the OAuth flow sends the user back to the site with an auth scope that contains this string (https://www.googleapis.com/auth/userinfo.profile) in a query parameter, ModSecurity blocks it.

This isn't specific to Site Kit and would likely happen with any Google OAuth flow that included this scope.

According to this post, if the host supports ModSecurity changes via .htaccess they can add this rule to whitelist it in the scope query arg only (without disabling ModSecurity or this rule altogether):

<IfModule mod_security2.c>
     SecRuleUpdateTargetById 210580 !ARGS:'scope'
</IfModule>

This is still not a great solution though. I tried removing this scope in favor of using profile from the openID standard instead, but Google seems to add in the equivalent Google scope when returning so this wouldn't work either.

@felixarntz since the OAuth callback hits the auth proxy first, is it possible we could remove the problematic scope from the site's URL before sending them back to the site? We could then rely on the presence of the openID profile instead. This might be hard to do in a BC compatible way though.
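As an added illustration (not code from Site Kit or from anyone in this thread), the triage logic below parses a ModSecurity error-log line like the one quoted above and decides whether a rule 210580 hit on ARGS:scope is this Google OAuth scope false positive (every token is `openid`/`email`/`profile` or a `www.googleapis.com/auth/...` scope) or something that still needs a human look. The sample line is constructed, with a documentation-range client IP and `example.com` as hostname; the rule id, field layout and scope list follow the log in the issue.

```python
import re

# Constructed sample line modelled on the one quoted in the issue (rule 210580,
# ".profile" matched inside ARGS:scope). Hostname and client IP are placeholders.
SAMPLE_LOG = (
    '[Fri Jan 31 15:25:57.523701 2020] [:error] [pid 6226:tid 47032615163648] '
    '[client 203.0.113.10:55491] ModSecurity: Access denied with code 403 (phase 2). '
    'Matched phrase ".profile" at ARGS:scope. [file "08_Global_Other.conf"] [line "57"] '
    '[id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt"] '
    '[data "Matched Data: .profile found within ARGS:scope: email profile '
    'https:/www.googleapis.com/auth/analytics.readonly openid '
    'https:/www.googleapis.com/auth/userinfo.profile"] [severity "CRITICAL"] '
    '[hostname "example.com"] [uri "/"]'
)

# Tokens that legitimately appear in a Google OAuth2 "scope" parameter.
OIDC_SCOPES = {"openid", "email", "profile"}
# Forum pastes often collapse "https://" to "https:/", so accept one or two slashes.
GOOGLE_SCOPE = re.compile(r"^https?:/{1,2}www\.googleapis\.com/auth/[\w.]+$")

# [key "value"] fields; curly quotes are accepted because pasted logs often have them.
FIELD_RE = re.compile(r'\[(\w+) [\u201c\u201d"]([^\u201c\u201d"]*)[\u201c\u201d"]\]')
MATCH_RE = re.compile(r"found within (ARGS:\w+): (.*)$")


def parse_modsec_line(line):
    """Return the bracketed fields of a ModSecurity error-log line plus the
    matched target variable and its value, extracted from the [data ...] field."""
    fields = dict(FIELD_RE.findall(line))
    m = MATCH_RE.search(fields.get("data", ""))
    fields["target"] = m.group(1) if m else None
    fields["matched_value"] = m.group(2) if m else None
    return fields


def is_oauth_scope_false_positive(fields):
    """True only when rule 210580 fired on ARGS:scope and every whitespace-separated
    token is a known OIDC scope or a Google API scope URL; anything else (for example
    a real path fragment in the scope argument) is left for manual review."""
    if fields.get("id") != "210580" or fields.get("target") != "ARGS:scope":
        return False
    tokens = (fields.get("matched_value") or "").split()
    return bool(tokens) and all(t in OIDC_SCOPES or GOOGLE_SCOPE.match(t) for t in tokens)


if __name__ == "__main__":
    parsed = parse_modsec_line(SAMPLE_LOG)
    print(parsed["id"], parsed["target"], is_oauth_scope_false_positive(parsed))
```

Run it over an error log before relaxing the rule: only lines this classifies as the OAuth false positive justify the narrow `SecRuleUpdateTargetById 210580 !ARGS:'scope'` exception; a hit with other content in the scope argument should keep being blocked.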

@eclarke1 eclarke1 added the Group: Escalation Issues which requires escalation label Feb 27, 2020
@felixarntz felixarntz added P0 High priority QA: Eng Requires specialized QA by an engineer and removed Group: Escalation Issues which requires escalation labels Feb 27, 2020
@felixarntz felixarntz added this to the Sprint 17 milestone Feb 27, 2020
@felixarntz
Member

@cole10up This was fixed on our end (not in the plugin), but I marked this as part of the release. Could you do some QA on this or follow up with @jamesozzie? Thanks!

@cole10up cole10up self-assigned this Feb 27, 2020
@ThierryA ThierryA added the Group: Escalation Issues which requires escalation label Feb 27, 2020
@cole10up

I ran some tests on my end installing application-based security plugins (such as WordFence, W3TC, Redirect). Installed and activated Site Kit. No issues discovered.

Unfortunately my hosting test server doesn't have Mod Security.

In order to properly retest this we'll need to invest more time into this ticket to validate with a full setup of an instance with an Apache server running Mod Security.

@cole10up

@jamesozzie - Here's a guide to Mod Security and where to configure it if you have a server running with cpanel and wordpress installed.

https://sysally.com/blog/how-modsecurity-protects-wordpress-website/

@cole10up cole10up removed their assignment Feb 28, 2020
@jamesozzie
Collaborator Author

@cole10up No issues from my side with either OWASP ModSecurity or Atomic Basic ModSecurity rule sets enabled, with thorough default values.

(screenshot)

Happy to share logs or provide testing login if needed.

@cole10up

Thanks @jamesozzie for the help. Transitioning this one to approval.

@Imagine775

Hello, I have the same issue with the loop "Sign in with Google to configure Site Kit".
If there is a solution, can I please ask you to dumb it down for a noob like me, to help me understand how I can fix it.

@jamesozzie
Collaborator Author

@Imagine775 We'd be happy to assist you with this error. If none of the troubleshooting steps listed on the website work for you, please open a WordPress support topic and we can look at your individual case.

@ndel

ndel commented Dec 5, 2021

Switching off security rule 210580 worked for me

@gene1wood

You can also use this CRS plugin for ModSecurity to do the same: https://github.com/coreruleset/google-oauth2-plugin
