Home > Software design >  ModSecurity Issue while logging MySQL errors
ModSecurity Issue while logging MySQL errors

Time:01-24

I am currently creating a plugin for WordPress that will log errors in the admin area that may happen in a custom code. This log is not intended for PHP errors, which are already stored in debug.log.

It's more to help find configuration errors, for example if I have a looper for posts and I expect the post image to be set. like:

    $post_img = get_the_post_thumbnail_url(123, 'full');

    if ($post_img == false)
    {
        my_error_log ('No featured image set for post 123');
    }

I'm showing this errors in a admin WP_List style so even editors could handle and solve such configuration errors. Everything works great until i tried to catch $wpdb->last_error messages! Like:

    $query = $wpdb->query ('DDELETE FROM ' . $wpdb->postmeta . ' WHERE meta_key = "custom_meta";');
    if ($query === false)
    {
        my_error_log ('Failure in wpdb->query!<br><code>' . $wpdb->last_error .'</code>');
    }

The DELETE command is intentionally incorrect to generate an error message!

It is written correctly in the database with

Failure in wpdb-&gt;query!<br><code>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DDELETE FROM wpdev_postmeta WHERE meta_key = "custom_meta"' at line 1</code>

But if i want to show the errors in the WP_LIST while getting the errors with function prepare_items and $wpdb->get_results('SELECT * FROM wp_my_error_log .... i only get a 404 error and nothing is displayed!

While searching the server error log files (the right one ;-) ) I found the following line:

> [:error] [pid 803349:tid 139870349313792] [client 123.XXX.XXX.XXX:0]
> ModSecurity: Access denied with code 404 (phase 4). Pattern match "You
> have an error in your SQL syntax; check the manual " at RESPONSE_BODY.
> [file "/etc/modsecurity/conf.d/11_asl_data_loss.conf"] [line "96"] [id "361022"] 
> [rev "2"] [msg "Atomicorp.com WAF Rules:  Potential SQL Information Leakage"] [severity "ALERT"] [tag "no_ar"]

So does that mean ModSecurity thinks it's an SQL injection? And how should I log my error then?

CodePudding user response:

It seems that this aspect of security is really important. Even Stackoverflow have a solution for this. It nested my posted error message above into special elements:

<code >
  <span >Failure</span>
  <span >in</span>
  wpdb-&amp;gt;query!&lt;br&gt;&lt;code&gt;You have an
  <span >error</span>
  <span >in</span>
  your SQL syntax; check the manual that corresponds
  <span >to</span> your MySQL server version
  <span >for</span> the right syntax
  <span >to</span>
  <span >use</span>
  near
  <span >'DDELETE</span>
  FROM wpdev_postmeta WHERE meta_key =
  <span >"custom_meta"</span>
  ' at
  <span >line</span>
  <span >1</span>&lt;/code&gt;
</code>

My solution was to replaced all spaces with the HTML entity &nbsp;. Then it also gets past the ModSecurity.

CodePudding user response:

So does that mean ModSecurity thinks it's an SQL injection? And how should I log my error then?

I don't think so.

Look at the log message:

ModSecurity: Access denied with code 404 (phase 4). Pattern match "You have an error in your SQL syntax; check the manual " at RESPONSE_BODY.

The key is the phase, which is 4 and the target: RESPONSE_BODY.

You are right that this is because of the ModSecurity (even more the used rule set), but it does not assume it's an SQL injection.

And how should I log my error then?

You should create an exclusion, which depends on URI/IP address/anything, and partially remove rule 361022, or the target RESPONSE_BODY at the rule.

  • Related