[wp-trac] [WordPress Trac] #35412: ModSecurity2 blocks Potential Obfuscated Javascript in outbound anomaly

WordPress Trac noreply at wordpress.org
Tue Jan 12 09:30:51 UTC 2016


#35412: ModSecurity2 blocks Potential Obfuscated Javascript in outbound anomaly
--------------------------+-----------------------------
 Reporter:  becki         |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  4.4.1
 Severity:  normal        |   Keywords:
  Focuses:  javascript    |
--------------------------+-----------------------------
 hello there ;)

 Since the 4.4.1 update, mod_security reports a potential obfuscated
 JavaScript in outbound and blocks WordPress.

 I'm using OWASP_CRS/2.2.9, and the mod_security rule triggering this is
 '''ID 981004'''. It reports the following:


 {{{
 Rule Message: Potential Obfuscated Javascript in Output - Excessive
 fromCharCode
 Event: Pattern match "(?i)(String\\.fromCharCode\\(.*?){4,}" at
 RESPONSE_BODY
 Data: Matched Data:
 String.fromCharCode(55356,56806,55356,56826),0,0),d.toDataURL().length>3e3):\x22diversity\x22===a?(e.fillText(String.fromCharCode(55356,57221),0,0),c=e.getImageData(16,16,1,1).data.toString(),e.fillText(String.fromCharCode(55356,57221,55356,5
 Tag: OWASP_CRS/MALICIOUS_CODE
 Tag: bugtraq,13544
 }}}


 {{{
 Rule Message: Outbound Anomaly Score Exceeded (score 4): The application
 is not available
 Event: Operator GE matched 4 at TX:outbound_anomaly_score
 }}}

 The mod_security regex is matched in the _wpemojiSettings / function,
 finally resulting in mod_security blocking WordPress ;(

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35412>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
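
The false positive above can be reproduced without a web server by running the
rule's own regex over the response body. The following is an added example,
not code from the ticket, from WordPress or from the CRS project: it applies
the pattern quoted in the ticket to a constructed stand-in for the emoji
feature-detection script (modelled on the "Matched Data" shown, with a fourth
call added so it reaches the rule's {4,} threshold; it is not the real
wp-emoji file) and to a constructed page with only three calls. The scoring
model in outbound_blocked() is an assumption taken from the ticket's own
events (one 981004 hit scored 4, threshold 4), not read from a CRS config.

```python
import re

# Pattern exactly as quoted from CRS 2.2.9 rule 981004 in the ticket above.
# Note that it does not look for obfuscation as such: any response with four
# or more String.fromCharCode( calls anywhere in it satisfies the {4,}.
CRS_981004_RE = re.compile(r"(?i)(String\.fromCharCode\(.*?){4,}")

# Constructed stand-in for the WordPress emoji feature-detection script.
# Modelled on the ticket's "Matched Data"; the real script is longer.
EMOJI_DETECT_JS = (
    'e.fillText(String.fromCharCode(55356,56806,55356,56826),0,0),'
    'd.toDataURL().length>3e3):"diversity"===a?'
    '(e.fillText(String.fromCharCode(55356,57221),0,0),'
    'c=e.getImageData(16,16,1,1).data.toString(),'
    'e.fillText(String.fromCharCode(55356,57221,55356,57343),0,0),'
    'c!==e.getImageData(16,16,1,1).data.toString()):'
    '(e.fillText(String.fromCharCode(55356,57342),0,0),d.toDataURL().length>3e3)'
)

# Constructed benign page with only three calls, i.e. below the threshold.
SMALL_JS = (
    'var a=String.fromCharCode(72);var b=String.fromCharCode(105);'
    'var c=String.fromCharCode(33);'
)


def fromcharcode_calls(body):
    """Count String.fromCharCode( occurrences, case-insensitively as the rule does."""
    return len(re.findall(r"String\.fromCharCode\(", body, flags=re.IGNORECASE))


def rule_981004_fires(body):
    """True if the CRS 981004 regex would match this RESPONSE_BODY."""
    return CRS_981004_RE.search(body) is not None


def outbound_blocked(body, rule_score=4, threshold=4):
    """Model the outbound anomaly decision the ticket shows.

    Assumption (from the ticket's events, not from a CRS config file): a single
    981004 hit contributes 4 to TX:outbound_anomaly_score, and the
    'Operator GE matched 4' event fires once the score reaches the threshold.
    """
    score = rule_score if rule_981004_fires(body) else 0
    return score >= threshold


if __name__ == "__main__":
    for name, body in (("emoji detection", EMOJI_DETECT_JS), ("small page", SMALL_JS)):
        print(f"{name}: {fromcharcode_calls(body)} call(s), "
              f"981004 fires={rule_981004_fires(body)}, "
              f"blocked={outbound_blocked(body)}")
```

Because the match is purely a count of calls, any page that embeds the emoji
detection script trips the rule regardless of how the rest of the output
looks. Until the rule or the script changes, the usual ModSecurity-side
workaround is to disable the rule for the affected host (for example
SecRuleRemoveById 981004 in that virtual host's configuration) rather than
lowering the outbound anomaly threshold for everything.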