Hi guys,
I am still having problems with the Virtualmin phpMyAdmin installer script.
In Virtualmin, if I go into a sub server (whilst logged in as the root user) and then install phpMyAdmin whilst accepting all defaults, I cannot browse phpMyAdmin at all. It throws a “forbidden, you don't have permission to access this resource” error.
Also, if I install phpMyAdmin admin from the primary virtual server, I cannot add sub server databases to it!
When I check the Apache error logs, ModSecurity seems to be what is blocking it… the question is, why does ModSecurity have a problem with the Inbound Anomaly score? Is this my end that is causing the problem?
> ModSecurity: Warning. Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on\\\\w+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=)" at REQUEST_COOKIES:pmaUser-1_https. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "125"] [id "941120"] [rev "2"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 3oNAuw= found within REQUEST_COOKIES:pmaUser-1_https: {\\x22iv\\x22:\\x22yF6zNnkF82RXbFUV3oNAuw==\\x22,\\x22mac\\x22:\\x2280b45d3bd72479c21eddfe7153d15f42813e37d9\\x22,\\x22payload\\x22:\\x226cJbBzb/uAMGA1wzouTzHQ==\\x22}"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "membership.virtualsubserver.com"] [uri "/phpmyadmin/"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]
> [Tue Jun 30 23:04:33.582463 2020] [:error] [pid 21081:tid 140330808571648] [client 12.34.56.78:49719] [client 12.34.56.78] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "membership.virtualsubserver.com"] [uri "/phpmyadmin/"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]
> [Tue Jun 30 23:04:33.582760 2020] [:error] [pid 21081:tid 140330808571648] [client 12.34.56.78:49719] [client 12.34.56.78] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 2: Event Handler Vector"] [tag "event-correlation"] [hostname "membership.virtualsubserver.com"] [uri "/phpmyadmin/"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]
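
An added example, not part of the original post: a small Python triage of the log entries above that groups them by `unique_id`, separates the rule that added to the anomaly score from the CRS rules that only evaluate it, and re-runs rule 941120's pattern on each field of the logged `pmaUser-1_https` cookie. The sample log is the post's first two entries shortened to the fields used, and all function names are illustrative.

```python
import json
import re
from collections import defaultdict

# Rule 941120's pattern, copied from the log above with the paste's extra backslashes removed.
RULE_941120 = re.compile(
    r"""(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on\w+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)""")

# Constructed sample: the first two log entries from the post, shortened to the fields used here.
SAMPLE_LOG = r'''
ModSecurity: Warning. Pattern match "..." at REQUEST_COOKIES:pmaUser-1_https. [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 3oNAuw= found within REQUEST_COOKIES:pmaUser-1_https: {\\x22iv\\x22:\\x22yF6zNnkF82RXbFUV3oNAuw==\\x22,\\x22mac\\x22:\\x2280b45d3bd72479c21eddfe7153d15f42813e37d9\\x22,\\x22payload\\x22:\\x226cJbBzb/uAMGA1wzouTzHQ==\\x22}"] [uri "/phpmyadmin/"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]
ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/phpmyadmin/"] [unique_id "Xvs4YWic6bwAAFJZHVwAAAAR"]
'''
BLOCKING_IDS = {"949110", "980130"}  # CRS evaluation/correlation rules seen in the post

def parse(line):
    """Return the [key "value"] fields of one ModSecurity log entry as a dict."""
    return dict(re.findall(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]', line))

def unescape(text):
    """Turn the log's \\x22-style escapes back into the original characters."""
    return re.sub(r"\\+x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def triage(log):
    """Per request: was it blocked, and which detection rules added to the score?"""
    by_request = defaultdict(list)
    for line in log.splitlines():
        fields = parse(line)
        if "id" in fields and "unique_id" in fields:
            by_request[fields["unique_id"]].append(fields)
    return {uid: {"blocked": any(e["id"] == "949110" for e in entries),
                  "scoring_rules": [e["id"] for e in entries if e["id"] not in BLOCKING_IDS],
                  "uri": entries[0].get("uri")}
            for uid, entries in by_request.items()}

def matched_cookie_fields(line):
    """Re-run the rule pattern on each JSON field of the logged cookie value."""
    cookie = json.loads(unescape(parse(line)["data"]).split(": ", 2)[2])
    return {k: m.group(1) for k, v in cookie.items() if (m := RULE_941120.search(v))}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(matched_cookie_fields(SAMPLE_LOG.strip().splitlines()[0]))
```

On the sample, the only scoring rule for the blocked request is 941120, and its pattern matches `3oNAuw=` inside the base64 `iv` field of the cookie, the same "Matched Data" the log reports.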