Plugin triggers ModSecurity

HI there,

Thanks for the detailed response. I’m not sure whether this requires a fix from Give yet. It could be a false-flag, or potentially you are running an older version of ModSecurity. Regardless, I’m digging into replicating the issue locally in order to understand the source of the problem better.

Regarding the PHP notice, naturally, we do have to occassionally use older PHP syntax in order to be compatible with hosting environments which run on older versions of PHP. That still doesn’t mean there is a vulnerability.

Lastly, if you are ever concerned about anything security related, please do not post here in the forum. If you did find a security issue, you would effectively be making it public where nefarious types could then exploit anyone running our plugin. Instead of posting here, contact us directly through our contact page and choose the option “I am reporting a security vulnerability”.

I’ll keep you posted on my progress. Thanks!

Can you direct me to where you are getting your ruleset from? Is this a default ruleset from your host? If so, what host are you using? If not, can you point me to a public place where I can download the ruleset?

Thanks!

In the meantime, let’s also try this. Please download this zip file:
https://www.dropbox.com/s/ti2biwyeoa5e3hk/give-fonts.zip?dl=0

These are the icomoon fonts that we use, but I just re-generated them directly from the iconmoon App. Please do the following:

1) Unzip the file
2) Upload the contents (4 font files total) to your Give plugin folder to the following location:
/wp-content/plugins/give/assets/fonts/
3) Activate the plugin again and let me know if you get the same warnings.

Thanks!

Hi Matt,

Thank you very much for responding.

Sorry I wasn’t as detailed / clear in the original post – I am the host. I’ve been running a small hosting service since 1996 (before Godaddy and Google even existed) and I started hosting WordPress sites in early 2004. Currently about 200 of the web sites I host are customers using WordPress, many of which I installed WP for them and several of which I do the basic WordPress maintenance for (since many users either aren’t aware that they need to keep WP and Plugins / Themes updated or are afraid to do it themselves). Many of them have very extensive sets of Plugins installed and no issues.

The ModSecurity ruleset in use on my servers is the common one that is built into the latest version of cPanel/WHM 11.56 – COMODO ModSecurity Apache Rule Set , latest version 1.87 – and you can see the complete ruleset at https://waf.comodo.com/user/cwaf_revisions (you can also download the ruleset there, with a free account).

If you have root admin access to a cPanel server running cPanel/WHM 11.48 or higher, you can log in to WHM and then go to Security Center > ModSecurity Vendors to view / enable / disable / edit the ruleset just like you can see in this old thread on the Comodo forums from over a year ago when the Comodo WAF rulset was first integrated and implemented by cPanel – https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/comodo-as-a-modsecurity-vendor-in-cpanel-t110147.0.html

Given the fact that the CVE is from 2012 and the rule being triggered by Give is:

[id “220030”] [rev “2”] [msg “COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)

It’s possible that it’s a false positive due to some older syntax mixed in with your plugin, but either way it will still cause users on servers running the latest version of cPanel with the latest version of Comodo WAF ModSecurity for Apache to run into problems and/or get blocked from their server when they attempt to access their WP Admin Dashboard with Give installed / enabled.

I followed your suggestion and downloaded the zip file of the icomoon fonts that you’ve provide at https://www.dropbox.com/s/ti2biwyeoa5e3hk/give-fonts.zip?dl=0 and then unzipped / uploaded them to the /wp-content/plugins/give/assets/fonts/ folder (overwriting the existing ones already there). I then re-enabled ModSecurity rule ID 220030 on the user’s account and logged into his WP admin Dashboard, and it still triggers the rule.

I’m disabling the Give plugin on the user’s account for now so that they can log in to their Dashboard without getting firewalled and letting them know that I’m working with you to find a better solution than disabling the ModSecurity rule.

By reading through your support forum here I can see that you are a responsive developer who actually cares about your plugin, so kudos for that! Since I host hundreds of WordPress sites I have to deal with a lot of plugins on behalf of customers and I wish all of them cared about their product as much as you do.

In fact, I would be more than happy to set you up with a test hosting account on one of my servers with a clean fresh installation of WordPress for you to experiment with in my very modern server environment, and would be happy to work directly with you on this if you’d like. If you’re interested just send me a private message with your direct email and I’ll contact you via my direct email (and phone if you’d like) since I do not post my company information here on the www.ads-software.com forum (mainly because I think it would break the rules & possibly considered spam, but also because you know I’d have everyone on the forums contacting me for support day & night).

It would be great to work with you directly outside of this forum, so just shoot me a private message if you’re interested. It would be good for both of us – for you because I can give you a real-time troubleshooting environment to assist you with this, and for me because we could eventually resolve this issue for my customer using your plugin ??

Side note – I’m preparing to upgrade the native PHP from 5.5 to 5.6 on all of my servers, but I do have the ability to set individual accounts to any version from PHP 5.4 to PHP 7 for testing purposes. Nice for development / troubleshooting.

Hope to speak with you soon,
Dave

Hey Dave,

We’re looking deeper into this and can’t reproduce it without the ModSecurity setup you have. Please contact us at https://givewp.com/contact so we can discuss in more detail.

Thanks!

HI Dave,

We want to experiment with just removing that icomoon.ttf file. We don’t believe any modern browser or mobile device will actually load it. Please try deleting your current copy of Give, and install this copy instead:

https://www.dropbox.com/s/srv2i1clpbg33fe/give.zip?dl=0

Then run your ModSecurity rule and let us know what you find.

Thanks!

Did anyone ever come up with a fix to this. I am having this same issue right now with the give plug -in.

@rfelton What version of the plugin are you using? This should be fixed in the latest version as the .ttf file being flagged was removed. Do you know which file is being flagged now?

Hi Devin
Looks like Version 3.
wp-content/plugins/give/assets/fonts/icomoon.woff

Requires at least: 4.2
Tested up to: 4.7
Stable tag: 1.7.2
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html

Thanks @rfelton – do you have any additional information as to why this is being flagged?

All I really could get was it was triggering a rule on the mod security. Im on a vh server. I had the plug in running for a month before this happened and it only happened while I was working on it. Im guessing that it may have happened because I had set up a couple of wp installs in other sub domains as a test environment. I had the plug in on all of them so it may have been making calls from all those installs. When they white listed it at first it wasn’t working. I finally un-installed it except for one location and they did a global whitelist and since then I havent had any issues.
Thanks for looking out. I can get the chat transcripts from the support chat if you want but what was outlined by this other gentleman is exactly what happened to me but of course with a different font file.