eMail Vorlagen Vorschau löst ModSecurity aus

Hy,

ich habe den Shop eines Kunden auf einen neuen Server mit den neusten Sicherheitsfunktionen umgezogen.
Nun scheint ModSecurity die Vorschau der eMail-Vorlagen nicht mehr zu mögen und sperrt.

Die Frage ist nun, da dies ja eine False/Positive Meldung ist, an wen richtet man das Fehlverhalten? Bei Shopware, Atomicorp oder Plesk?
 

[Mon Jan 16 16:02:54.957722 2017] [:error] [pid 13334] [client 212. ***.***.***] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ((?:submit(?:\\\\+| )?(request)?(?:\\\\+| )?>+|<+)$|^< ?\\\\??(?: |\\\\+)?xml|^> ?$)" against "ARGS:value" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "308"] [id "350147"] [rev "143"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potentially Untrusted Web Content Detected"] [data ""] [severity "CRITICAL"] [hostname "www.*****.de"] [uri "/backend/mail/verifySmarty"] [unique_id "W *****n***** MAADQWwrw *****"]
[Mon Jan 16 16:03:07.370223 2017] [:error] [pid 13334] [client 212. ***.***.***] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ((?:submit(?:\\\\+| )?(request)?(?:\\\\+| )?>+|<+)$|^< ?\\\\??(?: |\\\\+)?xml|^> ?$)" against "ARGS:value" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "308"] [id "350147"] [rev "143"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potentially Untrusted Web Content Detected"] [data ""] [severity "CRITICAL"] [hostname "www.*****.de"] [uri "/backend/mail/verifySmarty"] [unique_id "W *****d2***** ADQWwr4A *****"]
[Mon Jan 16 16:03:17.217145 2017] [:error] [pid 24384] [client 212. ***.***.***] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ((?:submit(?:\\\\+| )?(request)?(?:\\\\+| )?>+|<+)$|^< ?\\\\??(?: |\\\\+)?xml|^> ?$)" against "ARGS:value" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "308"] [id "350147"] [rev "143"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potentially Untrusted Web Content Detected"] [data ""] [severity "CRITICAL"] [hostname "www.*****.de"] [uri "/backend/mail/verifySmarty"] [unique_id "W *****d2***** AF9 *****iE*****"]

 

Die Zeilen in ModSecurity 50_plesk_basic_asl_rules.conf:

 

#suspicious code
SecRule REQUEST_URI "!(?:/admin/(?:[a-z]+/save|publish|\?op=editlink|content/update)|/secure/roundcube/|/backend\.php/property/save|/edit/|/home/add|/\?act=edit|/site-content/|/project/update/|/index\.php\?option=com_?(?:easyblog|resource&controller=article|comprofiler&task=my_profile|aclassif)|/index\.php/datafeedmanager/adminhtml_datafeedmanager/save|/index\.php\?mode=(?:new|edit)story|^/filemanager/filemanager\.php|^/user_info/edit_profile/|/admin/editor/|^/user\.php\?op=edituser&htmltext=|^/admin/structure/|option=com_rsform&task=forms\.edit|^/ndxz-?studio/\?a=|^/support/agent|^/elements/save|^/settings/in_place_save/|^/ndxz2/|^/([a-z]+/)?index\.php/admin/s(?:ystem_config|ubject)/|^/(a-z)+/admin/programs/update_program|^/backoffice/\?op=editaccom|^/za/zcadm|^/efthuko\.php\?mod=editnews|^/mm-panel/index\.php|/ndxzstudio/|destination=admin/structure|/cms/db_manage\.php)" \
         "phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,capture,id:350147,rev:143,severity:2,msg:'Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Potentially Untrusted Web Content Detected',chain,logdata:'%{TX.0}'"
SecRule ARGS|ARGS_NAMES|!ARGS:/^ADVERT_/|!ARGS:tracklist|!ARGS:connectorPassword|!ARGS:sotenson|!ARGS:/Settings/|!ARGS:code1|!ARGS:/promo/|!ARGS:view|!ARGS:record_json|!ARGS:/offer/|!ARGS:op|!ARGS:geweest|!ARGS:send|!ARGS:pressestimmen|!ARGS:name|!ARGS:imagemap|!ARGS:/^extra/|!ARGS:afbeelding|!ARGS:action_name|!ARGS:nieuwsbrief|!ARGS:/locatie/|!ARGS:ingredients|!ARGS:priceField|!ARGS:inhoud|!ARGS:f_main|!ARGS:/error/|!ARGS:komentar|!ARGS:uvod|!ARGS:/^field_/|!ARGS:customized|!ARGS:/fullnews/|!ARGS:vraag|!ARGS:/^textarea-video/|!ARGS:/_layout_/|!ARGS:/^FieldValue/|!ARGS:areacomum|!ARGS:lomake|!ARGS:vastaus|!ARGS:/^values/|!ARGS:target|!ARGS:areaprivativa|!ARGS:areas|!ARGS:qti_data|!ARGS:templatecode|!ARGS:i_google|!ARGS:code_area_text|!ARGS:/^help_/|!ARGS:quote|!ARGS:notice|!ARGS:userdata|!ARGS:source|!ARGS:/^book/|!ARGS:/leftcol/|!ARGS:mes|!ARGS:sisalto|!ARGS:reg_rules|!ARGS:/sidebar/|!ARGS:/ad_code/|!ARGS:json|!ARGS:wpreason|!ARGS:extended|!ARGS:/Kirjoitukset/|!ARGS:item_list|!ARGS:/x_line_item/|!ARGS:/^var_value/|!ARGS:valori|!ARGS:/rightcol/|!ARGS:/^instance/|!ARGS:/pimage/|!ARGS:/allowedTags/|!ARGS:/^zcck/|!ARGS:/includes/|!ARGS:/^button/|!ARGS:/accommodation/|!ARGS:/restaurant/|!ARGS:/^breves/|!ARGS:/testimonial/|!ARGS:feature|!ARGS:headstone|!ARGS:/formcode/|!ARGS:/log/|!ARGS:/metatags/|!ARGS:/^customfield/|!ARGS:/^fields/|!ARGS:/embed/|!ARGS:val333|!ARGS:/banner/|!ARGS:/synopsis/|!ARGS:cb_talks|!ARGS:log|!ARGS:/^bt_|!ARGS:/next/|!ARGS:changedept|!ARGS:receipt_address|!ARGS:narrative|!ARGS:/results/|!ARGS:/teaser/|!ARGS:EnTrar|!ARGS:cv|!ARGS:dati|!ARGS:/experience/|!ARGS:/plan/|!ARGS:/itinerary/|!ARGS:do|!ARGS:/para/|!ARGS:do|!ARGS:perex|!ARGS:/highlight/|!ARGS:/bio/|!ARGS:/short/|!ARGS:advanced|!ARGS:/contact/|!ARGS:/google_analytics/|!ARGS:review|!ARGS:rules|!ARGS:meta|!ARGS:/observacao/|!ARGS:/caption/|!ARGS:feed_product|!ARGS:/bbclosed/|!ARGS:logoutRequest|!ARGS:video1|!ARGS:/js_payload/|!ARGS:/abstract/|!ARGS:pc_main|!ARGS:/^property/|!ARGS:/notice/|!ARGS:/config/|!ARGS:/welcome/|!ARGS:des|!ARGS:pwd|!ARGS:structure|!ARGS:/tweet/|!ARGS:/table/|!ARGS:tag|!ARGS:ad_code|!ARGS:romancode|!ARGS:model|!ARGS:thecode|!ARGS:rqst|!ARGS:/^input_/|!ARGS:dhltrack|!ARGS:reflection|!ARGS:media|!ARGS:blurb|!ARGS:Thankyou|!ARGS:/OSDCS/|!ARGS:continue|!ARGS:do|!ARGS:waarde|!ARGS:img_alt|!ARGS:notes|!ARGS:intro|!ARGS:drugs|!ARGS:/writing/|!ARGS:terms|!ARGS:/announ/|!ARGS:highlights|!ARGS:/^eeta-/|!ARGS:profile|!ARGS:ARGS:prod_detalle|!ARGS:/^News/|!ARGS:request|!ARGS:copy|!ARGS:/MapField/|!ARGS:/email/|!ARGS:main|!ARGS:/admin/|!ARGS:/suffix/|!ARGS:/prefix/|!ARGS:validatepromo|!ARGS:payment_sel|!ARGS:/title/|!ARGS:/submit/|!ARGS:contenu|!ARGS:/xjxargs/|!ARGS:block|!ARGS:btnCheckout|!ARGS:nav|!ARGS:/instructions/|!ARGS:/info/|!ARGS:recompose|!ARGS:compose|!ARGS:/^bname/|!ARGS:groupWelcomeScreen|!ARGS:langbericht|!ARGS:next|!ARGS:xsym_sym_brief|!ARGS:creategallery|!ARGS:/^copyright/|!ARGS:lease|!ARGS:livezillacode|!ARGS:sighting|!ARGS:cleaning|!ARGS:/^gui/|!ARGS:/Import_Cell/|!ARGS:/reply/|!ARGS:/^bbcode/|!ARGS:subhead|!ARGS:subject|!ARGS:_cc|!ARGS:resume|!ARGS:addtoclass|!ARGS:/intro/|!ARGS:/answer/|!ARGS:registration_prices|!ARGS:registration_discounts|!ARGS:venue|!ARGS:/opportunit/|!ARGS:agenda|!ARGS:workshop|!ARGS:/^mainman/|!ARGS:features|!ARGS:/problem/|!ARGS:/signature/|!ARGS:/question/|!ARGS:entry|!ARGS:/form/|!ARGS:/desc/|!ARGS:/qualification/|!ARGS:/detail/|!ARGS:/^p_process_chats/|!ARGS:obj_itop|!ARGS:/cms/|!ARGS:eventDescription|!ARGS:/script/|!ARGS:/^product/|!ARGS:descr|!ARGS:/products_description/|!ARGS:/report/|!ARGS:/product_desc/|!ARGS:description_short_1|!ARGS:eip_value|!ARGS:/^usergroup/|!ARGS:sendDescription|!ARGS:email_id|!ARGS:obj_itop|!ARGS:sml_prt_1|!ARGS:pay_inst_1|!ARGS:/^jform/|!ARGS:phpcode|!ARGS:intro|!ARGS:Snippet|!ARGS:oid|!ARGS:Submit2|!ARGS:/^obj_/|!ARGS:layout|!ARGS:pageset|!ARGS:/^site_/|!ARGS:/translation/|!ARGS:create_tables|!ARGS:insertfile|!ARGS:video_credits|!ARGS:input[Desarrollo]|!ARGS:move2|!ARGS:hoperation|!ARGS:login_form|!ARGS:/product_benefits/|!ARGS:/custom_code/|!ARGS:arg2|!ARGS:resumoDetalhe|!ARGS:bbcode_tpl|!ARGS:Right_photo_1|!ARGS:/embed/|!ARGS:/^K2ExtraField/|!ARGS:mentorhelp|!ARGS:/submitcode/|!ARGS:beschrijving|!ARGS:custombannercode|!ARGS:bannercode|!ARGS:privatecapacity|!ARGS:diz|!ARGS:FormLayout|!ARGS:/^fck/|!ARGS:parent_name|!ARGS:/^code_tscript/|!ARGS:/^_qf_/|!ARGS:project_company|!ARGS:categories_title|!ARGS:antwoord|!ARGS:project_company|!ARGS:signature|!ARGS:paepdc|!ARGS:tpl_source|!ARGS:teaser_js|!ARGS:/^autoDS/|!ARGS:FrmSide|!ARGS:mainKeywords|!ARGS:/VB_announce/|!ARGS:guardar|!ARGS:/serendipity/|!ARGS:omschrijving|!ARGS:/solution/|!ARGS:newyddionc|!ARGS:bericht|!ARGS:property_copy|!ARGS:/^outpay/|!ARGS:bedrijfsprofiel|!ARGS:s_query|!ARGS:finish_survey|!ARGS:photolater|!ARGS:ticket_response|!ARGS:/element/|!ARGS:option[vbpclosedreason]|!ARGS:/introduction/|!ARGS:/contenido/|!ARGS:/sql/|!ARGS:prefix|!ARGS:query|!ARGS:c_features|!ARGS:/tekst/|!ARGS:other_clubs|!ARGS:/^elm/|!ARGS:/^saes/|!ARGS:dlv_instructions|!ARGS:/^cymr/|!ARGS:_qf_Register_upload|!ARGS:/^elm/|!ARGS:verbiage|!ARGS:news|!ARGS:/^wz/|!ARGS:tiny_vals|!ARGS:sSave|!ARGS:/article/|!ARGS:/about/|!ARGS:/Summarize/|!ARGS:/^product_options/|!ARGS:/SiteStructure/|!ARGS:/anmerkung/|!ARGS:/summary/|!ARGS:/edit/|!ARGS:reply|!ARGS:/story/|!ARGS:resource_box|!ARGS:navig|!ARGS:preview__hidden|!ARGS:/page/|!ARGS:order|!ARGS:/post/|!ARGS:youtube|!ARGS:reply|!ARGS:business|!ARGS:/homePage/|!ARGS:pagimenu_inhoud|!ARGS:/note/|!ARGS:Post|!ARGS:area|!ARGS:/detail/|!ARGS:/comment/|!ARGS:LongDesc|!ARGS:ta|!ARGS:/data/|!ARGS:Returnid|!ARGS:busymess|!ARGS_NAMES:/^V\*/|!ARGS_NAMES:/^S\*/|!ARGS:/^quickrise_advertise/|!ARGS:rt_xformat|!ARGS:/wysiwyg/|!ARGS:contingut|!ARGS:/^werg/|!ARGS:/body/|!ARGS:/css/|!ARGS:/^section/|!ARGS:/msg/|!ARGS:t_cont|!ARGS:/^doc/|!ARGS:/xml/|!ARGS:tekst|!ARGS:formsubmit|!ARGS:invoice_snapshot|!ARGS:submit|!ARGS:/message/|!ARGS:/html/|!ARGS:/content/|!ARGS:/footer/|!ARGS:/header/|!ARGS:/footer/|!ARGS:/link/|!ARGS:/text/|!ARGS:/txt/|!ARGS:/refer/|!ARGS:/referrer/|!ARGS:/template/|!ARGS:/ajax/|!ARGS:/tagline/ "(?:> ?< ?(?:img ?src|a ?href) ?= ?(?:ht|f)tps?:/|\" ?> ? ?\"? ?(?:>|)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:replaceNulls,t:compressWhiteSpace,t:lowercase,chain"
SecRule MATCHED_VARS|!MATCHED_VARS:REQUEST_URI "!@rx ((?:submit(?:\+| )?(request)?(?:\+| )?>+|<+)$|^< ?\??(?: |\+)?xml|^> ?$)" "t:none,t:removeNulls,t:urlDecodeUni,t:htmlEntityDecode,t:jsdecode,t:cssdecode,t:removeComments,t:compressWhitespace,t:lowercase"

SecMarker END_XSS_ATTACKS_D1

 

Das Problem ist seit 2 Jahren immer noch nicht behoben!! Das ist leider gestern auch passiert. 

Naja soweit ich mich erinnern kann unterstützt Shopware mod_security nicht direkt. Wäre eher Serveradministration (Konfiguration). Das Problem müsstest demnach Du beheben.

EDIT:

https://forum.shopware.com/discussion/55793/backendaenderungen-werden-nicht-uebernommen-400-bad-request-your-browser-sent-a-request

1 „Gefällt mir“