It was actually a card for fixing another ModSecurity issue with Matrix, haha, but it gave me this error:
{
"transaction": {
"client_ip": "192.168.1.1",
"time_stamp": "Tue Jul 2 15:30:46 2024",
"server_id": "fade3de079ac9ce77586b1809c4a4",
"client_port": 38057,
"host_ip": "10.42.0.46",
"host_port": 443,
"unique_id": "171992704647.640017",
"request": {
"method": "PUT",
"http_version": 2,
"uri": "/apps/deck/cards/175",
"body": "{\"id\":175,\"title\":\"fix modSecurity rule exception for matrix photo uploads\",\"description\":\"Moved matrix, grafana, and postgresql rules into their own plugins in this commit: \\n<https://github.com/small-hack/argocd-apps/commit/3b10470ae85b81d2452106c2094814f0713b3f48>\\n\\nhad to reopen this\\n\\n```\\n2024/07/02 15:21:45 [error] 1908#1908: *2728331 [client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). Matched \\\"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file \\\"/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\\\"] [line \\\"81\\\"] [id \\\"949110\\\"] [rev \\\"\\\"] [msg \\\"Inbound Anomaly Score Exceeded (Total Score: 5)\\\"] [data \\\"\\\"] [severity \\\"2\\\"] [ver \\\"OWASP_CRS/3.3.5\\\"] [maturity \\\"0\\\"] [accuracy \\\"0\\\"] [tag \\\"application-multi\\\"] [tag \\\"language-multi\\\"] [tag \\\"platform-multi\\\"] [tag \\\"attack-generic\\\"] [hostname \\\"10.42.0.34\\\"] [uri \\\"/_matrix/media/r0/upload\\\"] [unique_id \\\"171992650595.932620\\\"] [ref \\\"\\\"], client: 192.168.1.1, server: xxxxxx.xxxxxx.xxxxxx, request:\\\"POST /_matrix/media/r0/upload HTTP/1.1\\\", host: \\\"xxxxxx.xxxxxx.xxxxxx\\\"\\n```\",\"stackId\":43,\"type\":\"plain\",\"lastModified\":1719927039.722,\"lastEditor\":null,\"createdAt\":1719915377,\"labels\":[{\"id\":50,\"title\":\"matrix \",\"color\":\"0082c9\",\"boardId\":37,\"cardId\":175,\"lastModified\":0,\"ETag\":\"cfcd208495d565ef66e7dff9f98764da\"},{\"id\":145,\"title\":\"modsecurity\",\"color\":\"3e253a\",\"boardId\":37,\"cardId\":175,\"lastModified\":0,\"ETag\":\"cfcd208495d565ef66e7dff9f98764da\"}],\"assignedUsers\":[{\"id\":170,\"participant\":{\"primaryKey\":\"myuser\",\"uid\":\"myuser\",\"displayname\":\"my user\",\"type\":0},\"cardId\":175,\"type\":0}],\"attachments\":null,\"attachmentCount\":0,\"owner\":{\"primaryKey\":\"myuser\",\"uid\":\"myuser\",\"displayname\":\"my 
user\",\"type\":0},\"order\":0,\"archived\":false,\"done\":\"2024-07-02T10:41:06+00:00\",\"duedate\":null,\"deletedAt\":0,\"commentsUnread\":0,\"commentsCount\":0,\"ETag\":\"514f35643b51eb2c03b0829c3ba69a75\",\"overdue\":0}",
"headers": {
"origin": "https://cloud.mydomain.com",
"dnt": "1",
"requesttoken": "xxxxx/xxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxx=:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"x-requested-with": "XMLHttpRequest, XMLHttpRequest",
"content-type": "application/json",
"accept-encoding": "gzip, deflate, br, zstd",
"cookie": "__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; xxxxxxxxxxxx=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; VouchCookie=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"content-length": "1962",
"accept-language": "en-US,en;q=0.5",
"te": "trailers",
"accept": "application/json, text/plain, */*",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0",
"sec-fetch-site": "same-origin",
"host": "cloud.mydomain.com",
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors"
}
},
"response": {
"body": "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n",
"http_code": 403,
"headers": {
"Server": "",
"Date": "Tue, 02 Jul 2024 13:30:46 GMT",
"Content-Length": "146",
"Content-Type": "text/html",
"Connection": "close",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains"
}
},
"producer": {
"modsecurity": "ModSecurity v3.0.12 (Linux)",
"connector": "ModSecurity-nginx v1.0.3",
"secrules_engine": "Enabled",
"components": [
"OWASP_CRS/3.3.5\""
]
},
"messages": [
{
"message": "HTTP Request Smuggling Attack",
"details": {
"match": "Matched \"Operator `Rx' with parameter `(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+(?:\\/|\\w)[^\\s]*(?:\\s+http\\/\\d|[\\r\\n])' against variable `REQUEST_BODY' (Value: `{\"id\":175,\"title\":\"fix modSecurity rule exception for matrix photo uploads\",\"description\":\"Moved mat (1862 characters omitted)' )",
"reference": "o923,36v17,992t:urlDecodeUni,t:htmlEntityDecode,t:lowercaseo1058,36v1228,1962t:urlDecodeUni,t:htmlEntityDecode,t:lowercase",
"ruleId": "921110",
"file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf",
"lineNumber": "34",
"data": "Matched Data: post /_matrix/media/r0/upload http/1 found within REQUEST_BODY: {\"id\":175,\"title\":\"fix modsecurity rule exception for matrix photo uploads\",\"description\":\"moved matrix, grafana, and postgresql rules into their own plugins in this commit: \\n<https://github.com/small-hack/argocd-apps/commit/3b10470ae85b81d2452106c2094814f0713b3f48>\\n\\nhad to reopen this\\n\\n```\\n2024/07/02 15:21:45 [error] 1908#1908: *2728331 [client 192.168.1.1] modsecurity: access denied with code 403 (phase 2). matched \\\"operator `ge' with parameter `5' against variable `tx:anomaly_score' (value: `5' ) [file \\\"/etc/nginx/owasp-modsecurity-crs/rules/request-949-blocking-evaluation.conf\\\"] [line \\\"81\\\"] [id \\\"949110\\\"] [rev \\\"\\\"] [msg \\\"inbound anomaly score exceeded (total score: 5)\\\"] [data \\\"\\\"] [severity \\\"2\\\"] [ver \\\"owasp_crs/3.3.5\\\"] [maturity \\\"0\\\"] [accuracy \\\"0\\\"] [tag \\\"application-multi\\\"] [tag \\\"language-multi\\\"] [tag \\\"platform-multi\\\"] [tag \\\"attack-generic\\\"] [hostname \\\"10.42.0.34\\\"] [uri \\\"/_matrix/media/r0/upload\\\"] [unique_id \\\"171992650595.932620\\\"] [ref \\\"\\\"], client: 192.168.1.1, server: xxxxxx.xxxxxx.xxxxxx, request: \\\"post /_matrix/media/r0/upload http/1.1\\\", host: \\\"xxxxxx.xxxxxx.xxxxxx\\\"\\n```\",\"stackid\":43,\"type\":\"plain\",\"lastmodified\":1719927039.722,\"lasteditor\":null,\"createdat\":1719915377,\"labels\":[{\"id\":50,\"title\":\"matrix \",\"color\":\"0082c9\",\"boardid\":37,\"cardid\":175,\"lastmodified\":0,\"etag\":\"cfcd208495d565ef66e7dff9f98764da\"},{\"id\":145,\"title\":\"modsecurity\",\"color\":\"3e253a\",\"boardid\":37,\"cardid\":175,\"lastmodified\":0,\"etag\":\"cfcd208495d565ef66e7dff9f98764da\"}],\"assignedusers\":[{\"id\":170,\"participant\":{\"primarykey\":\"myuser\",\"uid\":\"myuser\",\"displayname\":\"my 
user\",\"type\":0},\"cardid\":175,\"type\":0}],\"attachments\":null,\"attachmentcount\":0,\"owner\":{\"primarykey\":\"myuser\",\"uid\":\"myuser\",\"displayname\":\"my user\",\"type\":0},\"order\":0,\"archived\":false,\"done\":\"2024-07-02t10:41:06 00:00\",\"duedate\":null,\"deletedat\":0,\"commentsunread\":0,\"commentscount\":0,\"etag\":\"514f35643b51eb2c03b0829c3ba69a75\",\"overdue\":0}",
"severity": "2",
"ver": "OWASP_CRS/3.3.5",
"rev": "",
"tags": [
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/210/272/220/33"
],
"maturity": "0",
"accuracy": "0"
}
},
{
"message": "HTTP Response Splitting Attack",
"details": {
"match": "Matched \"Operator `Rx' with parameter `(?:\\bhttp/\\d|<(?:html|meta)\\b)' against variable `ARGS:json.description' (Value: `Moved matrix, grafana, and postgresql rules into their own plugins in this commit: \\x0a<https://git (913 characters omitted)' )",
"reference": "o953,6v17,992t:urlDecodeUni,t:htmlEntityDecode,t:lowercase",
"ruleId": "921130",
"file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf",
"lineNumber": "89",
"data": "Matched Data: http/1 found within ARGS:json.description: moved matrix, grafana, and postgresql rules into their own plugins in this commit: \n<https://github.com/small-hack/argocd-apps/commit/3b10470ae85b81d2452106c2094814f0713b3f48>\n\nhad to reopen this\n\n```\n2024/07/02 15:21:45 [error] 1908#1908: *2728331 [client 192.168.1.1] modsecurity: access denied with code 403 (phase 2). matched \"operator `ge' with parameter `5' against variable `tx:anomaly_score' (value: `5' ) [file \"/etc/nginx/owasp-modsecurity-crs/rules/request-949-blocking-evaluation.conf\"] [line \"81\"] [id \"949110\"] [rev \"\"] [msg \"inbound anomaly score exceeded (total score: 5)\"] [data \"\"] [severity \"2\"] [ver \"owasp_crs/3.3.5\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"10.42.0.34\"] [uri \"/_matrix/media/r0/upload\"] [unique_id \"171992650595.932620\"] [ref \"\"], client: 192.168.1.1, server: xxxxxx.xxxxxx.xxxxxx, request: \"post /_matrix/media/r0/upload http/1.1\", host: \"xxxxxx.xxxxxx.xxxxxx\"\n```",
"severity": "2",
"ver": "OWASP_CRS/3.3.5",
"rev": "",
"tags": [
"application-multi",
"language-multi",
"platform-multi",
"attack-protocol",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/210/272/220/34"
],
"maturity": "0",
"accuracy": "0"
}
},
{
"message": "Inbound Anomaly Score Exceeded (Total Score: 15)",
"details": {
"match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' )",
"reference": "",
"ruleId": "949110",
"file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"lineNumber": "81",
"data": "",
"severity": "2",
"ver": "OWASP_CRS/3.3.5",
"rev": "",
"tags": [
"application-multi",
"language-multi",
"platform-multi",
"attack-generic"
],
"maturity": "0",
"accuracy": "0"
}
}
]
}
}
Looks like it hit the following rules: 921110, 921130, 949110.
If so, I could try and submit a PR for this. If not, please let me know what the best course of action is 🙏
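
Added example, not part of the original post or of any project's code: a short Python triage of an audit entry shaped like the one above. It separates the rules that detected something (921110, 921130) from the blocking evaluation (949110) and builds a path-scoped exclusion for review. The sample entry is constructed and trimmed; the rule id `1000` and the `@beginsWith` path scope are assumptions.

```python
import json
import re

# Constructed sample: same shape as the audit entry above, long values trimmed.
SAMPLE = json.dumps({"transaction": {
    "request": {"method": "PUT", "uri": "/apps/deck/cards/175"},
    "messages": [
        {"message": "HTTP Request Smuggling Attack", "details": {
            "ruleId": "921110",
            "match": "Matched \"Operator `Rx' with parameter `...' "
                     "against variable `REQUEST_BODY' (Value: `...' )"}},
        {"message": "HTTP Response Splitting Attack", "details": {
            "ruleId": "921130",
            "match": "Matched \"Operator `Rx' with parameter `...' "
                     "against variable `ARGS:json.description' (Value: `...' )"}},
        {"message": "Inbound Anomaly Score Exceeded (Total Score: 15)", "details": {
            "ruleId": "949110",
            "match": "Matched \"Operator `Ge' with parameter `5' "
                     "against variable `TX:ANOMALY_SCORE' (Value: `15' )"}},
    ]}})

VARIABLE_RE = re.compile(r"against variable `([^']+)'")

def triage(audit_json):
    """Return (uri, [(rule_id, matched_variable), ...]) for detection rules only."""
    tx = json.loads(audit_json)["transaction"]
    hits = []
    for msg in tx["messages"]:
        details = msg["details"]
        found = VARIABLE_RE.search(details["match"])
        variable = found.group(1) if found else ""
        # Rules that test TX:* (949110 here) only evaluate the score that the
        # detection rules added up; excluding them would switch blocking off.
        if variable and not variable.startswith("TX:"):
            hits.append((details["ruleId"], variable))
    return tx["request"]["uri"], hits

def exclusion_rule(uri, hits, rule_id=1000):
    """Build one path-scoped exclusion; rule_id is a placeholder, pick a free id."""
    prefix = re.sub(r"\d+$", "", uri)  # /apps/deck/cards/175 -> /apps/deck/cards/
    actions = [f"id:{rule_id}", "phase:1", "pass", "nolog"]
    actions += [f"ctl:ruleRemoveTargetById={rid};{var}" for rid, var in hits]
    joined = ",".join(actions)
    return f'SecRule REQUEST_URI "@beginsWith {prefix}" "{joined}"'

if __name__ == "__main__":
    print(exclusion_rule(*triage(SAMPLE)))
```

Each message names a single matched variable, so resend the request after applying an exclusion: a rule that inspects several targets can fire again on another one.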