New Install SuiteCRM Version : 7.8.3 - WAF Blocks Login "Blind SQL Injection Attack" - Bad coding?

Hi!

I made a fresh install of SuiteCRM using Softaculous on WHM (LAMP). After the clean install, login will not work. Password retrieve will not work. I checked all the preconditions in the server for SuiteCRM to work, they are ok except ZLIB. Check text in red below:

Recommended installation pre-requisites
PHP: ok, php7.0
JSON: As of PHP 5.2.0, the JSON extension is bundled and compiled into PHP by default. http://www.php.net/manual/en/json.installation.php
XML Parsing: yes, extension=php_xmlrpc.dll and extension=php_domxml.dll are listed and uncommented (without “;”) at php.ini
MB Strings Module: php-mbstring enabled on php7.0.
Writable SugarCRM Configuration File (config.php): which file permission code? 755?
Writeable Custom Directory: which folder permission code? 755?
Writable Modules Sub-Directories and Files: yes.
Writable Upload Directory
Writable Data Sub-Directories
Writable Cache Sub-Directories
PHP Memory Limit (at least 128M): yes on php.ini.
ZLIB Compression Module: cannot enable it in Apache 2.4, not allowed.
ZIP Handling Module: enabled on php7.0
PCRE Library: installed PCRE version 7.8 2008-09-05
IMAP Module: enabled on php7.0
cURL Module: enabled on php7.0
Upload File Size: enabled on php7.0
Sprite Support: yes, php-devel + php-gd enabled on php7.0 https://stackoverflow.com/questions/9024946/centos-enabling-gd-support-in-php-installation

Apache 2.4 and PHP 7.0 restarted.

Still, login will not work. On requesting help with my hosting provider, they say the login issue is related to SuiteCRM coding, which is blocked by Comodo WAF. Comodo WAF thinks this is a Blind SQL Injection. They supplied me with this from error log:

[Sun May 21 11:36:01.619314 2017] [:error] [pid 3640] [client 220.225.193.249] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\\b(?:t(?:able_name\\b|extpos[^a-zA-Z0-9_]{1,}\\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o …" at ARGS_NAMES:user_password. [file "/var/cpanel/cwaf/rules/24_SQL_SQLi.conf"] [line "18"] [id "211540"] [rev "9"] [msg "COMODO WAF: Blind SQL Injection Attack||mydomain.com|F|2"] [data "Matched Data: user_password found within ARGS_NAMES:user_password: user_password"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "mydomain.com"] [uri "/stcr/index.php"] [unique_id "xxx"]
Request:
POST /stcr/index.php
Action Description:
Access denied with code 403 (phase 2).
Justification:
Pattern match "(?i:\b(?:t(?:able_name\b|extpos[^a-zA-Z0-9_]{1,}\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o …" at ARGS_NAMES:user_password
tailf /usr/local/apache/logs/error_log

Please, any advice to solve this SuiteCRM security issue and let me login is welcome.

Looking forward to your reply,

Rgs

IM

Hi.

Recently there were a couple of people here in the forums who had trouble with SuiteCRM installations caused by this modsec (or mod_security) that you mentioned.

They solved it simply by turning it off…

Is that an option for you?

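The log line in the first post and the "just turn it off" suggestion above are worth reading together, so here is an added illustration (written for this thread; it is not ModSecurity, Comodo or SuiteCRM code) of what the rule actually matched and what a scoped exclusion changes. The target reported is ARGS_NAMES:user_password, i.e. the rule fired on the *name* of the login form field, not on anything in the submitted value and not on any SQL SuiteCRM builds. The script models that evaluation and goes slightly beyond the thread by also checking a password value carrying an injection-style payload. Assumptions, not from the page: RULE_PATTERN is a reduced stand-in for the rule's regex (the log shows it truncated), keeping the visible alternatives plus the literal user_password that the "Matched Data" field reports; the rule is taken to target ARGS_NAMES and ARGS only; the POST bodies are constructed, not captures.

```python
"""Toy model of how a ModSecurity 2.x SecRule such as Comodo rule 211540 is
applied to a POST body, and of what a scoped SecRuleUpdateTargetById
exclusion changes.  Illustration only; not ModSecurity, Comodo or SuiteCRM
code.  RULE_PATTERN is an assumed, reduced stand-in for the real regex.
"""
import re
import shlex
from urllib.parse import parse_qsl

RULE_ID = 211540  # rule id from the log line in the thread

# Reduced stand-in for the rule's pattern (assumption): the alternatives that
# are visible in the truncated log line plus the literal ``user_password``
# that the "Matched Data" field reports.
RULE_PATTERN = re.compile(
    r"(?i:\b(?:t(?:able_name\b|extpos[^a-zA-Z0-9_]{1,}\()"
    r"|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users"
    r"|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum"
    r"|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm"
    r"|(?:filegroup|object)s))|user_password)\b))"
)


def evaluate_rule(pattern, args, excluded_targets=frozenset()):
    """Apply one rule to every argument the way a SecRule whose targets are
    'ARGS_NAMES|ARGS' is evaluated: the parameter name is inspected as
    ARGS_NAMES:<name> and the value as ARGS:<name>.  Targets listed in
    excluded_targets (e.g. 'ARGS_NAMES:user_password') are skipped, which
    is what a '!ARGS_NAMES:user_password' exclusion does.  Returns a list of
    (target, matched_text) pairs; one hit is enough for a 403."""
    hits = []
    for name, value in args:
        for collection, data in (("ARGS_NAMES", name), ("ARGS", value)):
            target = f"{collection}:{name}"
            if target in excluded_targets:
                continue
            match = pattern.search(data)
            if match:
                hits.append((target, match.group(0)))
    return hits


def parse_update_target(directive):
    """Parse the negated-target form of SecRuleUpdateTargetById, e.g.
    SecRuleUpdateTargetById 211540 "!ARGS_NAMES:user_password"
    into (rule_id, {excluded targets}).  Only this form is modelled."""
    parts = shlex.split(directive)
    if len(parts) != 3 or parts[0] != "SecRuleUpdateTargetById":
        raise ValueError(f"unsupported directive: {directive!r}")
    rule_id = int(parts[1])
    excluded = set()
    for target in parts[2].split(","):
        if not target.startswith("!"):
            raise ValueError(f"only negated targets are modelled: {target!r}")
        excluded.add(target[1:])
    return rule_id, excluded


def check_request(body, exclusion_directive=None):
    """Return the rule's hits for a URL-encoded POST body, optionally after a
    SecRuleUpdateTargetById exclusion for RULE_ID has been applied."""
    excluded = set()
    if exclusion_directive is not None:
        rule_id, excluded = parse_update_target(exclusion_directive)
        if rule_id != RULE_ID:
            excluded = set()  # exclusion for another rule: no effect here
    args = parse_qsl(body, keep_blank_values=True)
    return evaluate_rule(RULE_PATTERN, args, frozenset(excluded))


# Constructed SuiteCRM-style login POST with an ordinary password (not a capture).
LOGIN_BODY = ("module=Users&action=Authenticate&user_name=admin"
              "&user_password=Correct%20Horse")
# Same form with a blind-SQLi style payload in the password value (constructed).
INJECTED_BODY = ("module=Users&action=Authenticate&user_name=admin"
                 "&user_password=x%27%20OR%20substring(version()%2C1%2C1)%3D%275")
# Scoped exclusion: stop inspecting the parameter name, keep inspecting its value.
EXCLUSION = 'SecRuleUpdateTargetById 211540 "!ARGS_NAMES:user_password"'

if __name__ == "__main__":
    for label, body, directive in (
        ("normal login, no exclusion", LOGIN_BODY, None),
        ("normal login, scoped exclusion", LOGIN_BODY, EXCLUSION),
        ("injected value, scoped exclusion", INJECTED_BODY, EXCLUSION),
    ):
        print(f"{label}: {check_request(body, directive)}")
```

The normal login is denied only because the field is called user_password; with the single-target exclusion it passes, while the same rule still catches an injection-style payload in the field's value. In a real ModSecurity 2.x deployment the SecRuleUpdateTargetById line has to be loaded after the rule file that defines 211540, and it is a narrower change than switching the WAF off. The only application-side change that would avoid the match is renaming the form field, since no SuiteCRM query is involved in what the rule inspects.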

Hi pgr

thank you. I may disable the waf rule that is blocking the login.

However, please, why not code the login so it will not trigger the modsec waf rule in the first place? Many other PHP apps like WordPress work seamlessly with waf. Unless improving the SuiteCRM code is not possible, for some reason. Please, let me know.

Rgs

IM

I have been seeing a lot of this problem recently (and only recently). There must have been some change in modsec that makes it less tolerant of SuiteCRM’s code.

I suppose it is a good idea to improve our code though I have no idea how it’s done… If you know how to do it, you can contribute in Github - that’s the beauty of open-source! And thanks in advance.


Thank you pgr. Unfortunately I am not a coder, but I can help by suggesting to the SuiteCRM developers that they solve this issue. Where can I do it? Is that on github Bugtracker or there is another way to raise the attention to this login problem?

You can do it by creating an Issue on Github
https://github.com/salesagility/SuiteCRM/issues/

but I’m afraid this might be hard to get attention unless you can help provide a testing scenario. If developers can’t test with a system that actually has the problem, they can’t make any progress.

At the very least they should be able to talk you through the process while you test on your system, can you help with that?


Sure! Count on me, will be glad to help if they guide me how to do it. :) I am doing my first steps with SuiteCRM and loving it. I will create an issue at Github.

Bugtracker issue opened, here https://github.com/salesagility/SuiteCRM/issues/3579