BUG: Triggering “Path traversal attack /../” modsecurity rule.

  • Resolved webbirddigital

    (@webbirddigital)


    4 years, 11 months ago

    This plugin appears to load some assets using path-traversal for some reason (I can only assume lazy development) which is triggering Modsecurity rules and resulting in users being blocked by the server firewall.

    The following URLs are affected:
    /wp-content/plugins/woocommerce-google-adwords-conversion-tracking-tag/classes/../js/public/wooptpm.js
    /wp-content/plugins/woocommerce-google-adwords-conversion-tracking-tag/classes/pixels/../../js/public/google-ads.js

    These should be corrected to:
    /wp-content/plugins/woocommerce-google-adwords-conversion-tracking-tag/js/public/wooptpm.js
    /wp-content/plugins/woocommerce-google-adwords-conversion-tracking-tag/js/public/google-ads.js

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author alekv

    (@alekv)

    4 years, 11 months ago

    (I can only assume lazy development)

    Not really the way how you motivate any developer to do something for you.

    There is a reason for this traversal and has to do with the local testing setup.

    which is triggering Modsecurity rules and resulting in users being blocked by the server firewall.

    You have to ask yourself why the firewall is blocking this and if not the firewall rules are too strict. Because traversals are common, even if not super nice, I agree with that.

    Besides, I never have come across this issue. So I’ll have a look into improving this.

    Does this affect only back-end users or also front-end users?

    Thread Starter webbirddigital

    (@webbirddigital)

    4 years, 11 months ago

    Does this affect only back-end users or also front-end users?

    This is affecting front-end users.

    Note that we are using the standard modsecurity ruleset which comes preinstalled on WMH/cPanel servers. By default rules are set to alert only, but it is recommended that they are enabled on production servers.

    Not really the way how you motivate any developer to do something for you.
    There is a reason for this traversal and has to do with the local testing setup.

    It would motivate me 😉 Sorry if this came across offensively, that wasn’t my intention (it just was meant as a bit of a jab).

    Plugin Author alekv

    (@alekv)

    4 years, 11 months ago

    By default rules are set to alert only, but it is recommended that they are enabled on production servers.

    Ok. I suggest to keep it that only on alert for production too until I come up with a solution. But that won’t be today. Earliest next week.

    I already tried finding a way. But since I use symlinks in my dev and testing setup the path traversal was so far the only way I’ve come up with to get everything working properly. That means finding another solution without the path traversal will take some time.

    I’ll let you know once I have found a workaround.

    It would motivate me 😉 Sorry if this came across offensively, that wasn’t my intention (it just was meant as a bit of a jab).

    No problem.

    Plugin Author alekv

    (@alekv)

    4 years, 11 months ago

    @webbirddigital

    Lucky us. I found a way to reference the files properly without changing or breaking my entire testing setup.

    If you want to beta test it, drop me an email to [email protected]

    Plugin Author alekv

    (@alekv)

    4 years, 11 months ago

    The path traversal has been removed in the now published version 1.10.6

    Please let me know if the server warning is gone now.

    Thread Starter webbirddigital

    (@webbirddigital)

    4 years, 11 months ago

    Perfect! Confirmed fixed from our end.

    Plugin Author alekv

    (@alekv)

    4 years, 11 months ago

    Great. Thanks for the feedback!

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘BUG: Triggering “Path traversal attack /../” modsecurity rule.’ is closed to new replies.