Dear All

We are having difficulty with one of our applications, as it appears that 
mod_security is blocking some of the content, thinking that it is a 
vulnerability.
We are running Apache version 2.2 with mod_security version 2.05.


The URL that is giving us problems is as follows:
https://myserver.com/MYAPP/nt/chart/run.do?t=tcg&m=cot/trend&f=png&r=3&y=2005+to+2009&d=labels_x:[2005,2006,2007,2008,2009,-8.88888888E8,2015];tlabels_x:[2005,2006,2007,2008,2009];g:[[89.690721649,86.746987952,91.946308725,90,85.135135135,-8.88888888E8,null],[90,85,87,89,90,-8.88888888E8,null],[83.209136562,83.894290701,84.484373669,81.189229619,64.743991641,-8.88888888E8,null],[null,null,null,null,null,-8.88888888E8,93]];t:[[194,166,149,150,148],[184,155,144,141,130],[174,144,137,135,126],[10,11,5,9,18]]&c=0+0+0+0+1&rid=1

The peculiar thing is that a similar URL runs properly; see below:
https://myserver.com/MYAPP/nt/chart/run.do?t=pct&m=cot/outcomes&f=png&r=3&y=2009&d=p:[[148,100],[126,85.135135135],[4,2.7027027027],[0,0],[2,1.3513513514],[1,0.6756756757],[15,10.135135135]]&&rid=1

The logs show the following rule being violated:
Message: Pattern match "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" at 
ARGS:d. [file 
"C:/Apache2.2/conf/mod_security/base_rules/modsecurity_crs_41_phpids_converter.conf"]
 [line "70"] [id "973016"] [msg "Basic Charcode Pattern Found"] [data 
"2005,2006,2007,2008,2009,-8.88888888e3"]

The rule in question is located in modsecurity_crs_41_phpids_converter.conf, line 70:

SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" \
    "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,\
    ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973016',\
    tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
    setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

My coworker discovered that if we modify a portion of the rule, then we are able 
to run the application properly. In particular, if we modify {4,} to {10,} then 
things begin working:

SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" ...
...... TO .......
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){10,}" ...

We are concerned that by making this change we either inadvertently make our 
security weaker or break other things. So we are wondering whether the rule has an 
inherent problem, and whether there is a way to either resolve it or bypass it, or 
any other best practice.


Any feedback is greatly appreciated

Thanks,

Max
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
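Added example (not code from the original post, nor from the OWASP CRS project): the Python script below reproduces the operator of rule 973016, approximates its transformation chain with the standard library, runs it over the two URLs quoted in the post, and then shows what raising {4,} to {10,} costs, using a constructed String.fromCharCode payload for alert(1) that is not from the post. The transformation approximations (urllib.parse.unquote for urlDecodeUni, html.unescape for htmlEntityDecode, a whitespace collapse for compressWhiteSpace), the hand-rolled query parser, and the restriction to ARGS values (ARGS_NAMES and XML are not inspected) are assumptions of this example, not the engine's behaviour.

```python
"""Reproduce OWASP CRS rule 973016 ("Basic Charcode Pattern Found") offline.

Added example; this is not code from the original post or from the CRS project.
Assumptions: the rule's transformation chain is approximated with the Python
standard library, and only ARGS values are inspected (not ARGS_NAMES or XML).
"""
import html
import re
import urllib.parse

# Operator from the rule, with the repetition floor ({4,} in CRS) parameterised.
CHARCODE_PATTERN = r"(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){%d,}"

# The two URLs quoted in the post (the one that is blocked and the one that works).
BLOCKED_URL = ("https://myserver.com/MYAPP/nt/chart/run.do?t=tcg&m=cot/trend&f=png&r=3"
               "&y=2005+to+2009&d=labels_x:[2005,2006,2007,2008,2009,-8.88888888E8,2015];"
               "tlabels_x:[2005,2006,2007,2008,2009];"
               "g:[[89.690721649,86.746987952,91.946308725,90,85.135135135,-8.88888888E8,null],"
               "[90,85,87,89,90,-8.88888888E8,null],"
               "[83.209136562,83.894290701,84.484373669,81.189229619,64.743991641,-8.88888888E8,null],"
               "[null,null,null,null,null,-8.88888888E8,93]];"
               "t:[[194,166,149,150,148],[184,155,144,141,130],[174,144,137,135,126],[10,11,5,9,18]]"
               "&c=0+0+0+0+1&rid=1")
WORKING_URL = ("https://myserver.com/MYAPP/nt/chart/run.do?t=pct&m=cot/outcomes&f=png&r=3&y=2009"
               "&d=p:[[148,100],[126,85.135135135],[4,2.7027027027],[0,0],[2,1.3513513514],"
               "[1,0.6756756757],[15,10.135135135]]&&rid=1")

# Constructed sample of what the rule is meant to catch: String.fromCharCode for "alert(1)".
CHARCODE_PAYLOAD = "String.fromCharCode(97,108,101,114,116,40,49,41)"


def parse_args(url: str) -> dict:
    """Split the query string into ARGS as the engine sees them (one round of URL decoding)."""
    args = {}
    for pair in urllib.parse.urlsplit(url).query.split("&"):
        if not pair:          # the working URL contains "&&", which yields an empty pair
            continue
        name, _, value = pair.partition("=")
        args[urllib.parse.unquote_plus(name)] = urllib.parse.unquote_plus(value)
    return args


def transform(value: str) -> str:
    """Approximate t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase."""
    value = urllib.parse.unquote(value)   # urlDecodeUni (without %uXXXX handling)
    value = html.unescape(value)          # htmlEntityDecode
    value = re.sub(r"\s+", " ", value)    # compressWhiteSpace
    return value.lower()                  # lowercase


def match_973016(value: str, min_repeats: int = 4):
    """Return the text the rule would log as TX.0, or None if the operator does not match."""
    found = re.search(CHARCODE_PATTERN % min_repeats, transform(value))
    return found.group(0) if found else None


def check_url(url: str, min_repeats: int = 4) -> dict:
    """Map each ARGS name whose value trips the rule to the matched data."""
    hits = {}
    for name, value in parse_args(url).items():
        matched = match_973016(value, min_repeats)
        if matched is not None:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    # With the floor at 10 nothing can match, so the regex engine backtracks through
    # every split of every numeric run before giving up; that pass is noticeably slower.
    for floor in (4, 10):
        print(f"{{{floor},}}  blocked URL      -> {check_url(BLOCKED_URL, floor)}")
        print(f"{{{floor},}}  working URL      -> {check_url(WORKING_URL, floor)}")
        print(f"{{{floor},}}  charcode payload -> {match_973016(CHARCODE_PAYLOAD, floor)!r}")
```

Two things the script makes visible. First, the character class `[\d+-=\/\* ]` contains the range `+` to `=`, so commas, periods, slashes, colons and semicolons all count as "charcode" characters; any comma-separated list of numbers with four or more commas, such as the `labels_x` list, therefore matches, while the working URL's two-element pairs never do. Second, at {10,} the chart data passes, but so does the constructed `String.fromCharCode(97,108,101,114,116,40,49,41)` payload, or any charcode list with fewer than ten commas, which is the weakening the post worries about. The usual CRS approach is to leave the rule's regex alone and exclude the known-good input instead: `SecRuleRemoveById 973016` inside a `<Location>` or `<LocationMatch>` for the chart URL works throughout ModSecurity 2.x, and a per-target exclusion such as `SecRuleUpdateTargetById 973016 !ARGS:d` is available in later 2.x releases (which release first supports it is not something this example verifies).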