I have more cases of false positives with 'div' in the arguments: I tried
to exclude them with "SecRuleUpdateTargetById 981244 !ARGS_NAMES:div" but
this doesn't work. I also tried "ajaxDiv" and "Div" with no success. I also
found cases of the word "div" appearing in the URL, so I wonder if this
should be completely removed from the rules.

GET /test/detailBien.do?bienId=103948&methode=consulter&contenuOngletId=emplacement&ajaxDiv=true&ajax=true&ms=1319160007747 HTTP/1.1
Host: www.myhost.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr-ca,fr-fr;q=0.8,fr;q=0.6,en-us;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.mysite.com/test/detailBien.do?methode=consulter&bienId=103948
Cookie: jbo.ApplicationCookie.Modeletest={904}054A9A0715B18F3C27; JSESSIONID=31a35ba68dfe.e3uai1ynknvrIn0; style=null

--73b83d45-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

--73b83d45-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'| ..." at ARGS_NAMES:ajaxDiv.
[file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "533"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "Div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Action: Intercepted (phase 2)

-------------


Right, there is a low chance of false negatives for SQLi attacks against
REQUEST_FILENAME. We will remove it from the TARGET list in the next rev.
In the meantime, I would add a SecRuleUpdateTargetById directive to
exclude it.

SecRuleUpdateTargetById 981243 !REQUEST_FILENAME
SecRuleUpdateTargetById 981244 !REQUEST_FILENAME
SecRuleUpdateTargetById 981248 !REQUEST_FILENAME

-Ryan

From: [email protected]
Date: Wed, 12 Oct 2011 15:41:59 -0500
To: [email protected]
Subject: [Owasp-modsecurity-core-rule-set] false positive with rules 981243, 981244 and 981248

Hi,

I'm getting false positives with rules 981243, 981244 and 981248 (Core Rule
Set 2.2.2 and mod_security 2.6). It seems like the rules don't like "dIv" or
"div" in the URL.

Is there a way to use SecRuleUpdateTargetById to handle this?


--37216702-B--
GET /uploads/tx_jcarousel/dIversite-culturelle-2_01.gif HTTP/1.1
Host: www.myhost.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en;q=0.5,en-us;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Cookie: style=normal; user=678843ea0aa41; cookies=true
Cache-Control: max-age=0

--37216702-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 576
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: text/html

--37216702-H--

Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\s*\\(\\s*select)|(?:\\d+\\s*x?or|div|like|between|and\\s*\\d+\\s*[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*(?:drop|alter))|(?:(?:;|#|--)\\s*(?:update|insert)\\s ..." at REQUEST_FILENAME.
[file "/etc/apache2/conf.d/mod_security/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "539"] [id "981248"] [msg "Detects chained SQL injection attempts 1/2"] [data "dIv"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]

Claude
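Why both requests above trip the rule, as an added example that is not part of this thread and not the CRS project's own code: the prefix of the 981248 regex that is visible in the audit log is reconstructed below (the log's `\\` escaping reversed, the pattern cut at the last complete alternative and closed) and run against the two values from the thread, next to a variant whose second alternative is grouped so that the surrounding digit context applies to every keyword. That grouping is an assumption about what the alternative was meant to express; the thread does not say so. The 981244 pattern is truncated in the log, so it is not reproduced. The injection fragments in the sample set are constructed for the demonstration.

```python
import re

# Visible prefix of the rule 981248 regex from the audit log in this thread,
# with the log's "\\" escaping reversed and the pattern cut at the same point
# (the last complete alternative), then closed. Reconstructed for this
# demonstration; the full rule as shipped in CRS 2.2.2 is longer.
CRS_981248_PREFIX = re.compile(
    r"(?i:(?:@.+=\s*\(\s*select)"
    r"|(?:\d+\s*x?or|div|like|between|and\s*\d+\s*[\-+])"
    r"|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)"
    r"|(?:\d\s+group\s+by.+\()"
    r"|(?:(?:;|#|--)\s*(?:drop|alter)))"
)

# In the second alternative "|" binds looser than the sequence around it, so
# "div", "like" and "between" are bare alternatives: any substring "div"
# matches, case-insensitively, with no digit or operator required. This
# variant groups the keywords so "\d+\s* ... \s*\d+\s*[-+]" applies to all
# of them. Assumption: that is what the alternative was meant to say; the
# thread does not confirm it.
TIGHTENED = re.compile(
    r"(?i:(?:@.+=\s*\(\s*select)"
    r"|(?:\d+\s*(?:x?or|div|like|between|and)\s*\d+\s*[\-+])"
    r"|(?:\/\w+;?\s+(?:having|and|x?or|div|like|between|and|select)\W)"
    r"|(?:\d\s+group\s+by.+\()"
    r"|(?:(?:;|#|--)\s*(?:drop|alter)))"
)


def matched_data(pattern, value):
    """Return what ModSecurity would log as [data "..."], or None on no match."""
    m = pattern.search(value)
    return m.group(0) if m else None


# The two false positives from the thread, plus constructed injection
# fragments of the kind the rule is meant to catch.
SAMPLES = {
    "REQUEST_FILENAME": "/uploads/tx_jcarousel/dIversite-culturelle-2_01.gif",
    "ARGS_NAMES": "ajaxDiv",
    "constructed: or-chain": "1 or 1-",
    "constructed: div-chain": "1 div 1-",
    "constructed: stacked drop": "a';drop table t",
}


def compare(samples=SAMPLES):
    """Map each sample to (match from the logged regex, match from the tightened one)."""
    return {
        label: (matched_data(CRS_981248_PREFIX, value), matched_data(TIGHTENED, value))
        for label, value in samples.items()
    }


if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:28} logged regex: {before!r:12} tightened: {after!r}")
```

The logged regex reports `dIv` for the image path and `Div` for the parameter name, exactly the `[data "..."]` values in the two audit entries, while still catching the constructed chains; the grouped variant drops both false positives without losing those chains. On the exclusion side, a `SecRuleUpdateTargetById` target such as `!ARGS_NAMES:ajaxDiv` selects a parameter by its full name, so `!ARGS_NAMES:div` does not cover a parameter called `ajaxDiv`, and the directive only takes effect when it is loaded after the CRS file that defines the rule it modifies.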

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set