I'm playing with OWASP CRS v3.0 and have a false positive on rule 920120.
The application is Picasa (no longer available from Google). During file
uploads it produces the failing pattern when communicating with the target
website. I have no control over the application end of this and there's no hope
for a fix from Google since they have dropped the product. It does still work,
however, so I continue to use it.
I'm disabling this rule for this user agent using:
SecRule REQUEST_HEADERS:User-Agent "@beginsWith Picasa/3." "id:1010,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=920120"
Here's the entry from the audit log:
--93ede52c-A--
[04/Sep/2016:07:57:20 --0700] V8w2UH8AAAEAADHQvy0AAABV 192.168.56.1 64619 192.168.56.101 80
--93ede52c-B--
POST /picasa_album_uploader/upload HTTP/1.1
Host: wpdev.local
Accept: */*
Accept-Encoding: gzip
Content-Length: 117779
Content-Type: multipart/form-data; boundary=---------------------------98E77E01B348
Cookie: wordpress_logged_in_bdc5a801bed99bd8e2693412031c90e0=thor%7C1473173832%7COzgZxmia5N6cIlq8cByzDuXNOUtUG8ksqAsyHg12XMA%7Cd70c349c19dfc0274e629711840a30937a640e3c6f07362d76dab9bac3b58e68; wordpress_test_cookie=WP+Cookie+check
Connection: keep-alive
User-Agent: Picasa/3.9.141.306 (gzip)
--93ede52c-I--
picasa%2dalbum%2duploader%2dupload%2dimages=48fd37703c&%5fwp%5fhttp%5freferer=%2fpicasa%5falbum%5fuploader%2fminibrowser&size=on&title%5b%5d=IMG%5f5306%2eJPG&caption%5b%5d=&description%5b%5d=
--93ede52c-F--
HTTP/1.1 403 Forbidden
Content-Length: 237
Connection: close
Content-Type: text/html; charset=iso-8859-1
--93ede52c-E--
--93ede52c-H--
Message: Warning. Pattern match "['\";=]" at FILES_NAMES:http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "108"] [id "920120"] [rev "1"] [msg "Attempted multipart/form-data bypass"] [data "http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "53"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Attempted multipart/form-data bypass"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1473001040658089 39084 (- - -)
Stopwatch2: 1473001040658089 39084; combined=2811, p1=201, p2=2420, p3=0, p4=0, p5=189, sr=27, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.23 (Ubuntu)
Engine-Mode: "ENABLED"
--93ede52c-J--
4,116587,"IMG_5306.JPG","<Unknown ContentType>"
Total,116587
--93ede52c-Z--
-- Ken
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
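A narrower form of the exclusion in Ken's message, added here as an example and not part of the original post or of the CRS itself: rather than removing rule 920120 for every request from a Picasa/3 user agent, it drops only the FILES_NAMES target that the audit log shows matching (the `=` in `?size=1024`), and only on the uploader endpoint seen in section B of the log. Rule id 1011 and the placement in the CRS v3 REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file are assumptions; the rule's other targets keep being checked on the same request.

```apache
# Added example (not from the original post or from CRS).
# Assumed location: rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, which
# CRS v3 loads before the rule files, so the ctl action applies to 920120.
#
# Chain: both the request path (from the audit log, section B) and the
# Picasa user agent must match before the ctl action fires. phase:1 runs
# before 920120 (a phase 2 rule) evaluates the multipart body.
SecRule REQUEST_URI "@beginsWith /picasa_album_uploader/upload" \
    "id:1011,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    # Only the FILES_NAMES target is removed from 920120 for this request;
    # the rule still inspects its remaining targets (the uploaded file names).
    SecRule REQUEST_HEADERS:User-Agent "@beginsWith Picasa/3." \
        "t:none,\
        ctl:ruleRemoveTargetById=920120;FILES_NAMES"
```

Because the ctl action sits on the last rule of the chain, it only takes effect when both conditions hold; a request from the same user agent to any other path is still fully checked by 920120.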