Cool. Thanks.

On Mon, Sep 05, 2016 at 08:05:51AM -0700, Ken Brucker wrote:
> Hi Christian,
> 
> Here's a redacted version that includes the C bit minus the content of the 
> jpg file itself. I've added this to a github issue.
> 
> -- Ken
> 
> --0c41777f-A--
> [05/Sep/2016:06:56:20 --0700] V815hH8AAAEAAFYB3d0AAABQ 192.168.56.1 62686 192.168.56.101 80
> --0c41777f-B--
> POST /picasa_album_uploader/upload HTTP/1.1
> Host: wpdev.local
> Accept: */*
> Accept-Encoding: gzip
> Content-Length: 134956
> Content-Type: multipart/form-data; boundary=---------------------------482C81C09614
> Cookie: wordpress_logged_in_bdc5a801bed99bd8e2693412031c90e0=thor%7C1473256578%7CqBvxoWnF7B59roUjZK1ypaRxJ6uqqhXJoKkgE1bUfGQ%7C0d1f9bd3868cf2a2df1330248d35e3689623535f486e66910a9700ae4c2c16dd; wordpress_test_cookie=WP+Cookie+check
> Connection: keep-alive
> User-Agent: Picasa/3.9.141.306 (gzip)
> 
> --0c41777f-C--
> -----------------------------482C81C09614
> Content-Disposition: form-data; name="picasa-album-uploader-upload-images"
> Content-Type: text/plain; charset=utf-8
> 
> 0349e21fed
> -----------------------------482C81C09614
> Content-Disposition: form-data; name="_wp_http_referer"
> Content-Type: text/plain; charset=utf-8
> 
> /picasa_album_uploader/minibrowser
> -----------------------------482C81C09614
> Content-Disposition: form-data; name="size"
> Content-Type: text/plain; charset=utf-8
> 
> on
> -----------------------------482C81C09614
> Content-Disposition: form-data; name="http://localhost:62667/2d1afc4dac01219e86592ecb3f4a9d8e/image/2fa2bc77befd46db.jpg?size=1024"; filename="IMG_6822.JPG"
> Content-Type: image/jpeg
>  
> [ Redacted ]
> 
> -----------------------------482C81C09614
> Content-Disposition: form-data; name="title[]"
> Content-Type: text/plain; charset=utf-8
> 
> IMG_6822.JPG
> -----------------------------482C81C09614
> Content-Disposition: form-data; name="caption[]"
> Content-Type: text/plain; charset=utf-8
> 
> 
> -----------------------------482C81C09614
> Content-Disposition: form-data; name="description[]"
> Content-Type: text/plain; charset=utf-8
> 
> Deer in Austin
> -----------------------------482C81C09614--
> 
> --0c41777f-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 237
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
> --0c41777f-H--
> Message: Warning. Pattern match "['\";=]" at FILES_NAMES:http://localhost:62667/2d1afc4dac01219e86592ecb3f4a9d8e/image/2fa2bc77befd46db.jpg?size=1024. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "108"] [id "920120"] [rev "1"] [msg "Attempted multipart/form-data bypass"] [data "http://localhost:62667/2d1afc4dac01219e86592ecb3f4a9d8e/image/2fa2bc77befd46db.jpg?size=1024"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
> Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "53"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Attempted multipart/form-data bypass"] [tag "event-correlation"]
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> Action: Intercepted (phase 2)
> Stopwatch: 1473083780329702 6475 (- - -)
> Stopwatch2: 1473083780329702 6475; combined=2451, p1=208, p2=2078, p3=0, p4=0, p5=164, sr=26, sw=1, l=0, gc=0
> Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
> Server: Apache/2.4.23 (Ubuntu)
> Engine-Mode: "ENABLED"
> 
> --0c41777f-J--
> 4,133750,"IMG_6822.JPG","<Unknown ContentType>"
> Total,133750
> 
> --0c41777f-Z--
> 
> 
> > On Sep 5, 2016, at 4:09 AM, Christian Folini <christian.fol...@netnea.com> 
> > wrote:
> > 
> > Hello Ken,
> > 
> > Classical False Positive.
> > 
> > You have your audit log parts configured to include only the I part.
> > I think the uploaded filename in question is
> > http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024
> > 
> > But could you please show us the C part - or dump the full traffic,
> > where this becomes visible.
> > 
> > And then, would you please open an issue on github for this?
> > 
> > Cheers,
> > 
> > Christian
> > 
> > On Sun, Sep 04, 2016 at 08:26:37AM -0700, Ken Brucker wrote:
> >> Playing with OWASP CRS v3.0 and have a false positive on rule 920120.
> >> 
> >> The application is Picasa (no longer available from Google). During file 
> >> uploads it produces the failing pattern when communicating with the target 
> >> website. I have no control over the application end of this and there's no 
> >> hope for a fix from Google since they have dropped the product. It does 
> >> still work however so I continue to use it.
> >> 
> >> I'm disabling this rule for this user agent using:
> >> 
> >> SecRule REQUEST_HEADERS:User-Agent "@beginsWith Picasa/3." 
> >> "id:1010,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=920120"
> >> 
> >> 
> >> Here's the entry from the audit log:
> >> 
> >> --93ede52c-A--
> >> [04/Sep/2016:07:57:20 --0700] V8w2UH8AAAEAADHQvy0AAABV 192.168.56.1 64619 192.168.56.101 80
> >> --93ede52c-B--
> >> POST /picasa_album_uploader/upload HTTP/1.1
> >> Host: wpdev.local
> >> Accept: */*
> >> Accept-Encoding: gzip
> >> Content-Length: 117779
> >> Content-Type: multipart/form-data; boundary=---------------------------98E77E01B348
> >> Cookie: wordpress_logged_in_bdc5a801bed99bd8e2693412031c90e0=thor%7C1473173832%7COzgZxmia5N6cIlq8cByzDuXNOUtUG8ksqAsyHg12XMA%7Cd70c349c19dfc0274e629711840a30937a640e3c6f07362d76dab9bac3b58e68; wordpress_test_cookie=WP+Cookie+check
> >> Connection: keep-alive
> >> User-Agent: Picasa/3.9.141.306 (gzip)
> >> 
> >> --93ede52c-I--
> >> picasa%2dalbum%2duploader%2dupload%2dimages=48fd37703c&%5fwp%5fhttp%5freferer=%2fpicasa%5falbum%5fuploader%2fminibrowser&size=on&title%5b%5d=IMG%5f5306%2eJPG&caption%5b%5d=&description%5b%5d=
> >> --93ede52c-F--
> >> HTTP/1.1 403 Forbidden
> >> Content-Length: 237
> >> Connection: close
> >> Content-Type: text/html; charset=iso-8859-1
> >> 
> >> --93ede52c-E--
> >> 
> >> --93ede52c-H--
> >> Message: Warning. Pattern match "['\";=]" at FILES_NAMES:http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "108"] [id "920120"] [rev "1"] [msg "Attempted multipart/form-data bypass"] [data "http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
> >> Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "53"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
> >> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Attempted multipart/form-data bypass"] [tag "event-correlation"]
> >> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> >> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> >> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> >> Action: Intercepted (phase 2)
> >> Stopwatch: 1473001040658089 39084 (- - -)
> >> Stopwatch2: 1473001040658089 39084; combined=2811, p1=201, p2=2420, p3=0, p4=0, p5=189, sr=27, sw=1, l=0, gc=0
> >> Response-Body-Transformed: Dechunked
> >> Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
> >> Server: Apache/2.4.23 (Ubuntu)
> >> Engine-Mode: "ENABLED"
> >> 
> >> --93ede52c-J--
> >> 4,116587,"IMG_5306.JPG","<Unknown ContentType>"
> >> Total,116587
> >> 
> >> --93ede52c-Z--
> >> 
> >> -- Ken
> > 
> >> _______________________________________________
> >> Owasp-modsecurity-core-rule-set mailing list
> >> Owasp-modsecurity-core-rule-set@lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> > 
> > 
> > -- 
> > https://www.feistyduck.com/training/modsecurity-training-course
> > mailto:christian.fol...@netnea.com
> > twitter: @ChrFolini
> 
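The false positive discussed in this thread is a CRS 920120 match on FILES_NAMES, that is, on the form field name of the multipart part carrying the upload, which Picasa sets to a URL containing "=". The Python below is an added example and is not code from the thread, from ModSecurity or from the CRS. It splits a constructed multipart body modeled on the C part Ken posted, reproduces which variable the 920120 regex flags, and applies an exclusion modeled on Ken's User-Agent rule; limiting that exclusion to the upload path is this example's own assumption, not part of the rule in the thread. The scoring values (a CRITICAL hit adds 5, inbound threshold 5) are the ones visible in the H part of the audit log.

```python
import re

# Regex quoted in the audit log's "Pattern match" line for CRS 3.0.0 rule 920120
RULE_920120 = re.compile(r"""['";=]""")

# Scoring values visible in the H part of the log: a CRITICAL hit adds 5 to
# TX:anomaly_score and the inbound threshold enforced by rule 949110 is 5.
CRITICAL_SCORE = 5
INBOUND_THRESHOLD = 5

# Constructed multipart body modeled on the C part of the audit log: three of
# the parts are reproduced and the JPEG bytes are replaced by a placeholder.
BOUNDARY = "---------------------------482C81C09614"
UPLOAD_FIELD = ("http://localhost:62667/2d1afc4dac01219e86592ecb3f4a9d8e"
                "/image/2fa2bc77befd46db.jpg?size=1024")
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="picasa-album-uploader-upload-images"\r\n'
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "0349e21fed\r\n"
    f"--{BOUNDARY}\r\n"
    f'Content-Disposition: form-data; name="{UPLOAD_FIELD}"; filename="IMG_6822.JPG"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "[ Redacted ]\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="description[]"\r\n'
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "Deer in Austin\r\n"
    f"--{BOUNDARY}--\r\n"
)


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts. Each part is a dict with the
    Content-Disposition name, the filename (None for plain fields) and the content."""
    delimiter = "--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith("--"):          # closing delimiter "--boundary--"
            break
        head, _, content = chunk.lstrip("\r\n").partition("\r\n\r\n")
        headers = {}
        for line in head.split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        parts.append({"name": params.get("name"),
                      "filename": params.get("filename"),
                      "content": content.rstrip("\r\n")})
    return parts


def files_names(parts):
    """ModSecurity FILES_NAMES: the form field names of the parts that carry a file."""
    return [p["name"] for p in parts if p["filename"] is not None]


def files(parts):
    """ModSecurity FILES: the client-supplied filenames of those parts."""
    return [p["filename"] for p in parts if p["filename"] is not None]


def rule_920120_hits(parts):
    """(variable, value) pairs rule 920120 would report for this body."""
    hits = []
    for variable, values in (("FILES_NAMES", files_names(parts)), ("FILES", files(parts))):
        hits.extend((variable, v) for v in values if RULE_920120.search(v))
    return hits


def exclusion_applies(user_agent, path):
    """Mirror of the exclusion from the thread (User-Agent @beginsWith "Picasa/3."),
    additionally limited to the upload endpoint; the path condition is an assumption."""
    return user_agent.startswith("Picasa/3.") and path == "/picasa_album_uploader/upload"


def evaluate_request(user_agent, path, body, boundary, with_exclusion=True):
    """Model the phase-2 decision: collect 920120 hits, drop them when the
    exclusion applies, then compare the anomaly score with the inbound threshold."""
    hits = rule_920120_hits(parse_multipart(body, boundary))
    if hits and with_exclusion and exclusion_applies(user_agent, path):
        hits = []
    score = CRITICAL_SCORE if hits else 0
    return {"hits": hits, "anomaly_score": score, "blocked": score >= INBOUND_THRESHOLD}


if __name__ == "__main__":
    for ua in ("Picasa/3.9.141.306 (gzip)", "Mozilla/5.0 (constructed)"):
        print(ua, evaluate_request(ua, "/picasa_album_uploader/upload", SAMPLE_BODY, BOUNDARY))
```

Running the block shows the Picasa request passing only because of the exclusion, while the same body from any other User-Agent still scores 5 and is blocked, which is the behaviour the H part records. Note that the hit is on FILES_NAMES and not on FILES: the uploaded filename "IMG_6822.JPG" is clean, so a narrower exclusion than removing the whole rule is to remove only the FILES_NAMES target for rule 920120 on this endpoint (ModSecurity 2.x supports this through ctl:ruleRemoveTargetById=920120;FILES_NAMES), which keeps the check on the filename itself active.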