[Modsecurity] False positive phpMyAdmin

Havard Hebnes centos at kral.no
Thu Apr 20 14:04:59 EDT 2006


Got this false positive while using phpMyAdmin (latest release):

==1f6a482e==============================
Request: domain.com xx.xx.xx.xx - - [20/Apr/2006:20:01:28 +0200] "GET /files/phpMyAdmin/tbl_change.php?db=xxxxx&table=xxxxx&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=+%60ArtID%60+%3D+1&sql_query=SELECT+%2A+FROM+%60Artikler%60&goto=sql.php HTTP/1.1" 403 218 "http://domain.com/files/phpMyAdmin/sql.php?db=xxxxx&table=xxxxxx&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2" j7W9WFTq at yYAAHuRpjAAAAAE "-"
----------------------------------------
GET /files/phpMyAdmin/tbl_change.php?db=xxxxx&table=xxxxx&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=+%60ArtID%60+%3D+1&sql_query=SELECT+%2A+FROM+%60Artikler%60&goto=sql.php HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: no,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://domain.com/files/phpMyAdmin/sql.php?db=xxxxx&table=xxxxx&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0
Cookie: phpMyAdmin=e30d0a11b02db8300c28cd666cb52e61; pma_lang=no-iso-8859-1; pma_charset=iso-8859-1
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" at QUERY_STRING [id "300016"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]

HTTP/1.1 403 Forbidden
Last-Modified: Tue, 11 Apr 2006 10:39:19 GMT
ETag: "eb009e-da-55df43c0"
Accept-Ranges: bytes
Content-Length: 218
Connection: close
Content-Type: text/html
--1f6a482e--
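
Added example, not part of the original post and not ModSecurity code: a triage helper that replays the pattern of rule 300016 against the logged QUERY_STRING and reports which alternative fired and which parameter carries it. Because the rule targets the whole QUERY_STRING, it also flags hits where `.+` ran across `&` boundaries, shown with a constructed query. Assumptions: case-insensitive matching, URL-decoded input, and `[[:space:]]` written as `\s` for Python.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Alternatives of rule id 300016, from the mod_security-message line above.
# Python's re has no POSIX classes, so [[:space:]] is written as \s.
ALTERNATIVES = [
    r"insert\s+into.+values",
    r"select.+from",
    r"bulk\s+insert",
    r"union.+select",
]
# Assumption: the filter matches case-insensitively (the logged request
# carries upper-case SELECT/FROM and was still blocked).
COMPILED = [(a, re.compile(a, re.IGNORECASE)) for a in ALTERNATIVES]

# Query string of the blocked request, copied from the log (already masked).
LOGGED_QUERY = (
    "db=xxxxx&table=xxxxx&pos=0&session_max_rows=30&disp_direction=horizontal"
    "&repeat_cells=100&dontlimitchars=0&primary_key=+%60ArtID%60+%3D+1"
    "&sql_query=SELECT+%2A+FROM+%60Artikler%60&goto=sql.php"
)

# Constructed query: no single parameter value contains SQL.
CONSTRUCTED_QUERY = "action=select&sort=from_date"


def triage(query_string):
    """Explain a QUERY_STRING hit: which alternative, which parameter."""
    decoded = unquote_plus(query_string)  # assumption: rule sees decoded input
    fired = [a for a, rx in COMPILED if rx.search(decoded)]
    params = [
        name
        for name, value in parse_qsl(query_string, keep_blank_values=True)
        if any(rx.search(value) for _, rx in COMPILED)
    ]
    # A hit with no matching parameter means ".+" ran across "&" boundaries.
    return {
        "fired": fired,
        "params": params,
        "spans_params": bool(fired) and not params,
    }


if __name__ == "__main__":
    for query in (LOGGED_QUERY, CONSTRUCTED_QUERY):
        print(triage(query))
```
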




