[Modsecurity] Problem Joomla mod_security

Blackstorm wk at diskspace4you.com
Wed Jul 12 08:51:03 EDT 2006


Hello,

I am a newbie in mod_security and have the following problem. I have
installed a CentOS 4.3 box with mod_security version 1.9.4 and all rules from
Gotroot.com. When I log in to the Joomla admin, click on Global
Configuration and save the changes, the following error occurs:
Forbidden - You do not have permission to access this document. When I look
in the audit.log file, the following entry is shown.

I have changed the domain and IP in the following entry.

==b46a2106==============================
Request: www.domain.com
80.30.172.10 - - [12/Jul/2006:14:19:48 +0200] "POST
/administrator/index2.php HTTP/1.1" 403 962
"https://www.domain.com/administrator/index2.php?option=com_config&hidemainmenu=1"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4" - "-"
----------------------------------------
POST /administrator/index2.php HTTP/1.1
Host: www.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4)
Gecko/20060508 Firefox/1.5.0.4
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://www.domain.com/administrator/index2.php?option=com_config&hidemainmenu=1
Cookie: 0bf476054166d391db703895d14a54fd=28a7189c5b880b4ca60093d4405d953f;
virtuemart=cc0f88d9888d0caed5969b8c9b2d767b;
__utma=213567489.108317749.1152681911.1152681911.1152681911.1;
__utmc=213567489;
__utmz=213567489.1152681911.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none
); dced49c144572773182058bbee80370c=f0e383bbea97449d128adf8237d345fc;
PHPSESSID=b2c1200b3e049f8f86454841ffd94794; locale=de-DE; psaContext=server
Authorization: Basic aGR3b2w6QmxhU2Noa2U=
Content-Type: application/x-www-form-urlencoded
Content-Length: 2718
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]

2718
config_offline=0&config_offline_message=Diese+Seite+ist+wegen+eines+Updates+
kurzzeitig+nicht+erreichbar.%3Cbr+%2F%3E+Bitte+probieren+sie+in+k%FCrze+noch
+einmal.+&config_error_message=This+site+is+temporarily+unavailable.%3Cbr+%2
F%3E+Please+notify+the+System+Administrator+admin%40domain.com&config_sitena
me=Domains+und+Webspace+um+nur+3%2C99+Euro%2FMonat%2C+Webhosting%2C+Webspace
%2C+Domains%2C+Domainregistrierungen%2C+Speicherplatz%2C+Gratis+Gaestebuch&c
onfig_shownoauth=0&config_allowUserRegistration=1&config_useractivation=0&co
nfig_uniquemail=1&config_frontend_login=1&config_frontend_userparams=1&confi
g_debug=0&config_editor=htmlarea3_xtd-c&config_list_limit=10&config_favicon=
&config_lang=germani&config_offset_user=1&config_locale=germani&config_link_
titles=0&config_readmore=0&config_vote=0&config_hideAuthor=1&config_hideCrea
teDate=1&config_hideModifyDate=1&config_hits=1&config_hidePdf=1&config_hideP
rint=1&config_hideEmail=1&config_icons=1&config_multipage_toc=1&config_back_
button=0&config_item_navigation=1&config_ml_support=0&config_host=localhost&
config_user=domain&config_db=domain&config_dbprefix=mos_&config_gzip=0&confi
g_lifetime=900&config_session_life_admin=1800&config_admin_expired=1&config_
session_type=0&config_error_reporting=-1&config_helpurl=&filePermsMode=1&con
fig_fileperms=0644&filePermsUserRead=1&filePermsUserWrite=1&filePermsGroupRe
ad=1&filePermsWorldRead=1&dirPermsMode=1&config_dirperms=0755&dirPermsUserRe
ad=1&dirPermsUserWrite=1&dirPermsUserSearch=1&dirPermsGroupRead=1&dirPermsGr
oupSearch=1&dirPermsWorldRead=1&dirPermsWorldSearch=1&config_MetaDesc=Domain
s+und+Webspace+um+nur+3%2C99+Euro%2FMonat%2C+Domain%2C+Domains%2C+Domainregi
strierung%2C+Webhosting%2C+Domainregistrierungen%2C+Webspace%2C+Speicherplat
z%2C+Provider%2C+Domainpaket%2C+Gratis+Counter%2C+Gratis+Gaestebuch&config_M
etaKeys=domains%2C+domain%2C+domainregistrierung%2C+webhosting%2C+domainregi
strierungen%2C+speicherplatz%2C+webspace%2C+webhosting%2C+provider%2C+domain
paket%2C+webseiten%2C+programmierung%2C+design%2C+webdesign&config_MetaTitle
=1&config_MetaAuthor=1&config_mailer=mail&config_mailfrom=office%40domain.co
m&config_fromname=Domain&config_sendmail=%2Fusr%2Fsbin%2Fsendmail&config_smt
pauth=0&config_smtpuser=&config_smtppass=&config_smtphost=localhost&config_c
aching=0&config_cachepath=%2Fvar%2Fwww%2Fvhosts%2Fdomain.com%2Fhttpdocs%2Fca
che&config_cachetime=900&config_enable_stats=0&config_enable_log_items=0&con
fig_enable_log_searches=0&config_sef=1&config_pagetitles=1&option=com_config
&config_absolute_path=%2Fvar%2Fwww%2Fvhosts%2Fdomain.com%2Fhttpdocs&config_l
ive_site=http%3A%2F%2Fwww.domain.com&config_secret=TYteIbPtQ78ejtYX&task=app
ly

HTTP/1.1 403 Forbidden
Last-Modified: Mon, 20 Mar 2006 20:21:14 GMT
ETag: "44d041-3c2-e675a280"
Accept-Ranges: bytes
Content-Length: 962
Connection: close
Content-Type: text/html
--b46a2106--

Best Regards

Blackstorm
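
Why rule 300015 fires on this request, as an added example that is not part of the original post: the third alternative, `update.+set.+=`, spans from "Updates" in config_offline_message to "offset" in config_offset_user. The body below is abridged from the logged POST payload, `[[:space:]]` is rewritten as `\s`, the quantifiers are made non-greedy to show the shortest span, and case-insensitive matching is an assumption about how the filter is applied.

```python
import re

# Rule 300015 from the audit log, split into its three alternatives.
# POSIX [[:space:]] becomes \s (Python's re has no POSIX classes) and
# .+ becomes .+? so the shortest triggering span is reported.
ALTERNATIVES = {
    "ddl": r"(alter|create|drop)\s+(column|database|procedure|table)",
    "delete": r"delete\s+from",
    "update": r"update.+?set.+?=",
}

# Abridged from the POST body in the post; omitted fields do not matter here.
BODY = (
    "config_offline=0&config_offline_message=Diese+Seite+ist+wegen+eines+"
    "Updates+kurzzeitig+nicht+erreichbar.&config_lang=germani"
    "&config_offset_user=1&config_locale=germani&task=apply"
)


def explain(body, ignore_case=True):
    """Return {alternative name: matched text} for each alternative that hits."""
    flags = re.S | (re.I if ignore_case else 0)
    hits = {}
    for name, pattern in ALTERNATIVES.items():
        match = re.search(pattern, body, flags)
        if match:
            hits[name] = match.group(0)
    return hits


def params_touched(body, span_text):
    """Names of the form parameters that the matched text passes through."""
    start = body.find(span_text)
    end = start + len(span_text)
    pos, names = 0, []
    for pair in body.split("&"):
        pair_end = pos + len(pair)
        if pos < end and pair_end > start:
            names.append(pair.split("=", 1)[0])
        pos = pair_end + 1  # skip the "&" separator
    return names


if __name__ == "__main__":
    for name, text in explain(BODY).items():
        print(name, "->", repr(text))
        print("parameters involved:", params_touched(BODY, text))
```

The match crosses three unrelated form fields, which is the signature of a false positive from a pattern applied to the whole POST payload rather than to individual arguments.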
