[Modsecurity] False positive with wordpress

Marco n0nam3d at gmail.com
Wed Jun 14 02:41:33 EDT 2006


==2b934b7d==============================
Request: domain.org 1.1.1.1 - - [13/Jun/2006:23:23:22 +0200] "POST
/wp-admin/options.php HTTP/1.1" 403 230
"http://www.domain.org/wp-admin/options-reading.php" "Mozilla/5.0
(Macintosh; U; PPC Mac OS X Mach-O; ca; rv:1.8.0.4) Gecko/20060508
Firefox/1.5.0.4" - "-"
----------------------------------------
POST /wp-admin/options.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: ca,en-us;q=0.7,en;q=0.3
Connection: keep-alive
Content-Length: 248
Content-Type: application/x-www-form-urlencoded
Cookie: __utma=190344233.410670418.1149331402.1150180411.1150233323.15;
__utmz=190344233.1149331402.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);
dbx-postmeta=grabit=0+,1-,2-,3+,4+,5+,6+;
dbx-pagemeta=grabit=0-,1-,2-,3-,4-,5-,6-&advancedstuff=0-;
__utmb=190344233; __utmc=190344233;
wordpressuser_9b2c71634a5e5e2eed718650a420ecab=user;
wordpresspass_9b2c71634a5e5e2eed718650a420ecab=ey56uc2e56ai0aa8adcadd042c236b54
Host: www.domain.org
Keep-Alive: 300
Referer: http://www.domain.org/wp-admin/options-reading.php
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; ca;
rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
at POST_PAYLOAD [id "300015"][rev "1"] [msg "Generic SQL injection
protection"] [severity "CRITICAL"]

248
posts_per_page=10&what_to_show=posts&posts_per_rss=10&rss_use_excerpt=1&blog_charset=UTF-8&action=update&page_options=posts_per_page%2Cwhat_to_show%2Cposts_per_rss%2Crss_use_excerpt%2Cblog_charset%2Cgzipcompression&Submit=Actualitzar+opcions+%C2%BB

HTTP/1.1 403 Forbidden
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--2b934b7d--


-- 
Blog: http://p0l0.binware.org
Registered GNU/Linux User #364546
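
Why rule 300015 fires on this request, as an added example that is not part of the original message: the pattern and POST body are copied from the audit log entry above, and the script reports which alternative of the pattern matches and which form field supplies each keyword. Assumptions: Python's `re` stands in for the regex engine mod_security uses, `[[:space:]]` is written as `\s`, capture groups are added around `update`, `set` and `=` for reporting only, and the helper names `field_at` and `explain` are made up for this illustration.

```python
import re

# Pattern from the mod_security-message header above (rule id 300015), split
# into its three alternatives. [[:space:]] is written \s because Python's re
# has no POSIX classes; the groups in update_set are added for reporting only.
BRANCHES = {
    "ddl": r"(alter|create|drop)\s+(column|database|procedure|table)",
    "delete_from": r"delete\s+from",
    "update_set": r"(update).+(set).+(=)",
}

# POST body copied from the audit log entry above.
PAYLOAD = (
    "posts_per_page=10&what_to_show=posts&posts_per_rss=10&rss_use_excerpt=1"
    "&blog_charset=UTF-8&action=update&page_options=posts_per_page%2C"
    "what_to_show%2Cposts_per_rss%2Crss_use_excerpt%2Cblog_charset%2C"
    "gzipcompression&Submit=Actualitzar+opcions+%C2%BB"
)


def field_at(payload, offset):
    """Name of the form field whose name=value pair covers the given offset."""
    start = 0
    for pair in payload.split("&"):
        end = start + len(pair)
        if start <= offset < end:
            return pair.split("=", 1)[0]
        start = end + 1  # skip the '&' separator
    return None


def explain(payload):
    """For each alternative that fires, map every matched literal to its field."""
    report = {}
    for name, pattern in BRANCHES.items():
        m = re.search(pattern, payload)
        if m:
            # Groups are the literal keywords; record where each one came from.
            report[name] = [
                (m.group(i), field_at(payload, m.start(i)))
                for i in range(1, (m.lastindex or 0) + 1)
            ]
    return report


if __name__ == "__main__":
    for branch, tokens in explain(PAYLOAD).items():
        print(branch, tokens)
```

Only the `update.+set.+=` alternative matches, and its three literals come from three unrelated form fields (`action`, `page_options`, `Submit`), which is what makes this request a false positive rather than an SQL statement.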

