From gerard at whitecurve.com  Mon May  1 19:13:34 2006
From: gerard at whitecurve.com (Gerard Earley)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] 2 more False Positives for the exclude list
Message-ID: <4456961E.9090203@whitecurve.com>

Here are two more False Positive exclusions for the exclude.conf
Both of these have been seen in the phpBB integrated into PHPnuke.

<Location /modules.php?name=Forums&file=posting>
SecFilterRemove 300016
</Location>

<Location /modules.php?name=Private_Messages&file=index>
SecFilterRemove 300016
</Location>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3326 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.gotroot.com/pipermail/modsecurity/attachments/20060502/608e1d53/smime.bin
From Steve.Cox at mergermarket.com  Tue May  2 08:19:42 2006
From: Steve.Cox at mergermarket.com (Steve Cox)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] Specific False Positive using SugarCRM
Message-ID: <F4992F986DA01540987CB941A13635F60216B85F@gbr-lon-msg01.copse.mmforest.com>

Hi,

I'm getting a specific false positive using the mod_security rules - when running the SugarCRM system on Apache2.

The false positive looks something specific here so I'm looking to create a local exception of the format:

<LocationMatch "/sugarcrm/index.php">
   SecFilterRemove xxxxxx
</LocationMatch>

But I don't know how to ascertain the rule number for the SecFilterRemove line.

The reason for the false positive firing is that a user was entering CRm details on an account called something like: 'Meridian Inc'.

The mod_security blacklist rule picked up Meridian as Meridia and blocked it.

The audit_log entry is:

###################################################################


Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
Handler: (null)
----------------------------------------
POST /sugarcrm/index.php HTTP/1.1
Host: crm.mergermarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://crm.mergermarket.com/sugarcrm/index.php
Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%2
3contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true
; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
Content-Type: application/x-www-form-urlencoded
Content-Length: 992
mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
mod_security-action: 500

992
module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id= xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&pare
nt_name=&parent_id=&email1=&industry=&etcetcetc

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 342
Connection: close
Content-Type: text/html; charset=iso-8859-1

###########################################################


Can someone point me in the way to determine the rule number so I can exclude this from the installation?

Thanks,
-- 
?
Steve
?

From dan at half-asleep.com  Tue May  2 09:27:22 2006
From: dan at half-asleep.com (Daniel Segall)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] Specific False Positive using SugarCRM
In-Reply-To: <F4992F986DA01540987CB941A13635F60216B85F@gbr-lon-msg01.copse.mmforest.com>
Message-ID: <T03amXak.1146576442.4171390.worlock@half-asleep.com>


The log that you copied is a valid trigger for drug spam. This has
nothing to do with the CRM itself.

>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD

-Dan


On 5/2/2006, "Steve Cox" <Steve.Cox@mergermarket.com> wrote:

>Hi,
>
>I'm getting a specific false positive using the mod_security rules - when running the SugarCRM system on Apache2.
>
>The false positive looks something specific here so I'm looking to create a local exception of the format:
>
><LocationMatch "/sugarcrm/index.php">
>   SecFilterRemove xxxxxx
></LocationMatch>
>
>But I don't know how to ascertain the rule number for the SecFilterRemove line.
>
>The reason for the false positive firing is that a user was entering CRm details on an account called something like: 'Meridian Inc'.
>
>The mod_security blacklist rule picked up Meridian as Meridia and blocked it.
>
>The audit_log entry is:
>
>###################################################################
>
>
>Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
>Handler: (null)
>----------------------------------------
>POST /sugarcrm/index.php HTTP/1.1
>Host: crm.mergermarket.com
>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
>Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>Accept-Language: en-gb,en;q=0.5
>Accept-Encoding: gzip,deflate
>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>Keep-Alive: 300
>Connection: keep-alive
>Referer: https://crm.mergermarket.com/sugarcrm/index.php
>Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%2
>3contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true
>; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
>Content-Type: application/x-www-form-urlencoded
>Content-Length: 992
>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
>mod_security-action: 500
>
>992
>module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id= xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&pare
>nt_name=&parent_id=&email1=&industry=&etcetcetc
>
>HTTP/1.1 500 Internal Server Error
>Vary: Accept-Encoding
>Content-Encoding: gzip
>Content-Length: 342
>Connection: close
>Content-Type: text/html; charset=iso-8859-1
>
>###########################################################
>
>
>Can someone point me in the way to determine the rule number so I can exclude this from the installation?
>
>Thanks,
>-- 
> 
>Steve
> 
>
>_______________________________________________
>Modsecurity mailing list
>Modsecurity@gotroot.com
>http://lists.gotroot.com/mailman/listinfo/modsecurity
>
From dan at half-asleep.com  Tue May  2 09:32:45 2006
From: dan at half-asleep.com (Daniel Segall)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] Specific False Positive using SugarCRM
In-Reply-To: <T03amXak.1146576442.4171390.worlock@half-asleep.com>
Message-ID: <Hmwv20Ht.1146576765.4581100.worlock@half-asleep.com>


I'm sorry, I just reread that... I see what you are saying.

The rule that is being triggered is what I pasted. I usually just grep a
piece of it in /etc/modsecurity, then vim that file and find/comment out
the rule like:
grep meridia /etc/modsecurity/*
/etc/modsecurity/blacklist.conf:SecFilterSelective HTTP_Referer|ARGS
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}"

-Dan


On 5/2/2006, "Daniel Segall" <dan@half-asleep.com> wrote:

>
>The log that you copied is a valid trigger for drug spam. This has
>nothing to do with the CRM itself.
>
>>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
>>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
>
>-Dan
>
>
>On 5/2/2006, "Steve Cox" <Steve.Cox@mergermarket.com> wrote:
>
>>Hi,
>>
>>I'm getting a specific false positive using the mod_security rules - when running the SugarCRM system on Apache2.
>>
>>The false positive looks something specific here so I'm looking to create a local exception of the format:
>>
>><LocationMatch "/sugarcrm/index.php">
>>   SecFilterRemove xxxxxx
>></LocationMatch>
>>
>>But I don't know how to ascertain the rule number for the SecFilterRemove line.
>>
>>The reason for the false positive firing is that a user was entering CRm details on an account called something like: 'Meridian Inc'.
>>
>>The mod_security blacklist rule picked up Meridian as Meridia and blocked it.
>>
>>The audit_log entry is:
>>
>>###################################################################
>>
>>
>>Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
>>Handler: (null)
>>----------------------------------------
>>POST /sugarcrm/index.php HTTP/1.1
>>Host: crm.mergermarket.com
>>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
>>Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>Accept-Language: en-gb,en;q=0.5
>>Accept-Encoding: gzip,deflate
>>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>Keep-Alive: 300
>>Connection: keep-alive
>>Referer: https://crm.mergermarket.com/sugarcrm/index.php
>>Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%2
>>3contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true
>>; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
>>Content-Type: application/x-www-form-urlencoded
>>Content-Length: 992
>>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
>>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
>>mod_security-action: 500
>>
>>992
>>module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id= xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&pare
>>nt_name=&parent_id=&email1=&industry=&etcetcetc
>>
>>HTTP/1.1 500 Internal Server Error
>>Vary: Accept-Encoding
>>Content-Encoding: gzip
>>Content-Length: 342
>>Connection: close
>>Content-Type: text/html; charset=iso-8859-1
>>
>>###########################################################
>>
>>
>>Can someone point me in the way to determine the rule number so I can exclude this from the installation?
>>
>>Thanks,
>>-- 
>> 
>>Steve
>> 
>>
>>_______________________________________________
>>Modsecurity mailing list
>>Modsecurity@gotroot.com
>>http://lists.gotroot.com/mailman/listinfo/modsecurity
>>
>_______________________________________________
>Modsecurity mailing list
>Modsecurity@gotroot.com
>http://lists.gotroot.com/mailman/listinfo/modsecurity
>

-Dan
From gerard at whitecurve.com  Tue May  2 09:39:09 2006
From: gerard at whitecurve.com (Gerard Earley)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] Need help with phpnuke false positive
Message-ID: <445760FD.8080501@whitecurve.com>

I;m getting quite a lot of false positives with a particular site
running phpnuke and phpBB.

The actual log entry for the FP is



--74cc8768-A--
[02/May/2006:06:48:33 +0100] uLFUJdmgTNIAADAdndYAAAAZ 86.130.26.15 4175
212.227.78.130 80
--74cc8768-B--
POST /modules.php?name=Forums&file=posting HTTP/1.1
Host: www.bsminstructoracademy.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4)
Gecko/20030624 Netscape/7.1 (ax)
Accept:
application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
http://www.DOMAINNAME.co.uk/modules.php?name=Forums&file=posting&mode=reply&t=1293
Cookie: lang=english;
user=NTkyOm5pZ2VsX2FsbGVydG9uOmUxZmExMWIyMjlkYmFmZjBjOTQzYTM3NGE1OThmYmE2OjEwOjowOjA6MDowOjo0MDk2;
phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3
A6%3A%22userid%22%3Bs%3A3%3A%22592%22%3B%7D;
AWSUSER_ID=awsuser_id1146488586549r9026;
AWSSESSION_ID=awssession_id1146548072856r9621;
phpbb2mysql_sid=9516de4012f41a4bc88d5b8ba10ccef6; phpbb2mysql_t=a
%3A6%3A%7Bi%3A1298%3Bi%3A1146548080%3Bi%3A1288%3Bi%3A1146548326%3Bi%3A1294%3Bi%3A1146548680%3Bi%3A1292%3Bi%3A1146548686%3Bi%3A1299%3Bi%3A1146548704%3Bi%3A1293%3Bi%3A1146548747%3B%7D
Content-Type: application/x-www-form-urlencoded
Content-Length: 373

--74cc8768-C--
subject=&addbbcode18=%23003366&addbbcode20=12&helpbox=Tip%3A+Styles+can+be+applied+quickly+to+selected+text.&message=There+is+a+breakdown+van+in+Swindon+with+Norwich+Union+livery+on+it.++I+think+it+
has+been+around+from+before+the+takeover.++Presumably+NU+tried+to+get+into+the+breakdown+market+before+the+RAC+became+available.%0D%0A%0D%0ANigel&mode=reply&t=1293&post=Submit
--74cc8768-F--
HTTP/1.1 403 Forbidden
Last-Modified: Mon, 05 Dec 2005 17:35:40 GMT
ETag: "1e069fea-628-59027300"
Accept-Ranges: bytes
Content-Length: 1576
Connection: close
Content-Type: text/html

--74cc8768-H--
Message: Access denied with code 403. Pattern match
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
at POST_PAYLOAD [id "300016"] [rev "1"] [msg "Generic SQL inj
ection protection"] [severity "CRITICAL"]
Action: Intercepted (403)
Apache-Handler: php-script
Stopwatch: 1146548913263653 48820 (41620* 42866 -)
Producer: ModSecurity v1.9.4-rc1 (Apache 2.x)
Server: Apache/2.0.53 (Fedora) mod_perl/1.99_16 Perl/v5.8.5 DAV/2
mod_python/3.1.3 Python/2.3.4 mod_ssl/2.0.53 OpenSSL/0.9.7a
FrontPage/5.0.2.2635

--74cc8768-Z--


its triggering rule 300016 from rules.conf which is
SecFilterSelective ARGS
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
"id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"


now i thought i'd entered some suitable exclusions to the rules with
these two additions listed below but they seem not to work, any ideas
anyone?


<Location /modules.php?name=Forums&file=posting>
SecFilterRemove 300016
</Location>

<Location /modules.php?name=Private_Messages&file=index>
SecFilterRemove 300016
</Location>



Many tanks

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3326 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.gotroot.com/pipermail/modsecurity/attachments/20060502/343b4107/smime.bin
From Steve.Cox at mergermarket.com  Tue May  2 09:43:55 2006
From: Steve.Cox at mergermarket.com (Steve Cox)
Date: Mon Jan  7 18:22:31 2008
Subject: [BULK]  Re: [Modsecurity] Specific False Positive using SugarCRM
Message-ID: <F4992F986DA01540987CB941A13635F60216B861@gbr-lon-msg01.copse.mmforest.com>

Yes - I know - but the trigger was caused by a CRM user editing and
submitting a form for a customer called Meridian (picked up by the
meridian filter).

Now, with any such system, it could be triggered by just including a
spam sequence string in the form. So it is not a false positive in
general, but if for this installation instance.

I cut/obscurificated some of the URL from the log - not ideal in such a
report, but necessary I'm afraid as it includes personal contact
details, phone numbers for a customer. But the URL is a post into the
CRM system with the appropriate details that have been entered by a user
locally.

That was why I was asking on the best way to identify the rule's id so I
can exclude it locally in this installation.

Thanks,

Steve

> -----Original Message-----
> From: modsecurity-bounces@gotroot.com [mailto:modsecurity-
> bounces@gotroot.com] On Behalf Of Daniel Segall
> Sent: 02 May 2006 14:27
> To: modsecurity@gotroot.com
> Subject: [BULK] Re: [Modsecurity] Specific False Positive using
SugarCRM
> Importance: Low
> 
> 
> The log that you copied is a valid trigger for drug spam. This has
> nothing to do with the CRM itself.
> 
> >mod_security-message: Access denied with code 500. Pattern match
>
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitr
ip
> tyline|diethylprop
>
>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\
-
> _.]*\.[a-z]{2,}" at POST_PAYLOAD
> 
> -Dan
> 
> 
> On 5/2/2006, "Steve Cox" <Steve.Cox@mergermarket.com> wrote:
> 
> >Hi,
> >
> >I'm getting a specific false positive using the mod_security rules -
when
> running the SugarCRM system on Apache2.
> >
> >The false positive looks something specific here so I'm looking to
create
> a local exception of the format:
> >
> ><LocationMatch "/sugarcrm/index.php">
> >   SecFilterRemove xxxxxx
> ></LocationMatch>
> >
> >But I don't know how to ascertain the rule number for the
SecFilterRemove
> line.
> >
> >The reason for the false positive firing is that a user was entering
CRm
> details on an account called something like: 'Meridian Inc'.
> >
> >The mod_security blacklist rule picked up Meridian as Meridia and
blocked
> it.
> >
> >The audit_log entry is:
> >
> >###################################################################
> >
> >
> >Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST
> /sugarcrm/index.php HTTP/1.1" 500 342
> >Handler: (null)
> >----------------------------------------
> >POST /sugarcrm/index.php HTTP/1.1
> >Host: crm.mergermarket.com
> >User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB;
rv:1.8.0.2)
> Gecko/20060308 Firefox/1.5.0.2
> >Accept:
>
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;
> q=0.8,image/png,*/*;q=0.5
> >Accept-Language: en-gb,en;q=0.5
> >Accept-Encoding: gzip,deflate
> >Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> >Keep-Alive: 300
> >Connection: keep-alive
> >Referer: https://crm.mergermarket.com/sugarcrm/index.php
> >Cookie: Meetings_divs=contacts_v%3Dinline%23;
ck_login_id_20=xxxxxxxx-
> xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite;
> Calls_divs=users_v%3Dinline%2
> >3contacts_v%3Dinline%23; ck_login_language_20=en_us;
> Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true;
ck_lastview=true;
> showLeftCol=true; ck_record=true
> >; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
> >Content-Type: application/x-www-form-urlencoded
> >Content-Length: 992
> >mod_security-message: Access denied with code 500. Pattern match
>
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitr
ip
> tyline|diethylprop
>
>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\
-
> _.]*\.[a-z]{2,}" at POST_PAYLOAD
> >mod_security-action: 500
> >
> >992
> >module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-
> xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id=
> xxxxxxxx-xxxxxxx-xxxxx-
>
xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phon
e_
>
officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_
fa
> x=&pare
> >nt_name=&parent_id=&email1=&industry=&etcetcetc
> >
> >HTTP/1.1 500 Internal Server Error
> >Vary: Accept-Encoding
> >Content-Encoding: gzip
> >Content-Length: 342
> >Connection: close
> >Content-Type: text/html; charset=iso-8859-1
> >
> >###########################################################
> >
> >
> >Can someone point me in the way to determine the rule number so I can
> exclude this from the installation?
> >
> >Thanks,
> >--
> >
> >Steve
> >
> >
> >_______________________________________________
> >Modsecurity mailing list
> >Modsecurity@gotroot.com
> >http://lists.gotroot.com/mailman/listinfo/modsecurity
> >
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity


From Steve.Cox at mergermarket.com  Tue May  2 09:47:49 2006
From: Steve.Cox at mergermarket.com (Steve Cox)
Date: Mon Jan  7 18:22:31 2008
Subject: [BULK]  Re: [Modsecurity] Specific False Positive using SugarCRM
Message-ID: <F4992F986DA01540987CB941A13635F60216B862@gbr-lon-msg01.copse.mmforest.com>

Thanks,

The thing is I would like to keep that rule in place, just ignore it if
submitted from that particular URL. The reason why is that I'm guessing
that there will be a large number of local false positives with such CRM
posts. If I can get these ignored for the posting URL specifically,
it'll be much better than dropping a lot of the spam protection from the
whole server.

Much appreciated.



> -----Original Message-----
> From: modsecurity-bounces@gotroot.com [mailto:modsecurity-
> bounces@gotroot.com] On Behalf Of Daniel Segall
> Sent: 02 May 2006 14:33
> To: modsecurity@gotroot.com
> Subject: [BULK] Re: [Modsecurity] Specific False Positive using
SugarCRM
> Importance: Low
> 
> 
> I'm sorry, I just reread that... I see what you are saying.
> 
> The rule that is being triggered is what I pasted. I usually just grep
a
> piece of it in /etc/modsecurity, then vim that file and find/comment
out
> the rule like:
> grep meridia /etc/modsecurity/*
> /etc/modsecurity/blacklist.conf:SecFilterSelective HTTP_Referer|ARGS
>
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitr
ip
> tyline|diethylpropion|viagra|lisinopril|vig-
> ?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}"
> 
> -Dan
> 
> 
> On 5/2/2006, "Daniel Segall" <dan@half-asleep.com> wrote:
> 
> >
> >The log that you copied is a valid trigger for drug spam. This has
> >nothing to do with the CRM itself.
> >
> >>mod_security-message: Access denied with code 500. Pattern match
>
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitr
ip
> tyline|diethylprop
>
>>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w
\-
> _.]*\.[a-z]{2,}" at POST_PAYLOAD
> >
> >-Dan
> >
> >
> >On 5/2/2006, "Steve Cox" <Steve.Cox@mergermarket.com> wrote:
> >
> >>Hi,
> >>
> >>I'm getting a specific false positive using the mod_security rules -
> when running the SugarCRM system on Apache2.
> >>
> >>The false positive looks something specific here so I'm looking to
> create a local exception of the format:
> >>
> >><LocationMatch "/sugarcrm/index.php">
> >>   SecFilterRemove xxxxxx
> >></LocationMatch>
> >>
> >>But I don't know how to ascertain the rule number for the
> SecFilterRemove line.
> >>
> >>The reason for the false positive firing is that a user was entering
CRm
> details on an account called something like: 'Meridian Inc'.
> >>
> >>The mod_security blacklist rule picked up Meridian as Meridia and
> blocked it.
> >>
> >>The audit_log entry is:
> >>
> >>###################################################################
> >>
> >>
> >>Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST
> /sugarcrm/index.php HTTP/1.1" 500 342
> >>Handler: (null)
> >>----------------------------------------
> >>POST /sugarcrm/index.php HTTP/1.1
> >>Host: crm.mergermarket.com
> >>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB;
rv:1.8.0.2)
> Gecko/20060308 Firefox/1.5.0.2
> >>Accept:
>
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;
> q=0.8,image/png,*/*;q=0.5
> >>Accept-Language: en-gb,en;q=0.5
> >>Accept-Encoding: gzip,deflate
> >>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> >>Keep-Alive: 300
> >>Connection: keep-alive
> >>Referer: https://crm.mergermarket.com/sugarcrm/index.php
> >>Cookie: Meetings_divs=contacts_v%3Dinline%23;
ck_login_id_20=xxxxxxxx-
> xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite;
> Calls_divs=users_v%3Dinline%2
> >>3contacts_v%3Dinline%23; ck_login_language_20=en_us;
> Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true;
ck_lastview=true;
> showLeftCol=true; ck_record=true
> >>; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
> >>Content-Type: application/x-www-form-urlencoded
> >>Content-Length: 992
> >>mod_security-message: Access denied with code 500. Pattern match
>
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitr
ip
> tyline|diethylprop
>
>>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w
\-
> _.]*\.[a-z]{2,}" at POST_PAYLOAD
> >>mod_security-action: 500
> >>
> >>992
> >>module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-
> xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id=
> xxxxxxxx-xxxxxxx-xxxxx-
>
xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phon
e_
>
officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_
fa
> x=&pare
> >>nt_name=&parent_id=&email1=&industry=&etcetcetc
> >>
> >>HTTP/1.1 500 Internal Server Error
> >>Vary: Accept-Encoding
> >>Content-Encoding: gzip
> >>Content-Length: 342
> >>Connection: close
> >>Content-Type: text/html; charset=iso-8859-1
> >>
> >>###########################################################
> >>
> >>
> >>Can someone point me in the way to determine the rule number so I
can
> exclude this from the installation?
> >>
> >>Thanks,
> >>--
> >>
> >>Steve
> >>
> >>
> >>_______________________________________________
> >>Modsecurity mailing list
> >>Modsecurity@gotroot.com
> >>http://lists.gotroot.com/mailman/listinfo/modsecurity
> >>
> >_______________________________________________
> >Modsecurity mailing list
> >Modsecurity@gotroot.com
> >http://lists.gotroot.com/mailman/listinfo/modsecurity
> >
> 
> -Dan
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity


From eric.mar at prodeb.gov.br  Tue May  2 09:55:14 2006
From: eric.mar at prodeb.gov.br (Eric Marins)
Date: Mon Jan  7 18:22:31 2008
Subject: *****SPAM***** LOW *  Re: [Modsecurity] Specific False Positive using
	SugarCRM
References: <F4992F986DA01540987CB941A13635F60216B85F@gbr-lon-msg01.copse.mmforest.com>
Message-ID: <008501c66df0$09cc9960$2d10020a@cosop71>

Locate the rule with problem and append  "id:80,rev:2,severity:2,msg:'My 
block 80'"

Example: (your rule will be)
SecFilterSelective HTTP_Referer|ARGS 
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" 
"id:80,rev:2,severity:2,msg:'My block 80'"

and after change your policy to

<LocationMatch "/sugarcrm/index.php">
   SecFilterRemove 80
</LocationMatch>


----- Original Message ----- 
From: "Steve Cox" <Steve.Cox@mergermarket.com>
To: <modsecurity@gotroot.com>
Sent: Tuesday, May 02, 2006 9:19 AM
Subject: [Modsecurity] Specific False Positive using SugarCRM


Hi,

I'm getting a specific false positive using the mod_security rules - when 
running the SugarCRM system on Apache2.

The false positive looks something specific here so I'm looking to create a 
local exception of the format:

<LocationMatch "/sugarcrm/index.php">
   SecFilterRemove xxxxxx
</LocationMatch>

But I don't know how to ascertain the rule number for the SecFilterRemove 
line.

The reason for the false positive firing is that a user was entering CRm 
details on an account called something like: 'Meridian Inc'.

The mod_security blacklist rule picked up Meridian as Meridia and blocked 
it.

The audit_log entry is:

###################################################################


Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST 
/sugarcrm/index.php HTTP/1.1" 500 342
Handler: (null)
----------------------------------------
POST /sugarcrm/index.php HTTP/1.1
Host: crm.mergermarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) 
Gecko/20060308 Firefox/1.5.0.2
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://crm.mergermarket.com/sugarcrm/index.php
Cookie: Meetings_divs=contacts_v%3Dinline%23; 
ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; 
Calls_divs=users_v%3Dinline%2
3contacts_v%3Dinline%23; ck_login_language_20=en_us; 
Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; 
showLeftCol=true; ck_record=true
; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
Content-Type: application/x-www-form-urlencoded
Content-Length: 992
mod_security-message: Access denied with code 500. Pattern match 
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" 
at POST_PAYLOAD
mod_security-action: 500

992
module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id= 
xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&pare
nt_name=&parent_id=&email1=&industry=&etcetcetc

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 342
Connection: close
Content-Type: text/html; charset=iso-8859-1

###########################################################


Can someone point me in the way to determine the rule number so I can 
exclude this from the installation?

Thanks,
-- 

Steve


_______________________________________________
Modsecurity mailing list
Modsecurity@gotroot.com
http://lists.gotroot.com/mailman/listinfo/modsecurity

From chrisholloway at thumbtechs.com  Tue May  2 14:51:25 2006
From: chrisholloway at thumbtechs.com (Chris Holloway)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] modseucirty false positive phpmyadmin
Message-ID: <4457AA2D.3050209@thumbtechs.com>

Hello,

I am seeking help, I just added mod_security and the gotroot rules last 
week.  I have come across one false positive when I use phpmadmin, when 
I select browse, I will get an error that says I am not allowed to 
access sql.php

Here is the log:

Request: sqladmin.thumbtechs.net 216.212.52.98 - - [02/May/2006:11:34:58 
--0500] "GE
T 
/sql.php?lang=en-utf-8&server=1&collation_connection=utf8_general_ci&db=thumbtechs
&table=contact&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&s
ql_query=SELECT+%2A+FROM+%60contact%60&pos=0 HTTP/1.1" 403 209 
"http://sqladmin.thum
btechs.net/tbl_properties_structure.php?lang=en-utf-8&server=1&collation_connection=
utf8_general_ci&db=thumbtechs&table=contact" "Mozilla/4.0 (compatible; 
MSIE 6.0; Win
dows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 
wH8@Z38AAAEAABT8AxEAAAAh "
-"
Handler: php5-script
----------------------------------------
GET 
/sql.php?lang=en-utf-8&server=1&collation_connection=utf8_general_ci&db=thumbtec
hs&table=contact&goto=tbl_properties_structure.php&back=tbl_properties_structure.php
&sql_query=SELECT+%2A+FROM+%60contact%60&pos=0 HTTP/1.1
Accept: */*
Referer: 
http://sqladmin.thumbtechs.net/tbl_properties_structure.php?lang=en-utf-8&s
erver=1&collation_connection=utf8_general_ci&db=thumbtechs&table=contact
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.432
2; .NET CLR 2.0.50727)
Host: sqladmin.thumbtechs.net
Connection: Keep-Alive
Cookie: pma_theme=original; pma_collation_connection=utf8_general_ci; 
pma_lang=en-ut
f-8; pma_charset=iso-8859-1
Authorization: Basic cm9vdDpJY2FuU1BFTExnb29k
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match 
"(insert[[:space:]]
+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" at 
QUERY_STRING [i
d "300016"] [rev "1"] [msg "Generic SQL injection protection"] [severity 
"CRITICAL"]

HTTP/1.1 403 Forbidden
Content-Length: 209
Connection: close
Content-Type: text/html; charset=iso-8859-1
--4fedcf00--
From quien-sabe at metaorg.com  Tue May  2 20:42:34 2006
From: quien-sabe at metaorg.com (Who Knows)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] modseucirty false positive phpmyadmin
In-Reply-To: <4457AA2D.3050209@thumbtechs.com>
References: <4457AA2D.3050209@thumbtechs.com>
Message-ID: <4457FC7A.7070103@metaorg.com>

Chris Holloway wrote:
> Hello,
>
> I am seeking help, I just added mod_security and the gotroot rules 
> last week.  I have come across one false positive when I use 
> phpmadmin, when I select browse, I will get an error that says I am 
> not allowed to access sql.php
In my opinion there is a MAJOR problem with rule 300016 to start with. 
It is much to severe. The rule as I read it

 "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" 
at POST_PAYLOAD [id "300016"] [rev "1"] [msg "Generic SQL injection 
protection"] [severity "CRITICAL"]

will trigger any time a post  is made with text that includes the chars 
"select" followed at some point later in the post by the  chars "from". 
Notice I said chars because I just took a hit where the select was part 
of the a variable &postimageselect=97 and later in the post was the word 
from.

I want to be secure, but I also want to allow users a rich user experience.

Besides personally I don't see even how a malicious select is going to 
do much harm.

My $0.02.

Jim



From quien-sabe at metaorg.com  Sun May  7 15:01:02 2006
From: quien-sabe at metaorg.com (Who Knows)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] Help with falase positive please
Message-ID: <445E43EE.8000605@metaorg.com>

I attempted to reply to a PNphpBB@ forum message with the following 
contents:
"the word from working in quick reply does it work here too?"
The audit record and rule are shown below.
It is easy to see why rule 300016 triggered, because any post reply to 
the PNphpBB2 postnuke forum will trigger 300016 if it contains the word 
or sequence of characters "from".

What I don't understand is why it reached rule 300016 intially since 
rule 300015 chains to 300016.
Doesn't that mean rule 300016 is only evaluated if rule 300015 is a hit? 
Or am I simply mistaken?

There is an exculsion in exclude.conf:
#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilterRemove 300013
</LocationMatch>

I changed it to:
#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilterRemove 300013
SecFilterRemove 300016
</LocationMatch>

And I am still getting the audit hits. I expect the Location match 
syntax isn't
right, and I am continuing to test, but if anyone has some words of 
wisdom I would apppreciate it.
I already had to turn security off for one entire virtual host until I 
resolve this issue.

Regards,
Jim

==9f49fb77==============================
Request: www.nameobscured.com 67.135.233.237 - - [07/May/2006:14:12:48 
--0400] "POST /html/index.php?name=PNphpBB2&file=posting HTTP/1.1" 406 
399 
"http://www.nameobscured.com/html/index.php?name=PNphpBB2&file=posting&mode=reply&t=5813" 
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.2) Gecko/20060419 
Fedora/1.5.0.2-1.2.fc5 Firefox/1.5.0.2 pango-text" 
s5EvS0Ik8xIAAGNXlmoAAAAW "-"
----------------------------------------
POST /html/index.php?name=PNphpBB2&file=posting HTTP/1.1
Host: www.nameobscured.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.2) 
Gecko/20060419 Fedora/1.5.0.2-1.2.fc5 Firefox/1.5.0.2 pango-text
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: 
http://www.nameobscured.com/html/index.php?name=PNphpBB2&file=posting&mode=reply&t=5813
Cookie: POSTNUKESID=28e5cdad8dfb0f6feabd27c3ce940e32; 
pnphpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2224958%22%3B%7D; 
pnphpbb2mysql_sid=44b37ed7fbb88ad6683e54cd75740ea0; 
pnphpbb2mysql_t=a%3A1%3A%7Bi%3A5813%3Bi%3A1147023795%3B%7D
Content-Type: application/x-www-form-urlencoded
Content-Length: 229
mod_security-action: 406
mod_security-message: Access denied with code 406. Pattern match 
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" 
at POST_PAYLOAD [id "300016"] [rev "1"] [msg "Generic SQL injection 
protection"] [severity "CRITICAL"]

229
subject=&postimageselect=NONE&addbbcode18=%23444444&addbbcode20=12&helpbox=Tip%3A+Styles+can+be+applied+quickly+to+selected+text.&message=the+word+from+working+in+quick+reply+does+it+work+here+too%3F&mode=reply&t=5813&post=Submit

HTTP/1.1 406 Not Acceptable
Content-Length: 399
Connection: close
Content-Type: text/html; charset=iso-8859-1
--9f49fb77--

The rule(s) that hit are:
#Generic SQL sigs
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 
1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection 
protection'"
SecFilterSelective ARGS 
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" 
"id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective REQUEST_URI "!(/forum/posting\.php)" 
"chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS 
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" 


From quien-sabe at metaorg.com  Sun May  7 15:09:53 2006
From: quien-sabe at metaorg.com (Who Knows)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] Help with falase positive please
In-Reply-To: <445E43EE.8000605@metaorg.com>
References: <445E43EE.8000605@metaorg.com>
Message-ID: <445E4601.9010207@metaorg.com>

Who Knows wrote:
> I attempted to reply to a PNphpBB@ forum message with the following 
> contents:
> "the word from working in quick reply does it work here too?"
> The audit record and rule are shown below.
> It is easy to see why rule 300016 triggered, because any post reply to 
> the PNphpBB2 postnuke forum will trigger 300016 if it contains the 
> word or sequence of characters "from".
>
> What I don't understand is why it reached rule 300016 intially since 
> rule 300015 chains to 300016.
> Doesn't that mean rule 300016 is only evaluated if rule 300015 is a 
> hit? Or am I simply mistaken?
>
> There is an exculsion in exclude.conf:
> #PhpBB posting
> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
> SecFilterRemove 300013
> </LocationMatch>
>
> I changed it to:
> #PhpBB posting
> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
> SecFilterRemove 300013
> SecFilterRemove 300016
> </LocationMatch>
>
> And I am still getting the audit hits. I expect the Location match 
> syntax isn't
> right, and I am continuing to test, but if anyone has some words of 
> wisdom I would apppreciate it.
> I already had to turn security off for one entire virtual host until I 
> resolve this issue.
Okay, I found the answer to the LocationMatch issue ( i think ), but if 
my answer is correct many of the
current exclusions are not working and we'll find it quite difficult to 
create precise exclusions. According
to a post regarding LocationMatch in another problematic expression it 
was noted that,
"<LocationMatch> directive does not look at the query string as part of 
the URL" therefore the above
and MANY other exclusions are not working.

From quien-sabe at metaorg.com  Sun May  7 16:29:28 2006
From: quien-sabe at metaorg.com (Who Knows)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] Help with falase positive please
In-Reply-To: <445E4601.9010207@metaorg.com>
References: <445E43EE.8000605@metaorg.com> <445E4601.9010207@metaorg.com>
Message-ID: <445E58A8.3050602@metaorg.com>

Who Knows wrote:
> Who Knows wrote:
>> I attempted to reply to a PNphpBB@ forum message with the following 
>> contents:
>> "the word from working in quick reply does it work here too?"
>> The audit record and rule are shown below.
>> It is easy to see why rule 300016 triggered, because any post reply 
>> to the PNphpBB2 postnuke forum will trigger 300016 if it contains the 
>> word or sequence of characters "from".
>>
>> What I don't understand is why it reached rule 300016 intially since 
>> rule 300015 chains to 300016.
>> Doesn't that mean rule 300016 is only evaluated if rule 300015 is a 
>> hit? Or am I simply mistaken?
>>
>> There is an exculsion in exclude.conf:
>> #PhpBB posting
>> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
>> SecFilterRemove 300013
>> </LocationMatch>
>>
>> I changed it to:
>> #PhpBB posting
>> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
>> SecFilterRemove 300013
>> SecFilterRemove 300016
>> </LocationMatch>
>>
>> And I am still getting the audit hits. I expect the Location match 
>> syntax isn't
>> right, and I am continuing to test, but if anyone has some words of 
>> wisdom I would apppreciate it.
>> I already had to turn security off for one entire virtual host until 
>> I resolve this issue.
> Okay, I found the answer to the LocationMatch issue ( i think ), but 
> if my answer is correct many of the
> current exclusions are not working and we'll find it quite difficult 
> to create precise exclusions. According
> to a post regarding LocationMatch in another problematic expression it 
> was noted that,
> "<LocationMatch> directive does not look at the query string as part 
> of the URL" therefore the above
> and MANY other exclusions are not working.
>
Okay I have the rule fixed for this instance using the rules.patch
below. The only problem is that I know
there is at least one other ! uri that must be added. How are we going
to manage these more complex
exclustions?

I again raise my objections to such a restrictive rule. If the part that
is currently:

|select.+from|

Was changed to:

|[[:space:]]select[[:space:]].+[[:space:]]from[[:space:]]|

The exclusion url above would at lease require the two words to be in a
post before hitting.

the patch:
--- rules.conf.orig	2006-05-07 12:18:26.000000000 -0700
+++ rules.conf	2006-05-07 13:11:23.000000000 -0700
@@ -124,7 +124,7 @@
  #Generic SQL sigs
  SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 
1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection 
protection'"
  SecFilterSelective ARGS 
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" 
"id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
-SecFilterSelective REQUEST_URI "!(/forum/posting\.php)" 
"chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
+SecFilterSelective REQUEST_URI 
"!(/forum/posting\.php)|(/html/index\.php\?name=PNphpBB2&file=posting)" 
"chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
  SecFilterSelective ARGS 
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" 




regards for now,
ji




From quien-sabe at metaorg.com  Sun May  7 17:25:00 2006
From: quien-sabe at metaorg.com (Who Knows)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] another rule based exclusion for postnuke
Message-ID: <445E65AC.9090100@metaorg.com>

The patch below provides an exclusion to allow posting javascript in 
postnuke admin messages.

i could not get it any better for matching than admin.php

You can see my audit record at: http://www.wtfo-guru.com/pub/auditentry1.bz2

Please note the entry may contain mature content by your standards.

My patch is:
--- rules.conf.orig    2006-05-07 12:18:26.000000000 -0700
+++ rules.conf    2006-05-07 14:04:25.000000000 -0700
@@ -445,7 +445,7 @@
 
 #cross site scripting stealth attempt to execute Javascript code
 #may false alarm for some language sets
-SecFilterSelective REQUEST_URI 
"!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" 
chain
+SecFilterSelective REQUEST_URI 
"!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=|/admin\.php)" 
chain
 SecFilter 
"(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
 
 #cross site scripting HTML Image tag set to javascript attempt

From mike at gotroot.com  Mon May 15 09:52:50 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan  7 18:22:31 2008
Subject: [Modsecurity] New releases
Message-ID: <1147701170.5660.2.camel@localhost.localdomain>

Actually quite a few over the weekend, just havent had time to finish
the diffs yet.  Some of these include new signatures for some very
popular applications that have known vulnerabilities in, to include
SugarCRM.  Please let me know if you have any problems with the latest
signatures.

Full automation of this process is coming soon.  Something more like
clamav's update process, and yep you will be able to define your
rulesets so that new rules don't clobber ones you modify or turn off.
Will still be some time before that is finished, but the code is coming
along nicely.

RBLs will be supported officially as soon as 2.0 is out of dev, at the
very least badips.conf will be gone.  Its in RBL form now, so if you
want to use the RBL, yet me know.  Keep in mind the 2.0 code may have
bugs.

-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com