[Modsecurity] Specific False Positive using SugarCRM
Steve Cox
Steve.Cox at mergermarket.com
Tue May 2 08:19:42 EDT 2006
Hi,
I'm getting a specific false positive using the mod_security rules - when running the SugarCRM system on Apache2.
The false positive looks something specific here so I'm looking to create a local exception of the format:
<LocationMatch "/sugarcrm/index.php">
SecFilterRemove xxxxxx
</LocationMatch>
But I don't know how to ascertain the rule number for the SecFilterRemove line.
The reason for the false positive firing is that a user was entering CRm details on an account called something like: 'Meridian Inc'.
The mod_security blacklist rule picked up Meridian as Meridia and blocked it.
The audit_log entry is:
###################################################################
Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
Handler: (null)
----------------------------------------
POST /sugarcrm/index.php HTTP/1.1
Host: crm.mergermarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://crm.mergermarket.com/sugarcrm/index.php
Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%2
3contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true
; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
Content-Type: application/x-www-form-urlencoded
Content-Length: 992
mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
mod_security-action: 500
992
module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id= xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&pare
nt_name=&parent_id=&email1=&industry=&etcetcetc
HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 342
Connection: close
Content-Type: text/html; charset=iso-8859-1
###########################################################
Can someone point me in the way to determine the rule number so I can exclude this from the installation?
Thanks,
--
Steve
More information about the Modsecurity
mailing list