[Modsecurity] Specific False Positive using SugarCRM
Daniel Segall
dan at half-asleep.com
Tue May 2 09:27:22 EDT 2006
The log that you copied is a valid trigger for drug spam. This has
nothing to do with the CRM itself.
>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
-Dan
On 5/2/2006, "Steve Cox" <Steve.Cox at mergermarket.com> wrote:
>Hi,
>
>I'm getting a specific false positive using the mod_security rules - when running the SugarCRM system on Apache2.
>
>The false positive looks something specific here so I'm looking to create a local exception of the format:
>
><LocationMatch "/sugarcrm/index.php">
> SecFilterRemove xxxxxx
></LocationMatch>
>
>But I don't know how to ascertain the rule number for the SecFilterRemove line.
>
>The reason for the false positive firing is that a user was entering CRm details on an account called something like: 'Meridian Inc'.
>
>The mod_security blacklist rule picked up Meridian as Meridia and blocked it.
>
>The audit_log entry is:
>
>###################################################################
>
>
>Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
>Handler: (null)
>----------------------------------------
>POST /sugarcrm/index.php HTTP/1.1
>Host: crm.mergermarket.com
>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
>Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>Accept-Language: en-gb,en;q=0.5
>Accept-Encoding: gzip,deflate
>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>Keep-Alive: 300
>Connection: keep-alive
>Referer: https://crm.mergermarket.com/sugarcrm/index.php
>Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%2
>3contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true
>; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
>Content-Type: application/x-www-form-urlencoded
>Content-Length: 992
>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
>ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
>mod_security-action: 500
>
>992
>module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id= xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&pare
>nt_name=&parent_id=&email1=&industry=&etcetcetc
>
>HTTP/1.1 500 Internal Server Error
>Vary: Accept-Encoding
>Content-Encoding: gzip
>Content-Length: 342
>Connection: close
>Content-Type: text/html; charset=iso-8859-1
>
>###########################################################
>
>
>Can someone point me in the way to determine the rule number so I can exclude this from the installation?
>
>Thanks,
>--
>
>Steve
>
>
>_______________________________________________
>Modsecurity mailing list
>Modsecurity at gotroot.com
>http://lists.gotroot.com/mailman/listinfo/modsecurity
>
More information about the Modsecurity
mailing list