[Modsecurity] Specific False Positive using SugarCRM

Daniel Segall dan at half-asleep.com
Tue May 2 09:32:45 EDT 2006


I'm sorry, I just reread that... I see what you are saying.

The rule that is being triggered is what I pasted. I usually just grep a
piece of it in /etc/modsecurity, then vim that file and find/comment out
the rule like:
grep meridia /etc/modsecurity/*
/etc/modsecurity/blacklist.conf:SecFilterSelective HTTP_Referer|ARGS "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}"

-Dan


On 5/2/2006, "Daniel Segall" <dan at half-asleep.com> wrote:

>
>The log that you copied is a valid trigger for drug spam. This has
>nothing to do with the CRM itself.
>
>>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
>
>-Dan
>
>
>On 5/2/2006, "Steve Cox" <Steve.Cox at mergermarket.com> wrote:
>
>>Hi,
>>
>>I'm getting a specific false positive using the mod_security rules - when running the SugarCRM system on Apache2.
>>
>>The false positive looks something specific here so I'm looking to create a local exception of the format:
>>
>><LocationMatch "/sugarcrm/index.php">
>>   SecFilterRemove xxxxxx
>></LocationMatch>
>>
>>But I don't know how to ascertain the rule number for the SecFilterRemove line.
>>
>>The reason for the false positive firing is that a user was entering CRM details on an account called something like: 'Meridian Inc'.
>>
>>The mod_security blacklist rule picked up Meridian as Meridia and blocked it.
>>
>>The audit_log entry is:
>>
>>###################################################################
>>
>>
>>Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
>>Handler: (null)
>>----------------------------------------
>>POST /sugarcrm/index.php HTTP/1.1
>>Host: crm.mergermarket.com
>>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
>>Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>Accept-Language: en-gb,en;q=0.5
>>Accept-Encoding: gzip,deflate
>>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>Keep-Alive: 300
>>Connection: keep-alive
>>Referer: https://crm.mergermarket.com/sugarcrm/index.php
>>Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%23contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
>>Content-Type: application/x-www-form-urlencoded
>>Content-Length: 992
>>mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
>>mod_security-action: 500
>>
>>992
>>module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id= xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&parent_name=&parent_id=&email1=&industry=&etcetcetc
>>
>>HTTP/1.1 500 Internal Server Error
>>Vary: Accept-Encoding
>>Content-Encoding: gzip
>>Content-Length: 342
>>Connection: close
>>Content-Type: text/html; charset=iso-8859-1
>>
>>###########################################################
>>
>>
>>Can someone point me in the way to determine the rule number so I can exclude this from the installation?
>>
>>Thanks,
>>-- 
>> 
>>Steve
>> 
>>
>>_______________________________________________
>>Modsecurity mailing list
>>Modsecurity at gotroot.com
>>http://lists.gotroot.com/mailman/listinfo/modsecurity
>>
>

-Dan
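As an added illustration (not code from this thread or from the mod_security project), the script below reproduces the false positive offline: it takes the blacklist pattern quoted in the audit_log entry, runs it over each decoded field of a POST body shaped like the one Steve posted, and reports which field and which substring the filter caught. This is the triage step that tells you whether to relax the rule or, as Steve intends, scope an exception to the SugarCRM location. The sample body is constructed, with the redacted values replaced by made-up text; the assumption that mod_security 1.x matches case-insensitively is mine and is marked in the code.

```python
import re
from urllib.parse import parse_qsl

# The SecFilterSelective pattern quoted in the audit_log entry above.
DRUG_SPAM_RE = (
    r"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|"
    r"amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|"
    r"xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}"
)

# Assumption: mod_security 1.x compiles SecFilter patterns case-insensitively,
# so "Meridian" and "meridian" behave the same way the log shows.
PATTERN = re.compile(DRUG_SPAM_RE, re.IGNORECASE)

# Constructed sample modelled on the POST body in the thread; the redacted
# values (xxxxxxx) are replaced with invented ones.
SAMPLE_BODY = (
    "module=Accounts&action=Save&return_module=Accounts&button=++Save++"
    "&name=Meridian+Holdings"
    "&website=http%3A%2F%2Fwww.meridianholdings.example"
    "&phone_fax=&parent_name="
)


def find_matches(body):
    """Decode a urlencoded form body field by field (as ARGS are inspected)
    and return (field, matched_substring) for every field the filter hits."""
    hits = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        m = PATTERN.search(value)
        if m:
            hits.append((field, m.group(0)))
    return hits


if __name__ == "__main__":
    hits = find_matches(SAMPLE_BODY)
    if not hits:
        print("no field matches the blacklist pattern")
    for field, text in hits:
        # The drug-name alternation only anchors the start of the match; the
        # trailing [\w\-_.]*\.[a-z]{2,} then swallows the rest of a hostname,
        # which is why a legitimate "meridian..." domain trips the filter.
        print(f"field {field!r} matched {text!r}")
```

Running it shows that the account name on its own survives (nothing after "Meridian" satisfies the trailing `\.[a-z]{2,}`), while the website field does not: "meridia" is a prefix of "meridian" and the rest of the hostname completes the domain-like tail the rule looks for. That tells you the collision is structural to the pattern rather than a stray character, so a location-scoped exception or a rewritten rule is the right response, not a user-side workaround.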

