[Modsecurity] Need help with phpnuke false positive

Gerard Earley gerard at whitecurve.com
Tue May 2 09:39:09 EDT 2006


I'm getting quite a lot of false positives with a particular site
running phpnuke and phpBB.

The actual log entry for the FP is



--74cc8768-A--
[02/May/2006:06:48:33 +0100] uLFUJdmgTNIAADAdndYAAAAZ 86.130.26.15 4175
212.227.78.130 80
--74cc8768-B--
POST /modules.php?name=Forums&file=posting HTTP/1.1
Host: www.bsminstructoracademy.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.DOMAINNAME.co.uk/modules.php?name=Forums&file=posting&mode=reply&t=1293
Cookie: lang=english;
user=NTkyOm5pZ2VsX2FsbGVydG9uOmUxZmExMWIyMjlkYmFmZjBjOTQzYTM3NGE1OThmYmE2OjEwOjowOjA6MDowOjo0MDk2;
phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A3%3A%22592%22%3B%7D;
AWSUSER_ID=awsuser_id1146488586549r9026;
AWSSESSION_ID=awssession_id1146548072856r9621;
phpbb2mysql_sid=9516de4012f41a4bc88d5b8ba10ccef6; phpbb2mysql_t=a%3A6%3A%7Bi%3A1298%3Bi%3A1146548080%3Bi%3A1288%3Bi%3A1146548326%3Bi%3A1294%3Bi%3A1146548680%3Bi%3A1292%3Bi%3A1146548686%3Bi%3A1299%3Bi%3A1146548704%3Bi%3A1293%3Bi%3A1146548747%3B%7D
Content-Type: application/x-www-form-urlencoded
Content-Length: 373

--74cc8768-C--
subject=&addbbcode18=%23003366&addbbcode20=12&helpbox=Tip%3A+Styles+can+be+applied+quickly+to+selected+text.&message=There+is+a+breakdown+van+in+Swindon+with+Norwich+Union+livery+on+it.++I+think+it+has+been+around+from+before+the+takeover.++Presumably+NU+tried+to+get+into+the+breakdown+market+before+the+RAC+became+available.%0D%0A%0D%0ANigel&mode=reply&t=1293&post=Submit
--74cc8768-F--
HTTP/1.1 403 Forbidden
Last-Modified: Mon, 05 Dec 2005 17:35:40 GMT
ETag: "1e069fea-628-59027300"
Accept-Ranges: bytes
Content-Length: 1576
Connection: close
Content-Type: text/html

--74cc8768-H--
Message: Access denied with code 403. Pattern match
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
at POST_PAYLOAD [id "300016"] [rev "1"] [msg "Generic SQL injection protection"]
[severity "CRITICAL"]
Action: Intercepted (403)
Apache-Handler: php-script
Stopwatch: 1146548913263653 48820 (41620* 42866 -)
Producer: ModSecurity v1.9.4-rc1 (Apache 2.x)
Server: Apache/2.0.53 (Fedora) mod_perl/1.99_16 Perl/v5.8.5 DAV/2 mod_python/3.1.3 Python/2.3.4 mod_ssl/2.0.53 OpenSSL/0.9.7a FrontPage/5.0.2.2635

--74cc8768-Z--


It's triggering rule 300016 from rules.conf, which is:

SecFilterSelective ARGS
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
"id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"


Now I thought I'd entered some suitable exclusions to the rules with
the two additions listed below, but they seem not to work. Any ideas,
anyone?


<Location /modules.php?name=Forums&file=posting>
SecFilterRemove 300016
</Location>

<Location /modules.php?name=Private_Messages&file=index>
SecFilterRemove 300016
</Location>



Many thanks
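
Editor's note with an added, runnable example (this is not code from the post, from the ModSecurity project, or from phpNuke/phpBB). It reproduces the false positive by running rule 300016's pattern, copied verbatim from the post, over the URL-decoded POST body from the audit log above: the `select.+from` alternative matches "selected text ... around from", ordinary forum English, because the pattern has no word boundaries. A tightened variant with `\b` anchors (an editorial suggestion, not a project rule) is run on the same body and on a constructed attack string to show the difference. The second half models why the two `<Location>` exclusions never fire: a plain Apache `<Location>` compares against the URL path only, so the `?name=Forums&file=posting` part of the location is compared against a path that never contains it. Assumptions: the `(?i)` flag (whether 1.9.x applied the filter case-insensitively does not affect this all-lowercase sample), the `attackBody` string, and the simplified `locationMatches` model of Apache's prefix matching.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Rule 300016's pattern, copied from the post. Go's RE2 engine accepts the
// POSIX [[:space:]] class, so the pattern is used unchanged. The (?i) flag is
// an assumption about 1.9.x behaviour; the sample body is lowercase anyway.
var rule300016 = regexp.MustCompile(
	`(?i)(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)`)

// Editorial tightened variant (not from the post or the project): word
// boundaries stop "selected ... from" matching while "select ... from" still does.
var tightened = regexp.MustCompile(
	`(?i)(\binsert\s+into\b.+\bvalues\b|\bselect\b.+\bfrom\b|\bbulk\s+insert\b|\bunion\b.+\bselect\b)`)

// Raw POST body from section C of the audit log in the post (wrapped lines joined).
const postBody = "subject=&addbbcode18=%23003366&addbbcode20=12&helpbox=Tip%3A+Styles+can+be+applied+quickly+to+selected+text.&message=There+is+a+breakdown+van+in+Swindon+with+Norwich+Union+livery+on+it.++I+think+it+has+been+around+from+before+the+takeover.++Presumably+NU+tried+to+get+into+the+breakdown+market+before+the+RAC+became+available.%0D%0A%0D%0ANigel&mode=reply&t=1293&post=Submit"

// Constructed attack body (assumption), used to confirm the tightened rule still fires.
const attackBody = "message=x%27+union+select+password+from+users--"

// decodePayload applies the URL decoding ModSecurity performs on a form body
// before its filters see it ('+' becomes a space, %XX is unescaped).
func decodePayload(raw string) string {
	s, err := url.QueryUnescape(raw)
	if err != nil {
		panic(err)
	}
	return s
}

// firstMatch returns the exact substring a rule matched, or "" for no match.
func firstMatch(re *regexp.Regexp, payload string) string {
	loc := re.FindStringIndex(payload)
	if loc == nil {
		return ""
	}
	return payload[loc[0]:loc[1]]
}

// locationMatches is a simplified model (assumption, not Apache's code) of how
// a plain, non-regex <Location> is matched: the query string is stripped from
// the request URI and the location must be a path-segment prefix of what remains.
func locationMatches(location, requestURI string) bool {
	path := requestURI
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	loc := strings.TrimSuffix(location, "/")
	return path == loc || strings.HasPrefix(path, loc+"/")
}

func main() {
	decoded := decodePayload(postBody)
	fmt.Printf("rule 300016 matched: %q\n", firstMatch(rule300016, decoded))
	fmt.Printf("tightened matched:   %q\n", firstMatch(tightened, decoded))
	fmt.Printf("tightened vs attack: %q\n", firstMatch(tightened, decodePayload(attackBody)))

	uri := "/modules.php?name=Forums&file=posting"
	fmt.Println("<Location /modules.php?name=Forums&file=posting> applies:",
		locationMatches("/modules.php?name=Forums&file=posting", uri))
	fmt.Println("<Location /modules.php> applies:", locationMatches("/modules.php", uri))
}
```

Running it shows the original rule's match starting at "selected text" and ending at "around from", no match from the tightened pattern on the forum post, a match from the tightened pattern on the constructed `union select` body, and that only a `<Location /modules.php>` block (which would then cover every phpnuke module, since the module is selected by the query string) matches the request path.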
