Re: [Modsecurity] Specific False Positive using SugarCRM

Eric Marins eric.mar at prodeb.gov.br
Tue May 2 09:55:14 EDT 2006


Locate the rule with the problem and append "id:80,rev:2,severity:2,msg:'My block 80'"

Example: (your rule will be)
SecFilterSelective HTTP_Referer|ARGS "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" "id:80,rev:2,severity:2,msg:'My block 80'"

and then change your policy to

<LocationMatch "/sugarcrm/index.php">
   SecFilterRemove 80
</LocationMatch>
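As an added example (my own code, not the list's and not part of ModSecurity), this Python script does the bookkeeping the reply describes: it pulls the quoted pattern out of the mod_security-message line of an audit-log entry, re-joins it if a mail client wrapped it, finds the SecFilter/SecFilterSelective line carrying that pattern in a rules file, reports the id if the rule already has one, and otherwise emits the tagged rule and the SecFilterRemove block. The audit-log excerpt and the rules file are constructed (modelled on the entry quoted further down); id 80 and the /sugarcrm/index.php location are the values used in the reply.

```python
import re

# Constructed audit-log excerpt, modelled on the entry quoted in the original
# message below; the wrapped lines are kept on purpose to show the re-joining step.
AUDIT_ENTRY = r'''mod_security-message: Access denied with code 500. Pattern match 
"(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylprop
ion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" 
at POST_PAYLOAD
mod_security-action: 500
'''

# Constructed rules-file excerpt: the first filter carries no id action (the
# situation the reply addresses), the second already has one.
RULES_FILE = r'''SecFilterEngine On
SecFilterSelective HTTP_Referer|ARGS "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}"
SecFilterSelective ARGS "\.\./" "id:10,rev:1,severity:2,msg:'My block 10'"
'''

MESSAGE_RE = re.compile(r'Pattern match\s+"(?P<pattern>.*?)"\s+at\s+(?P<location>\S+)', re.S)
ID_RE = re.compile(r"\bid:(\d+)")


def extract_pattern(entry):
    """Return (pattern, location) from a mod_security-message line, or None.
    Line breaks inside the quoted pattern (mail wrapping) are removed."""
    m = MESSAGE_RE.search(entry)
    if not m:
        return None
    pattern = re.sub(r"\s*\n\s*", "", m.group("pattern"))
    return pattern, m.group("location")


def find_rules(rules_text, pattern):
    """Return (line_number, directive, rule_id_or_None) for every SecFilter or
    SecFilterSelective line whose quoted pattern equals the logged one."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith("SecFilter"):
            continue
        if '"' + pattern + '"' not in stripped:
            continue
        directive = stripped.split()[0]
        m = ID_RE.search(stripped)
        hits.append((lineno, directive, int(m.group(1)) if m else None))
    return hits


def tag_rule(line, rule_id, msg):
    """Append the action list the reply recommends to a rule that has none."""
    return "{} \"id:{},rev:2,severity:2,msg:'{}'\"".format(line.rstrip(), rule_id, msg)


def removal_block(rule_id, location):
    """The per-location exception from the reply, for the given id."""
    return ('<LocationMatch "{}">\n'
            '   SecFilterRemove {}\n'
            '</LocationMatch>').format(location, rule_id)


def triage(entry, rules_text, location="/sugarcrm/index.php", new_id=80):
    """Tie the steps together: pattern -> rule line -> id -> exception block."""
    found = extract_pattern(entry)
    if not found:
        return None
    pattern, where = found
    hits = find_rules(rules_text, pattern)
    result = {"pattern": pattern, "location": where, "hits": hits}
    if hits and hits[0][2] is None:
        # Rule has no id yet: tag it as the reply suggests, then it can be removed.
        line = rules_text.splitlines()[hits[0][0] - 1]
        result["tagged_rule"] = tag_rule(line, new_id, "My block {}".format(new_id))
        result["rule_id"] = new_id
    elif hits:
        result["rule_id"] = hits[0][2]
    if "rule_id" in result:
        result["exception"] = removal_block(result["rule_id"], location)
    return result


if __name__ == "__main__":
    for key, value in triage(AUDIT_ENTRY, RULES_FILE).items():
        print(key, "=>", value)
```

Run against a real audit_log and a real rules file the same way: read both files, pass their contents to triage(), and paste the tagged rule back over the untagged line before adding the LocationMatch block to the policy.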


----- Original Message ----- 
From: "Steve Cox" <Steve.Cox at mergermarket.com>
To: <modsecurity at gotroot.com>
Sent: Tuesday, May 02, 2006 9:19 AM
Subject: [Modsecurity] Specific False Positive using SugarCRM


Hi,

I'm getting a specific false positive using the mod_security rules when 
running the SugarCRM system on Apache2.

The false positive looks like something specific here, so I'm looking to create a 
local exception of the format:

<LocationMatch "/sugarcrm/index.php">
   SecFilterRemove xxxxxx
</LocationMatch>

But I don't know how to ascertain the rule number for the SecFilterRemove 
line.

The reason for the false positive firing is that a user was entering CRM 
details on an account called something like: 'Meridian Inc'.

The mod_security blacklist rule picked up Meridian as Meridia and blocked 
it.

The audit_log entry is:

###################################################################


Request: 69.64.x.x - - [28/Apr/2006:14:40:03 +0100] "POST /sugarcrm/index.php HTTP/1.1" 500 342
Handler: (null)
----------------------------------------
POST /sugarcrm/index.php HTTP/1.1
Host: crm.mergermarket.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://crm.mergermarket.com/sugarcrm/index.php
Cookie: Meetings_divs=contacts_v%3Dinline%23; ck_login_id_20=xxxxxxxx-xxxxxxx-xxxxx-xxxx; ck_login_theme_20=SugarLite; Calls_divs=users_v%3Dinline%23contacts_v%3Dinline%23; ck_login_language_20=en_us; Users_divs=aclroles_v%3Dinline%23; ck_shortcuts=true; ck_lastview=true; showLeftCol=true; ck_record=true; PHPSESSID=9ff5cec1e37e310aecaacdb3dc7265bd
Content-Type: application/x-www-form-urlencoded
Content-Length: 992
mod_security-message: Access denied with code 500. Pattern match "(silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|xenical|adipex|meridia)+[\w\-_.]*\.[a-z]{2,}" at POST_PAYLOAD
mod_security-action: 500

992
module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id=&return_module=Accounts&return_id=xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView&button=++Save++&name=Meridian+xxxxxxx&phone_officexxxxxxxxxxxx&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx&phone_fax=&parent_name=&parent_id=&email1=&industry=&etcetcetc

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 342
Connection: close
Content-Type: text/html; charset=iso-8859-1

###########################################################


Can someone point me in the way to determine the rule number so I can 
exclude this from the installation?

Thanks,
-- 

Steve
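As an added example (my own code, not part of Steve's post or of the rule set), this Python snippet reproduces why the rule fires on this request: it URL-decodes a constructed POST body modelled on the one in the log and runs the logged pattern over each form field. The hit is in the website field, where "meridia" is followed by "n" and further word characters and then a dotted suffix, which is exactly the shape the pattern is written to catch. A narrowed variant with a negative lookahead is included to illustrate one less blunt alternative; it is my suggestion and its trade-off is stated in the comments. Case-insensitive matching is an assumption about how the 1.x engine compiles its patterns and makes no difference to this payload.

```python
import re
from urllib.parse import parse_qsl

# Drug-name alternation from the blacklist rule quoted in the audit log above.
TERMS = ("silagra|morphine|ritalin|levitra|lolita|carisoprodol|phentermine|"
         "amitriptyline|diethylpropion|viagra|lisinopril|vig-?rx|zyban|valtex|"
         "xenical|adipex|meridia")

# The rule's pattern exactly as logged: a term, any run of word characters,
# dashes, underscores or dots, then a dot and a TLD-like suffix.
BLACKLIST_RE = r"(" + TERMS + r")+[\w\-_.]*\.[a-z]{2,}"

# Narrowed variant (my suggestion, not the list's rule): the term must not be
# directly followed by another letter, so "meridian..." no longer qualifies while
# "meridia-pills.example" or "meridia.example" still match. The trade-off is that a
# run-together host such as "meridiarx.example" would slip past this version.
NARROWED_RE = r"(" + TERMS + r")(?![a-z])[\w\-_.]*\.[a-z]{2,}"

# Constructed POST body, modelled on (and redacted like) the payload in the log.
CONSTRUCTED_PAYLOAD = (
    "module=Accounts&record=xxxxxxxx-xxxxxxx-xxxxx-xxxx&action=Save&case_id=&bug_id="
    "&return_module=Accounts&return_id=xxxxxxxx-xxxxxxx-xxxxx-xxxx&return_action=DetailView"
    "&button=++Save++&name=Meridian+xxxxxxx&phone_office="
    "&website=http%3A%2F%2Fwww.meridianxxxxxx.xxxxxx"
    "&phone_fax=&parent_name=&parent_id=&email1=&industry="
)


def scan_fields(body, pattern):
    """URL-decode a form body and return (field, matched_text) for every field the
    pattern fires on. Case-insensitive matching is assumed (see the lead-in)."""
    regex = re.compile(pattern, re.IGNORECASE)
    hits = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        m = regex.search(value)
        if m:
            hits.append((field, m.group(0)))
    return hits


if __name__ == "__main__":
    # The original pattern fires on the website field only: the account name
    # "Meridian xxxxxxx" has a space after the "n", so it never reaches the dot.
    print("original:", scan_fields(CONSTRUCTED_PAYLOAD, BLACKLIST_RE))
    print("narrowed:", scan_fields(CONSTRUCTED_PAYLOAD, NARROWED_RE))
    # A constructed spam-style host still trips the narrowed pattern.
    print("narrowed on spam host:",
          scan_fields("website=http%3A%2F%2Fbuy.meridia-pills.example%2F", NARROWED_RE))
```

Whatever pattern is kept, the per-location SecFilterRemove exception from the reply is the safer first change: it only relaxes the rule for the SugarCRM save path rather than for every request the server handles.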


_______________________________________________
Modsecurity mailing list
Modsecurity at gotroot.com
http://lists.gotroot.com/mailman/listinfo/modsecurity


