[Modsecurity] Help with false positive please

Who Knows quien-sabe at metaorg.com
Sun May 7 15:01:02 EDT 2006


I attempted to reply to a PNphpBB2 forum message with the following 
contents:
"the word from working in quick reply does it work here too?"
The audit record and rule are shown below.
It is easy to see why rule 300016 triggered, because any post reply to 
the PNphpBB2 postnuke forum will trigger 300016 if it contains the word 
or sequence of characters "from".

What I don't understand is why it reached rule 300016 initially since 
rule 300015 chains to 300016.
Doesn't that mean rule 300016 is only evaluated if rule 300015 is a hit? 
Or am I simply mistaken?

There is an exclusion in exclude.conf:
#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilterRemove 300013
</LocationMatch>

I changed it to:
#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilterRemove 300013
SecFilterRemove 300016
</LocationMatch>

And I am still getting the audit hits. I expect the Location match 
syntax isn't right, and I am continuing to test, but if anyone has some 
words of wisdom I would appreciate it.
I already had to turn security off for one entire virtual host until I 
resolve this issue.

Regards,
Jim

==9f49fb77==============================
Request: www.nameobscured.com 67.135.233.237 - - [07/May/2006:14:12:48 
--0400] "POST /html/index.php?name=PNphpBB2&file=posting HTTP/1.1" 406 
399 
"http://www.nameobscured.com/html/index.php?name=PNphpBB2&file=posting&mode=reply&t=5813" 
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.2) Gecko/20060419 
Fedora/1.5.0.2-1.2.fc5 Firefox/1.5.0.2 pango-text" 
s5EvS0Ik8xIAAGNXlmoAAAAW "-"
----------------------------------------
POST /html/index.php?name=PNphpBB2&file=posting HTTP/1.1
Host: www.nameobscured.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.2) 
Gecko/20060419 Fedora/1.5.0.2-1.2.fc5 Firefox/1.5.0.2 pango-text
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: 
http://www.nameobscured.com/html/index.php?name=PNphpBB2&file=posting&mode=reply&t=5813
Cookie: POSTNUKESID=28e5cdad8dfb0f6feabd27c3ce940e32; 
pnphpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2224958%22%3B%7D; 
pnphpbb2mysql_sid=44b37ed7fbb88ad6683e54cd75740ea0; 
pnphpbb2mysql_t=a%3A1%3A%7Bi%3A5813%3Bi%3A1147023795%3B%7D
Content-Type: application/x-www-form-urlencoded
Content-Length: 229
mod_security-action: 406
mod_security-message: Access denied with code 406. Pattern match 
"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" 
at POST_PAYLOAD [id "300016"] [rev "1"] [msg "Generic SQL injection 
protection"] [severity "CRITICAL"]

229
subject=&postimageselect=NONE&addbbcode18=%23444444&addbbcode20=12&helpbox=Tip%3A+Styles+can+be+applied+quickly+to+selected+text.&message=the+word+from+working+in+quick+reply+does+it+work+here+too%3F&mode=reply&t=5813&post=Submit

HTTP/1.1 406 Not Acceptable
Content-Length: 399
Connection: close
Content-Type: text/html; charset=iso-8859-1
--9f49fb77--

The rule(s) that hit are:
#Generic SQL sigs
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective REQUEST_URI "!(/forum/posting\.php)" "chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
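Added example, not code from the post or from the ModSecurity project: a small Python model of how the chained rule 300016 and the exclude.conf LocationMatch from this message are evaluated, run over the request line and POST body copied from the audit record above. It assumes the 1.x semantics visible on the page: a "chain" link gates the next link, a leading "!" negates a SecFilterSelective regex, and ARGS is matched as one decoded payload string (the audit message reports the match "at POST_PAYLOAD"); case-insensitive matching is an assumption. It applies the LocationMatch regex to the URL path only, which is how Apache evaluates <LocationMatch>.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Request line and urlencoded body, constructed from the audit record in the post.
REQUEST_URI = "/html/index.php?name=PNphpBB2&file=posting"
POST_BODY = (
    "subject=&postimageselect=NONE&addbbcode18=%23444444&addbbcode20=12"
    "&helpbox=Tip%3A+Styles+can+be+applied+quickly+to+selected+text."
    "&message=the+word+from+working+in+quick+reply+does+it+work+here+too%3F"
    "&mode=reply&t=5813&post=Submit"
)

# Chained rule 300016 as listed in the post: first link on REQUEST_URI (negated),
# second link on ARGS. With "chain", the second link runs only if the first matched.
RULE_300016 = [
    ("REQUEST_URI", r"!(/forum/posting\.php)"),
    ("ARGS", r"(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"),
]

# The LocationMatch pattern from the exclude.conf quoted in the post.
LOCATIONMATCH_ORIGINAL = r"/index.php?name=PNphpBB2&file=posting&mode=reply.*"


def to_python_regex(pattern):
    """1.x rules use the POSIX [[:space:]] class; Python's re wants the \\s escape."""
    return pattern.replace("[[:space:]]", r"\s")


def variable_value(name, request_uri, body):
    """Build the string a 1.x rule is matched against.
    ARGS is modelled as the decoded query string plus the decoded POST payload,
    one string rather than one parameter at a time: the audit message
    'at POST_PAYLOAD' in the post shows the match was made on the whole payload."""
    if name == "REQUEST_URI":
        return request_uri
    if name == "ARGS":
        query = urlsplit(request_uri).query
        return unquote_plus(query) + "&" + unquote_plus(body)
    raise ValueError("unsupported variable: " + name)


def selective_match(pattern, value):
    """SecFilterSelective semantics: a leading '!' negates the regex.
    Case-insensitive matching is an assumption (irrelevant for this sample)."""
    negate = pattern.startswith("!")
    regex = to_python_regex(pattern[1:] if negate else pattern)
    hit = re.search(regex, value, re.IGNORECASE) is not None
    return hit != negate


def matched_fragment(pattern, value):
    """Return the text a non-negated rule regex matched, to see what the rule saw."""
    m = re.search(to_python_regex(pattern), value, re.IGNORECASE)
    return m.group(0) if m else None


def chain_fires(chain, request_uri, body):
    """Evaluate a chained rule: each link runs only if the previous one matched
    (all() short-circuits), and the rule fires only when every link matched."""
    return all(selective_match(p, variable_value(v, request_uri, body)) for v, p in chain)


def location_matches(regex, request_uri):
    """Apache compares a <LocationMatch> regex against the path component of the
    URL only; the query string is never part of what the regex sees."""
    path = urlsplit(request_uri).path
    return re.search(regex, path) is not None


if __name__ == "__main__":
    print("300016 fires:", chain_fires(RULE_300016, REQUEST_URI, POST_BODY))
    args = variable_value("ARGS", REQUEST_URI, POST_BODY)
    print("text matched by the ARGS link:", matched_fragment(RULE_300016[1][1], args))
    print("original LocationMatch matches:", location_matches(LOCATIONMATCH_ORIGINAL, REQUEST_URI))
    print("path-only pattern matches:", location_matches(r"^/html/index\.php$", REQUEST_URI))
```

Running it shows three things about this request. The REQUEST_URI link of 300016 matches because the PostNuke URL is /html/index.php rather than /forum/posting.php, so the built-in exclusion never applies. The alternative select.+from matches from the postimageselect parameter all the way to the word "from" in the message, so any reply sent through this form that contains "from" will be denied. And the LocationMatch pattern never matches because the query string is not part of what Apache compares (the "?" in it is also a regex quantifier); a path-only pattern such as ^/html/index\.php$ does match, at the cost of removing the rule for every request to that script.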