From c.manfredini at gmail.com Thu Nov 2 05:39:51 2006
From: c.manfredini at gmail.com (Cristian Manfredini)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] false positive for domino webmail
Message-ID: <7f476adb0611020239tb7acec9vfc9b78142e5e04d1@mail.gmail.com>
This rule is a false positive for domino 6.5 webmail in N-20060928-01
version of rules.conf
#Generic XSS filter
#please report false positives
SecFilterSelective REQUEST_URI "!/mt\.cgi" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
Other exclusion rules are:
SecFilterRemove 300015
SecFilterRemove 300016
--
Cristian
_______________
Dott. Cristian Manfredini
Provincia di Reggio Emilia
http://www.cristianmanfredini.it
From mike at gotroot.com Thu Nov 2 09:05:08 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] false positive for domino webmail
In-Reply-To: <7f476adb0611020239tb7acec9vfc9b78142e5e04d1@mail.gmail.com>
References: <7f476adb0611020239tb7acec9vfc9b78142e5e04d1@mail.gmail.com>
Message-ID: <1162476308.29231.2.camel@localhost.localdomain>
Thank you for the report. Can you send me your audit_log entries for
this false positive? I'll work on a better exception for this issue
based on your data.
On Thu, 2006-11-02 at 11:39 +0100, Cristian Manfredini wrote:
> This rule is a false positive for domino 6.5 webmail in N-20060928-01
> version of rules.conf
>
> #Generic XSS filter
> #please report false positives
> SecFilterSelective REQUEST_URI "!/mt\.cgi" chain
> SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
>
> Other exclusion rules are:
>
>
> SecFilterRemove 300015
> SecFilterRemove 300016
>
>
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
From c.manfredini at gmail.com Thu Nov 2 09:49:51 2006
From: c.manfredini at gmail.com (Cristian Manfredini)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] false positive for domino webmail
In-Reply-To: <1162476308.29231.2.camel@localhost.localdomain>
References: <7f476adb0611020239tb7acec9vfc9b78142e5e04d1@mail.gmail.com>
<1162476308.29231.2.camel@localhost.localdomain>
Message-ID: <7f476adb0611020649t2ec5523eqb5bfa8d3c696f412@mail.gmail.com>
Sure, but I need to delete some private data.
I hope my alterations will not create confusion.
This log entry caused the exclusion of rule "300015":
[Thu Nov 02 10:55:32 2006] [error] [client xxx.xx.x.50] mod_security:
Access denied with code 403. Pattern match
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection
protection"] [severity "2"] [hostname "webmail.italian.domain.it"]
[uri "/mail/pop%5CMyUsername.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;Memo"]
This log entry caused the exclusion of rule "300016":
[Thu Nov 02 10:58:51 2006] [error] [client xxx.xx.x.50] mod_security:
Access denied with code 500. Pattern match
"(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\\\(.*from)"
at POST_PAYLOAD [id "300016"] [rev "2"] [msg "Generic SQL injection
protection"] [severity "2"] [hostname "webmail.italian.domain.it"]
[uri "/mail/pop%5CMyUsername.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;Memo"]
This log entry caused the suggested rule removal in rules.conf:
[Thu Nov 02 11:15:43 2006] [error] [client xxx.xx.x.50] mod_security:
Access denied with code 500. Pattern match
"<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
at POST_PAYLOAD [hostname "webmail.italian.domain.it"] [uri
"/mail/pop%5CMyUsername.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;Memo"]
2006/11/2, Michael Shinn :
> Thank you for the report. Can you send me your audit_log entries for
> this false positive? I'll work on a better exception for this issue
> based on your data.
>
> On Thu, 2006-11-02 at 11:39 +0100, Cristian Manfredini wrote:
> > This rule is a false positive for domino 6.5 webmail in N-20060928-01
> > version of rules.conf
> >
> > #Generic XSS filter
> > #please report false positives
> > SecFilterSelective REQUEST_URI "!/mt\.cgi" chain
> > SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
> >
> > Other exclusion rules are:
> >
> >
> > SecFilterRemove 300015
> > SecFilterRemove 300016
> >
> >
> --
> Michael T. Shinn KeyID:0xDAE2EC86
> Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
>
> Got Root? http://www.gotroot.com
> modsecurity rules: http://www.modsecurityrules.com
> Troubleshooting Firewalls: http://troubleshootingfirewalls.com
>
>
--
Cristian
_______________
Dott. Cristian Manfredini
Provincia di Reggio Emilia
http://www.cristianmanfredini.it
From lerra82 at gmail.com Thu Nov 2 16:03:23 2006
From: lerra82 at gmail.com (Lezgin Bakircioglu)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] false positive for phpwebsite
Message-ID: <454A5D1B.8090902@gmail.com>
PHPWEBSITE 0.10.2
http://phpwebsite.appstate.edu/
This one only occurs when "translating" is done; phpwebsite is a CMS
and has a feature to easily translate it into several languages.
========================================
Request: 80.217.xx.xx - - [02/Nov/2006:20:31:27 +0100] "POST /index.php
HTTP/1.1" 500 1215
Handler: (null)
----------------------------------------
POST /index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel, applica$
Referer: http://www.notGiven.com/index.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322)
Host: www.notGiven.com
Content-Length: 3081
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:
c2015d495dce986de881d2c6cbab16a0=047db13d17f3367e433c5609a38e80ce;
015b063e12bd831a46d0759581b01f93[users][js_on]=1
mod_security-message: Access denied with code 500. Pattern match
"select.+from" at POST_PAYLOAD
mod_security-action: 500
3081
module=language&lng_adm_op=edit_phrase_action&language=tr&mode=missing&lng_edit_module%5B1055%5D=layout&lng_edit_phrase%5B1055%5D=User+option+updated&lng_edit_translation%5B1055%5D=User+option+updated&lng_edit_id%5B1080%5D=1&lng_edit_module%5B1080%5D=menuman&lng_edit_phrase%5B1080%5D=0&lng_edit_translation%5B1080%5D=0&lng_edit_module%5B1066%5D=menuman&lng_edit_phrase%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_translation%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_module%5B1059%5D=menuman&lng_edit_phrase%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_translation%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_module%5B1065%5D=menuman&lng_edit_phrase%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and+their+sub-items%3F&lng_edit_translation%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and
+their+sub-items%3F&lng_edit_modullng_edit_phrase%5B1057%5D=Delete+an+image&lng_edit_translation%5B1057%5D=Delete+an+image&lng_edit_module%5B1058%5D=menuman&lng_edit_phrase%5B1058%5D=Delete+Image+Confirmation&lng_edit_translation%5B1058%5D=Delete+Image+Confirmation&lng_edit_module%5B1064%5D=menuman&lng_edit_phrase%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_translation%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_module%5B1062%5D=menuman&lng_edit_phrase%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_translation%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_module%5B1060%5D=menuman&lng_edit_phrase%5B1060%5D=Image+Deleted&lng_edit_translation%5B1060%5D=Image+Deleted&lng_edit_module%5B1078%5D=menuman&lng_edit_phrase%5B1078%5D=no+guest&lng_edit_translation%5B1078%5D=no+guest&lng_edit_module%5B1061%5D=menuman&lng_edit_phrase%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&lng_edit_tran
slation%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&ln_edit_module%5B1082%5D=menuman&lng_edit_phrase%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_translation%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_module%5B1083%5D=menuman&lng_edit_phrase%5B1083%5D=Visitors&lng_edit_translation%5B1083%5D=Visitors&lng_edit_module%5B1081%5D=menuman&lng_edit_phrase%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_translation%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_module%5B1079%5D=menuman&lng_edit_phrase%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_translation%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_module%5B1073%5D=pagemaster&lng_edit_phrase%5B1073%5D=ATTENTION%21&lng_edit_translation%5B1073%5D=ATTENTION%21&lng_edit_module%5B1074%5D=pagemaster&lng_edit_phrase%5B1074%5D=Edit+Section&lng_edit_translation%5B1074%5D=Edit+Section&lng_edit_module%5B1068%5D=pagemaster&lng_edit_phrase%5B1068%5D=New+Section&lng_edit_translation%5B1068%5D=New+Section&lng_edit_module%
5B1067%5D=pagemaster&lng_edit_phrase%5B1067%5D=Remove&lng_edit_translation%5B1067%5D=Remove
From mike at gotroot.com Fri Nov 3 11:50:04 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] false positive for phpwebsite
In-Reply-To: <454A5D1B.8090902@gmail.com>
References: <454A5D1B.8090902@gmail.com>
Message-ID: <1162572604.5236.38.camel@localhost.localdomain>
Thank you for the report. Can you tell me which version of the rules
you are running and which rules? Also, are you running any other rules
not from gotroot?
On Thu, 2006-11-02 at 22:03 +0100, Lezgin Bakircioglu wrote:
> PHPWEBSITE 0.10.2
> http://phpwebsite.appstate.edu/
>
> This one only occurs when "translating" is done; phpwebsite is a CMS
> and has a feature to easily translate it into several languages.
>
> ========================================
> Request: 80.217.xx.xx - - [02/Nov/2006:20:31:27 +0100] "POST /index.php
> HTTP/1.1" 500 1215
> Handler: (null)
> ----------------------------------------
> POST /index.php HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel, applica$
> Referer: http://www.notGiven.com/index.php
> Accept-Language: en-us
> Content-Type: application/x-www-form-urlencoded
> XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
> CLR 1.1.4322)
> Host: www.notGiven.com
> Content-Length: 3081
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie:
> c2015d495dce986de881d2c6cbab16a0=047db13d17f3367e433c5609a38e80ce;
> 015b063e12bd831a46d0759581b01f93[users][js_on]=1
> mod_security-message: Access denied with code 500. Pattern match
> "select.+from" at POST_PAYLOAD
> mod_security-action: 500
>
> 3081
> module=language&lng_adm_op=edit_phrase_action&language=tr&mode=missing&lng_edit_module%5B1055%5D=layout&lng_edit_phrase%5B1055%5D=User+option+updated&lng_edit_translation%5B1055%5D=User+option+updated&lng_edit_id%5B1080%5D=1&lng_edit_module%5B1080%5D=menuman&lng_edit_phrase%5B1080%5D=0&lng_edit_translation%5B1080%5D=0&lng_edit_module%5B1066%5D=menuman&lng_edit_phrase%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_translation%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_module%5B1059%5D=menuman&lng_edit_phrase%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_translation%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_module%5B1065%5D=menuman&lng_edit_phrase%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and+their+sub-items%3F&lng_edit_translation%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and
> +their+sub-items%3F&lng_edit_modullng_edit_phrase%5B1057%5D=Delete+an+image&lng_edit_translation%5B1057%5D=Delete+an+image&lng_edit_module%5B1058%5D=menuman&lng_edit_phrase%5B1058%5D=Delete+Image+Confirmation&lng_edit_translation%5B1058%5D=Delete+Image+Confirmation&lng_edit_module%5B1064%5D=menuman&lng_edit_phrase%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_translation%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_module%5B1062%5D=menuman&lng_edit_phrase%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_translation%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_module%5B1060%5D=menuman&lng_edit_phrase%5B1060%5D=Image+Deleted&lng_edit_translation%5B1060%5D=Image+Deleted&lng_edit_module%5B1078%5D=menuman&lng_edit_phrase%5B1078%5D=no+guest&lng_edit_translation%5B1078%5D=no+guest&lng_edit_module%5B1061%5D=menuman&lng_edit_phrase%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&lng_edit_tran
> slation%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&ln_edit_module%5B1082%5D=menuman&lng_edit_phrase%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_translation%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_module%5B1083%5D=menuman&lng_edit_phrase%5B1083%5D=Visitors&lng_edit_translation%5B1083%5D=Visitors&lng_edit_module%5B1081%5D=menuman&lng_edit_phrase%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_translation%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_module%5B1079%5D=menuman&lng_edit_phrase%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_translation%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_module%5B1073%5D=pagemaster&lng_edit_phrase%5B1073%5D=ATTENTION%21&lng_edit_translation%5B1073%5D=ATTENTION%21&lng_edit_module%5B1074%5D=pagemaster&lng_edit_phrase%5B1074%5D=Edit+Section&lng_edit_translation%5B1074%5D=Edit+Section&lng_edit_module%5B1068%5D=pagemaster&lng_edit_phrase%5B1068%5D=New+Section&lng_edit_translation%5B1068%5D=New+Section&lng_edit_module%
> 5B1067%5D=pagemaster&lng_edit_phrase%5B1067%5D=Remove&lng_edit_translation%5B1067%5D=Remove
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
From lerra82 at gmail.com Fri Nov 3 13:00:35 2006
From: lerra82 at gmail.com (Lezgin Bakircioglu)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] false positive for phpwebsite
In-Reply-To: <1162572604.5236.38.camel@localhost.localdomain>
References: <454A5D1B.8090902@gmail.com>
<1162572604.5236.38.camel@localhost.localdomain>
Message-ID: <454B83C3.8080404@gmail.com>
Sorry, I remember now that you sent out a mail about what a report should include.
I run the Debian package of mod_security,
and rule version N-20060205-01.
I am running almost all rules besides a couple (like the one that denies
Google bot etc.) and no other rules besides gotroot's.
Michael Shinn skrev:
> Thank you for the report. Can you tell me which version of the rules
> you are running and which rules? Also, are you running any other rules
> not from gotroot?
>
> On Thu, 2006-11-02 at 22:03 +0100, Lezgin Bakircioglu wrote:
>> PHPWEBSITE 0.10.2
>> http://phpwebsite.appstate.edu/
>>
>> This one only occurs when "translating" is done; phpwebsite is a CMS
>> and has a feature to easily translate it into several languages.
>>
>> ========================================
>> Request: 80.217.xx.xx - - [02/Nov/2006:20:31:27 +0100] "POST /index.php
>> HTTP/1.1" 500 1215
>> Handler: (null)
>> ----------------------------------------
>> POST /index.php HTTP/1.1
>> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
>> application/x-shockwave-flash, application/vnd.ms-excel, applica$
>> Referer: http://www.notGiven.com/index.php
>> Accept-Language: en-us
>> Content-Type: application/x-www-form-urlencoded
>> XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
>> CLR 1.1.4322)
>> Host: www.notGiven.com
>> Content-Length: 3081
>> Connection: Keep-Alive
>> Cache-Control: no-cache
>> Cookie:
>> c2015d495dce986de881d2c6cbab16a0=047db13d17f3367e433c5609a38e80ce;
>> 015b063e12bd831a46d0759581b01f93[users][js_on]=1
>> mod_security-message: Access denied with code 500. Pattern match
>> "select.+from" at POST_PAYLOAD
>> mod_security-action: 500
>>
>> 3081
>> module=language&lng_adm_op=edit_phrase_action&language=tr&mode=missing&lng_edit_module%5B1055%5D=layout&lng_edit_phrase%5B1055%5D=User+option+updated&lng_edit_translation%5B1055%5D=User+option+updated&lng_edit_id%5B1080%5D=1&lng_edit_module%5B1080%5D=menuman&lng_edit_phrase%5B1080%5D=0&lng_edit_translation%5B1080%5D=0&lng_edit_module%5B1066%5D=menuman&lng_edit_phrase%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_translation%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_module%5B1059%5D=menuman&lng_edit_phrase%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_translation%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_module%5B1065%5D=menuman&lng_edit_phrase%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and+their+sub-items%3F&lng_edit_translation%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+
and
>> +their+sub-items%3F&lng_edit_modullng_edit_phrase%5B1057%5D=Delete+an+image&lng_edit_translation%5B1057%5D=Delete+an+image&lng_edit_module%5B1058%5D=menuman&lng_edit_phrase%5B1058%5D=Delete+Image+Confirmation&lng_edit_translation%5B1058%5D=Delete+Image+Confirmation&lng_edit_module%5B1064%5D=menuman&lng_edit_phrase%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_translation%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_module%5B1062%5D=menuman&lng_edit_phrase%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_translation%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_module%5B1060%5D=menuman&lng_edit_phrase%5B1060%5D=Image+Deleted&lng_edit_translation%5B1060%5D=Image+Deleted&lng_edit_module%5B1078%5D=menuman&lng_edit_phrase%5B1078%5D=no+guest&lng_edit_translation%5B1078%5D=no+guest&lng_edit_module%5B1061%5D=menuman&lng_edit_phrase%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&lng_edit_
tran
>> slation%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&ln_edit_module%5B1082%5D=menuman&lng_edit_phrase%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_translation%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_module%5B1083%5D=menuman&lng_edit_phrase%5B1083%5D=Visitors&lng_edit_translation%5B1083%5D=Visitors&lng_edit_module%5B1081%5D=menuman&lng_edit_phrase%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_translation%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_module%5B1079%5D=menuman&lng_edit_phrase%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_translation%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_module%5B1073%5D=pagemaster&lng_edit_phrase%5B1073%5D=ATTENTION%21&lng_edit_translation%5B1073%5D=ATTENTION%21&lng_edit_module%5B1074%5D=pagemaster&lng_edit_phrase%5B1074%5D=Edit+Section&lng_edit_translation%5B1074%5D=Edit+Section&lng_edit_module%5B1068%5D=pagemaster&lng_edit_phrase%5B1068%5D=New+Section&lng_edit_translation%5B1068%5D=New+Section&lng_edit_mod
ule%
>> 5B1067%5D=pagemaster&lng_edit_phrase%5B1067%5D=Remove&lng_edit_translation%5B1067%5D=Remove
>> _______________________________________________
>> Modsecurity mailing list
>> Modsecurity@gotroot.com
>> http://lists.gotroot.com/mailman/listinfo/modsecurity
From mike at gotroot.com Fri Nov 3 17:20:18 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] false positive for phpwebsite
In-Reply-To: <454B83C3.8080404@gmail.com>
References: <454A5D1B.8090902@gmail.com>
<1162572604.5236.38.camel@localhost.localdomain>
<454B83C3.8080404@gmail.com>
Message-ID: <1162592418.5236.73.camel@localhost.localdomain>
Thank you for the follow up. What happens if you run the latest version
of the rules? They should not have this problem, but it is possible I may
have missed something. Please let me know how they worked for you.
On Fri, 2006-11-03 at 19:00 +0100, Lezgin Bakircioglu wrote:
> Sorry, I remember now that you sent out a mail about what a report should include.
> I run the Debian package of mod_security,
> and rule version N-20060205-01.
> I am running almost all rules besides a couple (like the one that denies
> Google bot etc.) and no other rules besides gotroot's.
>
> Michael Shinn skrev:
> > Thank you for the report. Can you tell me which version of the rules
> > you are running and which rules? Also, are you running any other rules
> > not from gotroot?
> >
> > On Thu, 2006-11-02 at 22:03 +0100, Lezgin Bakircioglu wrote:
> >> PHPWEBSITE 0.10.2
> >> http://phpwebsite.appstate.edu/
> >>
> >> This one only occurs when "translating" is done; phpwebsite is a CMS
> >> and has a feature to easily translate it into several languages.
> >>
> >> ========================================
> >> Request: 80.217.xx.xx - - [02/Nov/2006:20:31:27 +0100] "POST /index.php
> >> HTTP/1.1" 500 1215
> >> Handler: (null)
> >> ----------------------------------------
> >> POST /index.php HTTP/1.1
> >> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> >> application/x-shockwave-flash, application/vnd.ms-excel, applica$
> >> Referer: http://www.notGiven.com/index.php
> >> Accept-Language: en-us
> >> Content-Type: application/x-www-form-urlencoded
> >> XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
> >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
> >> CLR 1.1.4322)
> >> Host: www.notGiven.com
> >> Content-Length: 3081
> >> Connection: Keep-Alive
> >> Cache-Control: no-cache
> >> Cookie:
> >> c2015d495dce986de881d2c6cbab16a0=047db13d17f3367e433c5609a38e80ce;
> >> 015b063e12bd831a46d0759581b01f93[users][js_on]=1
> >> mod_security-message: Access denied with code 500. Pattern match
> >> "select.+from" at POST_PAYLOAD
> >> mod_security-action: 500
> >>
> >> 3081
> >> module=language&lng_adm_op=edit_phrase_action&language=tr&mode=missing&lng_edit_module%5B1055%5D=layout&lng_edit_phrase%5B1055%5D=User+option+updated&lng_edit_translation%5B1055%5D=User+option+updated&lng_edit_id%5B1080%5D=1&lng_edit_module%5B1080%5D=menuman&lng_edit_phrase%5B1080%5D=0&lng_edit_translation%5B1080%5D=0&lng_edit_module%5B1066%5D=menuman&lng_edit_phrase%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_translation%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_module%5B1059%5D=menuman&lng_edit_phrase%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_translation%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_module%5B1065%5D=menuman&lng_edit_phrase%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and+their+sub-items%3F&lng_edit_translation%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+
> and
> >> +their+sub-items%3F&lng_edit_modullng_edit_phrase%5B1057%5D=Delete+an+image&lng_edit_translation%5B1057%5D=Delete+an+image&lng_edit_module%5B1058%5D=menuman&lng_edit_phrase%5B1058%5D=Delete+Image+Confirmation&lng_edit_translation%5B1058%5D=Delete+Image+Confirmation&lng_edit_module%5B1064%5D=menuman&lng_edit_phrase%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_translation%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_module%5B1062%5D=menuman&lng_edit_phrase%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_translation%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_module%5B1060%5D=menuman&lng_edit_phrase%5B1060%5D=Image+Deleted&lng_edit_translation%5B1060%5D=Image+Deleted&lng_edit_module%5B1078%5D=menuman&lng_edit_phrase%5B1078%5D=no+guest&lng_edit_translation%5B1078%5D=no+guest&lng_edit_module%5B1061%5D=menuman&lng_edit_phrase%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&lng_edit_
> tran
> >> slation%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&ln_edit_module%5B1082%5D=menuman&lng_edit_phrase%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_translation%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_module%5B1083%5D=menuman&lng_edit_phrase%5B1083%5D=Visitors&lng_edit_translation%5B1083%5D=Visitors&lng_edit_module%5B1081%5D=menuman&lng_edit_phrase%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_translation%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_module%5B1079%5D=menuman&lng_edit_phrase%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_translation%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_module%5B1073%5D=pagemaster&lng_edit_phrase%5B1073%5D=ATTENTION%21&lng_edit_translation%5B1073%5D=ATTENTION%21&lng_edit_module%5B1074%5D=pagemaster&lng_edit_phrase%5B1074%5D=Edit+Section&lng_edit_translation%5B1074%5D=Edit+Section&lng_edit_module%5B1068%5D=pagemaster&lng_edit_phrase%5B1068%5D=New+Section&lng_edit_translation%5B1068%5D=New+Section&lng_edit_mod
> ule%
> >> 5B1067%5D=pagemaster&lng_edit_phrase%5B1067%5D=Remove&lng_edit_translation%5B1067%5D=Remove
> >> _______________________________________________
> >> Modsecurity mailing list
> >> Modsecurity@gotroot.com
> >> http://lists.gotroot.com/mailman/listinfo/modsecurity
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
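An added example (not part of the original posts, and not gotroot's code) that runs the three patterns quoted in the Domino and phpwebsite reports above against sample input, to show exactly where the matches come from. The phpwebsite translation phrase is taken from the POST body in that report; the webmail sentence, the stray-bracket line and the two injection strings are constructed. It assumes the engine URL-decodes the request before matching (the encoded phpwebsite body could not have matched "select.+from" otherwise) and, as a further assumption, that the filters are applied case-insensitively.

```python
import re
from urllib.parse import unquote_plus

# Patterns copied from the audit-log entries in the Domino and phpwebsite
# reports above: gotroot rules 300015 and 300016 and the unnumbered generic
# XSS filter. They use the POSIX class [[:space:]], which Python's re does
# not know, so compile_rule() rewrites it to \s.
RULES = {
    "300015": r"((alter|create|drop)[[:space:]]+(column|database|procedure|table)"
              r"|delete[[:space:]]+from|update.+set.+=)",
    "300016": r"(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]"
              r"|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)",
    "xss":    r"<[[:space:]]*(script|about|applet|activex|chrome)*>"
              r".*(script|about|applet|activex|chrome)[[:space:]]*>",
}


def compile_rule(pattern: str) -> re.Pattern:
    """Compile a gotroot-style pattern the way the engine would apply it.

    Assumption: the filters are matched case-insensitively. The log entries
    on this page do not say, and the samples below match either way.
    """
    return re.compile(pattern.replace("[[:space:]]", r"\s"), re.IGNORECASE)


COMPILED = {rid: compile_rule(p) for rid, p in RULES.items()}

# ModSecurity URL-decodes the request before matching, so the samples are
# decoded the same way before the patterns see them.
BENIGN = {
    # Decoded translation phrase taken from the phpwebsite POST body above.
    "phpwebsite translation": unquote_plus(
        "lng_edit_phrase%5B1066%5D=All+selected+menu+items+and+sub-items"
        "+were+successfully+deleted+from+the+database."
    ),
    # Constructed: plain English of the kind a webmail draft body contains.
    "mail body": "Please select the attachments from the shared folder "
                 "and update the set of slides = final.",
    # Constructed: no tag name between < and >, yet the XSS filter fires,
    # because the trailing * makes the (script|about|...) group optional.
    "stray angle brackets": "a <> b, see </noscript>",
}
ATTACKS = {  # constructed injection strings the rules are meant to catch
    "union select": "id=1' union select username,password from users--",
    "drop table": "q=x'; drop table users--",
}


def matches(rules: dict, text: str) -> list:
    """Return the ids of the rules whose pattern matches text."""
    return sorted(rid for rid, rx in rules.items() if rx.search(text))


# One narrowing that removes the phpwebsite false positive: require the SQL
# keywords to be whole words, so "selected ... deleted from" no longer counts.
TIGHTER_300016 = re.compile(
    r"\bselect\b.+\bfrom\b|\bunion\b.+\bselect\b|\binsert\s+into\b.+\bvalues\b",
    re.IGNORECASE,
)


def report() -> dict:
    """Map each sample to (rules that fire, whether the tighter 300016 fires)."""
    out = {}
    for name, text in {**BENIGN, **ATTACKS}.items():
        out[name] = (matches(COMPILED, text), bool(TIGHTER_300016.search(text)))
    return out


if __name__ == "__main__":
    for name, (fired, tighter) in report().items():
        print(f"{name:24s} fires={fired} tighter_300016={tighter}")
```

The whole-word variant clears the phpwebsite hit, because "selected" and "deleted from" no longer qualify, but it still fires on the constructed webmail sentence: "select the attachments from" is ordinary English as well as SQL. Regex tightening only goes so far, which is why the maintainer asks for audit_log entries and writes per-application exceptions rather than chasing the pattern.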
From centos at kral.no Sat Nov 4 20:33:52 2006
From: centos at kral.no (=?us-ascii?Q?Havard_Hebnes?=)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] False positives
Message-ID: <001501c7007a$73e0a220$800101df@haavard>
Hi.
How can I exclude these two:
==8862686b==============================
Request: www.domain.com ip.ip.ip.ip - - [05/Nov/2006:02:29:01 +0100] "POST /domain/index.php?option=com_pressen&task=ny&get=get
HTTP/1.1" 500 1260 "http://www.domain.com/domain/index.php?option=com_pressen&task=ny" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7" - "-"
----------------------------------------
POST /domain/index.php?option=com_pressen&task=ny&get=get HTTP/1.1
Host: www.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: no,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.domain.com/domain/index.php?option=com_pressen&task=ny
Cookie: mosvisitor=1; 92cda322cee216f2d501218c9e526ca3=-
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "(ht|f)tps?:/" at POST_PAYLOAD [id "300018"] [rev "3"] [msg
"Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]
71
navn=test&url=http%3A%2F%2Ftest&p_email=&p_navn=test&submit=Send+inn%21
HTTP/1.1 500 Internal Server Error
Last-Modified: Tue, 17 Oct 2006 21:02:57 GMT
ETag: "a6c067-4ec-142a8240"
Accept-Ranges: bytes
Content-Length: 1260
Connection: close
Content-Type: text/html
--8862686b--
==2c5f0449==============================
Request: webmail.domain.com ip.ip.ip.ip - - [05/Nov/2006:02:17:10 +0100] "GET
/index.php?url=http%3A%2F%2Fwebmail.domain.com%2Fimp%2Flogin.php%3Fimapuser%3Dsdfsdf%26logout_reason%3Dfailed HTTP/1.1" 500 534
"http://webmail.domain.com/imp/login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909
Firefox/1.5.0.7" - "-"
----------------------------------------
GET /index.php?url=http%3A%2F%2Fwebmail.domain.com%2Fimp%2Flogin.php%3Fimapuser%3Dsdfsdf%26logout_reason%3Dfailed HTTP/1.1
Host: webmail.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: no,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://webmail.domain.com/imp/login.php
Cookie: Horde3=eadbb815331898acb4521311a77f98d2; auth_key=394bcf708a0b9488f90d83980d248cd9; imp_key=428be839678ed748a6677bc38899ab00
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id
"300018"] [rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"]
HTTP/1.1 500 Internal Server Error
Content-Length: 534
Connection: close
Content-Type: text/html; charset=iso-8859-1
--2c5f0449--
From faris at cymru1.net Mon Nov 6 12:48:53 2006
From: faris at cymru1.net (Faris Raouf)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Horde login issue
In-Reply-To: <1162572604.5236.38.camel@localhost.localdomain>
Message-ID: <000601c701cb$d34dd230$0b00a8c0@atlantis>
I'm having a very strange issue at the moment.
Basically logging in under Horde/imp (plesk 7.5.4, Redhat 9) was fine until
I updated my rules to the 20061310 set.
After that, rule 300018 triggers on logging in (and if I remove that rule
from the rules file, others trigger, basically 300013/15/16).
Adding this sort of thing (with variations of the location) to the exclude
file does not help (yes, I am restarting the httpd process)
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
SecFilterRemove 300016
Using SecFilterEngine Off and SecFilterScanPOST Off in the above does not
help.
I've also tried creating an .htaccess file in /usr/share/psa-horde/imp with
the following (or the SecFilterRemove rules) in it. It doesn't help.
SecFilterEngine Off
SecFilterScanPOST Off
A typical audit log entry is as follows:
==9a51b60b==============================
Request: webmail.domain.com xx.xx.xx.xx - - [04/Nov/2006:07:34:51 +0000]
"GET /index.php?url=http%3A%2F%2Fwebmail.domain.com%2F HTTP/1.1" 500 1083
"http://webmail.domain.com/imp/login.php" "Mozilla/5.0 (Macintosh; U; Intel
Mac OS X; en) AppleWebKit/418 (KHTML, like Gecko) Safari/417.9.2"
41Uitz5FPeMAAF@WTSoAAAAM "-"
Handler: type-map
----------------------------------------
GET /index.php?url=http%3A%2F%2Fwebmail.domain.com%2F HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: Horde3=xxxxxxxxxxxxxxxxxxxxxxxxxx; auth_key=xxxxxxxxxxxxxxxxxxxxxx;
imp_key=xxxxxxxxxxxxxxxxxxxxxxx
Referer: http://webmail.domain.com/imp/login.php
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/418
(KHTML, like Gecko) Safari/417.9.2
Connection: keep-alive
Host: webmail.domain.com
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match
"(ht|f)tps?:/" at QUERY_STRING [id "300018"] [rev "3"] [msg "Generic PHP
code injection protection via ARGS"] [severity "CRITICAL"]
HTTP/1.1 500 Internal Server Error
Vary: accept-language
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
--9a51b60b--
What I don't understand is why I'm unable to turn mod_sec off or limit the
rules for this. It is driving me nuts. What am I doing wrong? I must be
doing something really daft.
Thanks,
Faris.
From richard at golivehost.com Wed Nov 8 13:30:10 2006
From: richard at golivehost.com (Richard McLean)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] New RBL feature in mod_security 2.0
Message-ID:
Hi all,
I'd like to start using the RBL features in mod_security 2.0, but I can't
really find much documentation on it. What I'd like to do is check all
POST requests through the xbl.spamhaus.org RBL. Would the
following rule do that?
SecRule REQUEST_METHOD "^POST$" chain
SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org" log,deny
Or is it more complicated than that? Thanks!
cheers,
Richard
From info at 2xs.de Wed Nov 8 14:08:34 2006
From: info at 2xs.de (2XS - Net Connections)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Posting of links
In-Reply-To: <20061103222031.389B99DE@delta.2xs.de>
References: <20061103222031.389B99DE@delta.2xs.de>
Message-ID: <45522B32.70200@2xs.de>
Hi,
I always get an ID 300018 false positive when I post a link, for example
in mediawiki, serendipity comments, ...
Of course "Pattern match "(ht|f)tps?:/" at QUERY_STRING" matches,
because there is an http:// in the post, but does this mean, that it is
impossible to post any links with this rule enabled, or is there a
workaround?
Cheers
Mario
From richard at golivehost.com Wed Nov 8 15:24:25 2006
From: richard at golivehost.com (Richard McLean)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] New RBL feature in mod_security 2.0
In-Reply-To:
References:
Message-ID:
At 5:30 AM +1100 9/11/06, Richard McLean wrote:
>SecRule REQUEST_METHOD "^POST$" chain
>SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org" log,deny
>
>Or is it more complicated than that? Thanks!
Looking further, seems the actions need to be in the first rule, so
I guess that becomes:
SecRule REQUEST_METHOD "^POST$" log,deny chain
SecRule REMOTE_ADDR "@rbl xbl.spamhaus.org"
Any thoughts or corrections to that would be greatly appreciated.
cheers,
Richard
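Richard could not find documentation for the `@rbl` operator. As an added example (my own Python, not ModSecurity or GotRoot code), the following models the standard DNSBL lookup convention that such an operator relies on, gated on POST the way his chained rule is: reverse the IPv4 octets, append the zone, query for an A record, and treat an answer inside 127.0.0.0/8 as "listed" and NXDOMAIN as "not listed". The resolver is injectable so the check runs offline; the addresses, the fake zone contents and the return codes in it are constructed from the documentation ranges, not real Spamhaus data.

```python
"""Model of the DNSBL check behind a `@rbl xbl.spamhaus.org` rule.

Added example for this thread, not ModSecurity code.  The resolver is a
parameter so the logic can be exercised without network access.
"""
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus answers in 127.255.255.x signal a query problem (for example a
# blocked public resolver or excessive queries), not a listing.
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")


def rbl_query_name(ip, zone):
    """'192.0.2.10' + 'xbl.spamhaus.org' -> '10.2.0.192.xbl.spamhaus.org'."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")  # rejects bad input
    return ".".join(reversed(octets)) + "." + zone


def rbl_lookup(ip, zone, resolver=socket.gethostbyname):
    """Return 'listed', 'clean' or 'error' for ip in the given zone."""
    try:
        answer = ipaddress.IPv4Address(resolver(rbl_query_name(ip, zone)))
    except socket.gaierror:
        return "clean"  # NXDOMAIN: the address is not listed
    if answer in ERROR_RANGE:
        return "error"
    return "listed" if answer in LISTED_RANGE else "error"


def decide(method, remote_addr, zone="xbl.spamhaus.org", resolver=socket.gethostbyname):
    """Mirror the chained rule: only POSTs are checked, deny on a listing.

    Lookup errors fail open, so a rate-limited or unreachable RBL cannot
    turn into a denial of every POST on the site.
    """
    if method != "POST":
        return "pass"
    return "deny" if rbl_lookup(remote_addr, zone, resolver) == "listed" else "pass"


# Constructed stand-in for DNS (hypothetical entries, documentation addresses).
FAKE_ZONE = {
    "10.2.0.192.xbl.spamhaus.org": "127.0.0.4",        # constructed listing
    "7.100.51.198.xbl.spamhaus.org": "127.255.255.254",  # constructed error reply
}


def fake_resolver(name):
    """Offline resolver: anything not in FAKE_ZONE behaves like NXDOMAIN."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for method, ip in (("POST", "192.0.2.10"), ("GET", "192.0.2.10"),
                       ("POST", "203.0.113.5"), ("POST", "198.51.100.7")):
        print(method, ip, "->", decide(method, ip, resolver=fake_resolver))
```

Two things the rule text alone does not show: the lookup must fail open on an error reply or a resolver failure, otherwise a throttled RBL denies every POST, and the disruptive action on a chain belongs on the first rule, as Richard's follow-up notes.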
From mirror at prometheus-group.com Sat Nov 11 11:17:23 2006
From: mirror at prometheus-group.com (mirror@prometheus-group.com)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Modsecurity rules update for 20061111
Message-ID: <20061111161723.24178.qmail@plesk.shinn.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
New Release of GotRoot Web Signatures
Diff of /etc/modsecurity/apache2-rules.conf
Diff of /etc/modsecurity/blacklist.conf
531c531
< #SecFilterSelective HTTP_Referer|ARGS "\bby\.ru"
- ---
> SecFilterSelective HTTP_Referer|ARGS "\bby\.ru\b"
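Review bot: line 531 changes two things at once: the appended `\b` stops `by\.ru` matching inside names like `by.run` or `by.rules`, and the dropped leading `#` turns a commented-out rule into an active block on HTTP_Referer|ARGS. If activating it is intended, give it its own line in the release note; if not, keep the `#` and ship only the `\b` tightening.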
7606d7605
< SecFilterSelective HTTP_Referer|ARGS BoiseComputerService\.com
Diff of /etc/modsecurity/proxy.conf
Diff of /etc/modsecurity/rules.conf
38a39,40
> # we exclude GET requests from this because some (automated)
> # clients supply "text/html" as Content-Type
42,47c44,46
< #Block WebDav PUTS
< #Comment this rule out if you need WebDAV
< SecFilterSelective REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:2,msg:'Restricted HTTP function'"
<
< #Generic rule for allowed characters, adjust for your site before activating
< #SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:390002,rev:1,severity:2,msg:'Restricted HTTP character set'"
- ---
> #Generic rule for allowed characters, very broken at the moment, dont use it unless you can fix it
> #Then post your fix eh!
> #SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'"
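Review bot: the replacement reuses id 340002, which the deleted WebDAV PUT rule in this same hunk carried, for the still commented-out character-set rule that previously had id 390002. A site with `SecFilterRemove 340002` in its exclude file to permit PUT would now silently disable the character-set rule instead once it is uncommented, so keep 390002. Two defects in the pattern are also worth fixing before anyone takes up the "post your fix" invitation: `a-zA-z` should read `a-zA-Z` (the `A-z` range also admits `[`, `\`, `]`, `^`, `_` and backtick), and the `chain` action has no following rule to chain to.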
184,185c183
< SecFilterSelective ARGS "(ht|f)tps?:/" chain
< SecFilterSelective HTTP_Referer "!/imp/login\.php"
- ---
> SecFilterSelective ARGS "(ht|f)tps?:/"
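Review bot: dropping the chained `HTTP_Referer "!/imp/login\.php"` line removes the only exemption from 300018, and that exemption was keyed on a Referer header rather than on an application, so the earlier messages in this thread asking how to exclude Horde, MediaWiki and link-submission forms from this rule will see it fire more often, not less. A generic `ARGS "(ht|f)tps?:/"` block is a block on any URL typed into any form. If the rule is to stay generic, document a per-application `SecFilterRemove 300018` in exclude.conf alongside it; otherwise narrow it to parameters that are actually used as include paths, in the per-argument form the `ARG_doc_directory` line removed from jitp.conf at the end of this diff uses.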
187,188c185
< SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" chain
< SecFilterSelective HTTP_Referer "!/imp/login\.php"
- ---
> SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"
Diff of /etc/modsecurity/blacklist2.conf
31d30
< SecFilterSelective THE_REQUEST "(/|\.)molganinovo\.ru/"
Diff of /etc/modsecurity/exclude.conf
10a11,12
> # modsecurity is a trademark of Thinking Stone, Ltd.
> #
46,49d47
<
< SecFilterRemove 300013
<
<
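Review bot: deleting `SecFilterRemove 300013` from the shipped exclude.conf re-enables rule 300013 for every installation that uses the stock file, and 300013 is one of the ids Faris lists above as firing on the Horde/IMP login. If the exclusion is being dropped because 300013 itself was fixed, say so in the release note; otherwise keep it until the rule is narrowed.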
85c83
<
- ---
>
Diff of /etc/modsecurity/rootkits.conf
Diff of /etc/modsecurity/useragents.conf
13c13
< # Version: N-20061014-01
- ---
> # Version: N-20060907-01
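Review bot: the version marker in useragents.conf moves backwards, from N-20061014-01 to N-20060907-01. Either this diff was taken in the wrong direction or the release ships an older useragents.conf, and the next hunk, which deletes the MS WebDAV user-agent rule, reads like a rollback in that light. Confirm the direction and set the marker to the release date.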
232,235d231
<
< #MS WebDav
< #If you do not allow webdav, this is useful to catch some webdav PUT attacks
< SecFilterSelective HTTP_USER_AGENT "Microsoft Data Access Internet Publishing Provider"
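Review bot: this hunk deletes the `Microsoft Data Access Internet Publishing Provider` user-agent rule, and the rules.conf hunk above deletes the `^PUT$` rule, so after this release the set detects WebDAV PUT attempts nowhere. The deleted comment itself says the check is useful where WebDAV is not allowed; leaving the line commented out rather than removed keeps it available to those sites.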
Diff of /etc/modsecurity/exclude.conf
Diff of /etc/modsecurity/badips.conf
Diff of /etc/modsecurity/recons.conf
Diff of /etc/modsecurity/jitp.conf
4453,4455d4452
<
< #
< SecFilterSelective ARG_doc_directory "(ht|f)tps?:/"
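Review bot: the removed `ARG_doc_directory "(ht|f)tps?:/"` check is redundant only while the generic `ARGS "(ht|f)tps?:/"` rule 300018 in rules.conf stays enabled. Sites that remove 300018 because of the false positives discussed in this thread lose coverage of this parameter as well; if that is acceptable, state the dependency in the commit message, otherwise keep the targeted line, which only fires on that one parameter.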
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----
From centos at kral.no Tue Nov 14 17:52:50 2006
From: centos at kral.no (=?US-ASCII?Q?Havard_Hebnes?=)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] False positive
Message-ID: <00f701c7083f$9d05e6c0$800101df@haavard>
Any ideas how I can fix this false positive?
==d356895a==============================
Request: domain.com 00.00.00.00 - - [14/Nov/2006:23:49:18 +0100] "POST /index.php?side=Linker&action=send_inn HTTP/1.1" 500 1262
"http://domain.com/index.php?side=Linker" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025
Firefox/1.5.0.8" - "-"
----------------------------------------
POST /index.php?side=Linker&action=send_inn HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: no,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://domain.com/index.php?side=Linker
Cookie: kjopsalg_cookie=1163544223; SessKey=dc2d615c9a271e56d26acee898507212; linkscookie=1163544223
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "!/imp/login\\.php" at HEADER("Referer") [id "300018"] [rev "3"]
[msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]
71
action=send_inn&url=http%3A%2F%2Fdfdf.com&info=trester&kategori=Diverse
HTTP/1.1 500 Internal Server Error
Last-Modified: Thu, 13 Jul 2006 19:39:03 GMT
ETag: "5c053-4ee-b759c3c0"
Accept-Ranges: bytes
Content-Length: 1262
Connection: close
Content-Type: text/html
--d356895a--
I've tried:
SecFilterRemove 300018
but... that didn't work. Hopefully someone can see what I'm doing wrong? Thanks.
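Mario's and Havard's posts, and Faris's earlier one, all hit rule 300018 on a request that carries a URL in a parameter. As an added example (my own Python, not the GotRoot rules or ModSecurity itself), the following replays the two-line form of the rule quoted in the 20061111 diff, and the single-line form that replaces it, against constructed requests shaped like the audit-log entries in this thread. The ARGS collection is modelled as the percent-decoded query string plus the urlencoded POST body; the request dictionaries, the MediaWiki-style edit and the hostnames in them are constructed.

```python
r"""Replay of GotRoot rule 300018 against constructed requests.

Added example for this thread (not code from the list, the GotRoot rules or
ModSecurity).  It models the two-line rule quoted in the 20061111 diff:

    SecFilterSelective ARGS "(ht|f)tps?:/" chain
    SecFilterSelective HTTP_Referer "!/imp/login\.php"

and, with chained=False, the single-line form that replaces it.
"""
import re
from urllib.parse import parse_qsl, urlsplit

URL_IN_ARG = re.compile(r"(ht|f)tps?:/")        # pattern from the rule
LOGIN_REFERER = re.compile(r"/imp/login\.php")  # the negated chained pattern


def args_of(request):
    """Return (name, value) pairs as the ARGS collection sees them:
    query string plus urlencoded body, percent- and plus-decoded."""
    pairs = parse_qsl(urlsplit(request["uri"]).query, keep_blank_values=True)
    if request.get("body"):
        pairs += parse_qsl(request["body"], keep_blank_values=True)
    return pairs


def rule_300018(request, chained=True):
    """Return the (name, value) argument that triggers the rule, or None.

    chained=True : pre-20061111 form; the chain completes only when the
                   Referer does NOT contain /imp/login.php.
    chained=False: post-20061111 form; any URL in any argument matches.
    """
    hit = next(((n, v) for n, v in args_of(request) if URL_IN_ARG.search(v)), None)
    if hit is None:
        return None
    if chained and LOGIN_REFERER.search(request.get("referer", "")):
        return None  # the chained Referer rule fails, so no match
    return hit


def triage(requests, chained=True):
    """Map each labelled request to the argument that blocks it, or None."""
    return {label: rule_300018(req, chained) for label, req in requests.items()}


# Constructed requests modelled on the audit-log entries in this thread.
SAMPLES = {
    "horde_login": {
        "uri": "/index.php?url=http%3A%2F%2Fwebmail.domain.com%2F",
        "referer": "http://webmail.domain.com/imp/login.php",
    },
    "linker_form": {
        "uri": "/index.php?side=Linker&action=send_inn",
        "referer": "http://domain.com/index.php?side=Linker",
        "body": "action=send_inn&url=http%3A%2F%2Fdfdf.com&info=trester&kategori=Diverse",
    },
    "wiki_edit": {  # MediaWiki-style edit with a link in the text (constructed)
        "uri": "/index.php?title=Sandbox&action=submit",
        "referer": "http://wiki.example/index.php?title=Sandbox&action=edit",
        "body": "wpTextbox1=See+http%3A%2F%2Fexample.org%2F+for+details",
    },
    "plain_get": {"uri": "/index.php?side=Linker", "referer": ""},
}

if __name__ == "__main__":
    for form, chained in (("chained (old)", True), ("single (new)", False)):
        print(form)
        for label, hit in triage(SAMPLES, chained).items():
            verdict = "blocked on %s=%s" % hit if hit else "allowed"
            print("  %-12s -> %s" % (label, verdict))
```

Under the chained form only the Horde login page is exempt, and only because its Referer happens to contain `/imp/login.php`; every other form that submits a link is blocked, which is exactly what the Linker and MediaWiki reports describe. Under the single-line form the Horde login is blocked as well. An exemption keyed on one Referer value is too narrow to be an allowlist, so a site that accepts URLs in forms needs the rule removed for that application rather than a referer-based exception.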
From mike at gotroot.com Mon Nov 27 10:33:31 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Site currently getting slashdotted/diggified
Message-ID: <1164641611.8129.3.camel@localhost.localdomain>
If you can't download the rules from gotroot.com, I apologize as the
gotroot.com site is currently getting slashdotted. Seems someone posted
a link to an old article on the site about bittorrent and TOR, and it's a
tad popular this morning. Sorry for the inconvenience, I'll see what I
can do about mirroring.
If you are an ASL customer, this does not affect you. The ASL download
sites are on their own dedicated hardware and your rule downloads will
not be affected.
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
From mike at gotroot.com Mon Nov 27 11:56:41 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Site currently getting slashdotted/diggified
In-Reply-To: <1164641611.8129.3.camel@localhost.localdomain>
References: <1164641611.8129.3.camel@localhost.localdomain>
Message-ID: <1164646601.9062.6.camel@localhost.localdomain>
Things should be back to normal, or close to it now. I've redirected
the traffic for this wiki article to a digg mirror.
On Mon, 2006-11-27 at 10:33 -0500, Michael Shinn wrote:
> If you can't download the rules from gotroot.com, I apologize as the
> gotroot.com site is currently getting slashdotted. Seems someone posted
> a link to an old article on the site about bittorrent and TOR, and it's a
> tad popular this morning. Sorry for the inconvenience, I'll see what I
> can do about mirroring.
>
> If you are an ASL customer, this does not affect you. The ASL download
> sites are on their own dedicated hardware and your rule downloads will
> not be affected.
>
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com