[Modsecurity] false positive for domino webmail
Cristian Manfredini
c.manfredini at gmail.com
Thu Nov 2 09:49:51 EST 2006
Sure, but I need to delete some private data.
I hope my alteration will not create confusion.
This log causes the exclusion of the rule "300015":
[Thu Nov 02 10:55:32 2006] [error] [client xxx.xx.x.50] mod_security:
Access denied with code 403. Pattern match
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection
protection"] [severity "2"] [hostname "webmail.italian.domain.it"]
[uri "/mail/pop%5CMyUsername.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;Memo"]
This log causes the exclusion of the rule "300016":
[Thu Nov 02 10:58:51 2006] [error] [client xxx.xx.x.50] mod_security:
Access denied with code 500. Pattern match
"(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\\\\(.*from)"
at POST_PAYLOAD [id "300016"] [rev "2"] [msg "Generic SQL injection
protection"] [severity "2"] [hostname "webmail.italian.domain.it"]
[uri "/mail/pop%5CMyUsername.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;Memo"]
This log causes the suggested rule removal in rules.conf:
[Thu Nov 02 11:15:43 2006] [error] [client xxx.xx.x.50] mod_security:
Access denied with code 500. Pattern match
"<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
at POST_PAYLOAD [hostname "webmail.italian.domain.it"] [uri
"/mail/pop%5CMyUsername.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_NotesForm;Memo"]
2006/11/2, Michael Shinn <mike at gotroot.com>:
> Thank you for the report. Can you send me your audit_log entries for
> this false positive? I'll work on a better exception for this issue
> based on your data.
>
> On Thu, 2006-11-02 at 11:39 +0100, Cristian Manfredini wrote:
> > This rule is a false positive for domino 6.5 webmail in N-20060928-01
> > version of rules.conf
> >
> > #Generic XSS filter
> > #please report false positives
> > SecFilterSelective REQUEST_URI "!/mt\.cgi" chain
> > SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
> >
> > Other exclusion rules are:
> >
> > <LocationMatch "/mail">
> > SecFilterRemove 300015
> > SecFilterRemove 300016
> > </LocationMatch>
> >
> --
> Michael T. Shinn KeyID:0xDAE2EC86
> Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
>
> Got Root? http://www.gotroot.com
> modsecurity rules: http://www.modsecurityrules.com
> Troubleshooting Firewalls: http://troubleshootingfirewalls.com
>
>
--
Cristian
_______________
Dott. Cristian Manfredini
Provincia di Reggio Emilia
http://www.cristianmanfredini.it
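To see why the two SecFilterRemove lines inside LocationMatch "/mail" are not enough on their own, here is an added Python example (not part of this thread or of the gotroot rule set) that replays the three POST_PAYLOAD patterns from the log entries against a constructed webmail draft. The [[:space:]] to \s rewrite, case-insensitive matching, and the sample message body are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns copied from the three log entries, with POSIX [[:space:]] written as \s.
# Matching is done case-insensitively here; that is an assumption about the 1.x
# engine, not something the thread states.
@dataclass(frozen=True)
class Rule:
    name: str                      # id from the log, or a label where the rule has none
    pattern: str                   # SecFilter pattern applied to POST_PAYLOAD
    uri_skip: Optional[str] = None # SecFilterSelective REQUEST_URI "!..." guard, if any

RULES = [
    Rule("300015", r"((alter|create|drop)\s+(column|database|procedure|table)|delete\s+from|update.+set.+=)"),
    Rule("300016", r"(insert\s+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk\s+insert|union.+select|convert.+\(.*from)"),
    Rule("generic-xss", r"<\s*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)\s*>",
         uri_skip=r"/mt\.cgi"),
]

# <LocationMatch "/mail"> SecFilterRemove 300015 / SecFilterRemove 300016 </LocationMatch>
LOCATION_REMOVALS = {r"/mail": {"300015", "300016"}}

def fired_rules(uri, payload, rules=RULES, removals=LOCATION_REMOVALS):
    """Return the names of the rules that would block this request, in rule order."""
    removed = set()
    for location_re, ids in removals.items():
        if re.search(location_re, uri):          # LocationMatch is a regex on the path
            removed |= ids
    fired = []
    for rule in rules:
        if rule.name in removed:
            continue                              # SecFilterRemove applied for this location
        if rule.uri_skip and re.search(rule.uri_skip, uri):
            continue                              # the "!/mt\.cgi" chain guard did not hold
        if re.search(rule.pattern, payload, re.IGNORECASE):
            fired.append(rule.name)
    return fired

# Constructed sample: the URI shape from the log plus an ordinary draft that
# happens to talk about SQL and HTML.
WEBMAIL_URI = "/mail/pop%5CMyUsername.nsf/($Drafts)/$new/?EditDocument&Form=h_PageUI"
DRAFT_BODY = ("Hi Marco,\ncould you run this on the staging DB and send me the output?\n"
              "  select name, mail from users where active = 1\n"
              "then update the users table and set the flag = 0 for the rest.\n"
              "The form has a stray <script> tag with no matching </script>.\n")

if __name__ == "__main__":
    print("webmail:", fired_rules(WEBMAIL_URI, DRAFT_BODY))    # only the un-numbered XSS rule
    print("elsewhere:", fired_rules("/cgi-bin/app", DRAFT_BODY))  # all three fire
```

The webmail request still trips the XSS filter because that rule carries no id and so cannot be named in a SecFilterRemove, which is the reason the thread turns to editing rules.conf itself.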