[Modsecurity] false positive for phpwebsite

Michael Shinn mike at gotroot.com
Fri Nov 3 11:50:04 EST 2006


Thank you for the report.  Can you tell me which version of the rules
you are running and which rules?  Also, are you running any other rules
not from gotroot?  

On Thu, 2006-11-02 at 22:03 +0100, Lezgin Bakircioglu wrote:
> PHPWEBSITE 0.10.2
> http://phpwebsite.appstate.edu/
> 
> The sec one only occurs when "translating" is done; phpwebsite is a CMS
> and has the easy feature to easily translate it to several languages.
> 
> ========================================
> Request: 80.217.xx.xx - - [02/Nov/2006:20:31:27 +0100] "POST /index.php
> HTTP/1.1" 500 1215
> Handler: (null)
> ----------------------------------------
> POST /index.php HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel, applica$
> Referer: http://www.notGiven.com/index.php
> Accept-Language: en-us
> Content-Type: application/x-www-form-urlencoded
> XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
> CLR 1.1.4322)
> Host: www.notGiven.com
> Content-Length: 3081
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie:
> c2015d495dce986de881d2c6cbab16a0=047db13d17f3367e433c5609a38e80ce;
> 015b063e12bd831a46d0759581b01f93[users][js_on]=1
> mod_security-message: Access denied with code 500. Pattern match
> "select.+from" at POST_PAYLOAD
> mod_security-action: 500
> 
> 3081
> module=language&lng_adm_op=edit_phrase_action&language=tr&mode=missing&lng_edit_module%5B1055%5D=layout&lng_edit_phrase%5B1055%5D=User+option+updated&lng_edit_translation%5B1055%5D=User+option+updated&lng_edit_id%5B1080%5D=1&lng_edit_module%5B1080%5D=menuman&lng_edit_phrase%5B1080%5D=0&lng_edit_translation%5B1080%5D=0&lng_edit_module%5B1066%5D=menuman&lng_edit_phrase%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_translation%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_module%5B1059%5D=menuman&lng_edit_phrase%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_translation%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_module%5B1065%5D=menuman&lng_edit_phrase%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and+their+sub-items%3F&lng_edit_translation%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and
> +their+sub-items%3F&lng_edit_modullng_edit_phrase%5B1057%5D=Delete+an+image&lng_edit_translation%5B1057%5D=Delete+an+image&lng_edit_module%5B1058%5D=menuman&lng_edit_phrase%5B1058%5D=Delete+Image+Confirmation&lng_edit_translation%5B1058%5D=Delete+Image+Confirmation&lng_edit_module%5B1064%5D=menuman&lng_edit_phrase%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_translation%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_module%5B1062%5D=menuman&lng_edit_phrase%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_translation%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_module%5B1060%5D=menuman&lng_edit_phrase%5B1060%5D=Image+Deleted&lng_edit_translation%5B1060%5D=Image+Deleted&lng_edit_module%5B1078%5D=menuman&lng_edit_phrase%5B1078%5D=no+guest&lng_edit_translation%5B1078%5D=no+guest&lng_edit_module%5B1061%5D=menuman&lng_edit_phrase%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&lng_edit_tran
> slation%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&ln_edit_module%5B1082%5D=menuman&lng_edit_phrase%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_translation%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_module%5B1083%5D=menuman&lng_edit_phrase%5B1083%5D=Visitors&lng_edit_translation%5B1083%5D=Visitors&lng_edit_module%5B1081%5D=menuman&lng_edit_phrase%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_translation%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_module%5B1079%5D=menuman&lng_edit_phrase%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_translation%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_module%5B1073%5D=pagemaster&lng_edit_phrase%5B1073%5D=ATTENTION%21&lng_edit_translation%5B1073%5D=ATTENTION%21&lng_edit_module%5B1074%5D=pagemaster&lng_edit_phrase%5B1074%5D=Edit+Section&lng_edit_translation%5B1074%5D=Edit+Section&lng_edit_module%5B1068%5D=pagemaster&lng_edit_phrase%5B1068%5D=New+Section&lng_edit_translation%5B1068%5D=New+Section&lng_edit_module%
> 5B1067%5D=pagemaster&lng_edit_phrase%5B1067%5D=Remove&lng_edit_translation%5B1067%5D=Remove
-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
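
Why the pattern in the logged mod_security-message fires on this request, as an added example (not part of the original thread and not taken from the gotroot rule set): the script decodes a shortened copy of the POST body and reports which form field matches `select.+from`. The `STRICT` pattern, the shortened body, the SQL sample and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Pattern quoted in the mod_security-message header of the report.
BROAD = re.compile(r"select.+from", re.IGNORECASE)
# Hypothetical tightened pattern: both keywords must be whole words.
STRICT = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE)

# Constructed sample: a few fields shortened from the logged POST body.
BODY = (
    "module=language&lng_adm_op=edit_phrase_action&language=tr"
    "&lng_edit_phrase%5B1066%5D=All+selected+menu+items+and+sub-items"
    "+were+successfully+deleted+from+the+database."
    "&lng_edit_phrase%5B1060%5D=Image+Deleted"
)
# Constructed sample of a payload the rule is meant to catch.
SQL_SAMPLE = "id=1+union+select+password+from+users"


def matching_params(pattern, body):
    """Return names of form fields whose decoded value matches pattern."""
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if pattern.search(value)]


def explain(pattern, payload):
    """Return the substring of the raw payload that matched, or None."""
    m = pattern.search(payload)
    return m.group(0) if m else None


if __name__ == "__main__":
    print("broad rule, fields hit :", matching_params(BROAD, BODY))
    print("broad rule, raw match  :", explain(BROAD, BODY))
    print("strict rule, fields hit:", matching_params(STRICT, BODY))
    print("strict rule on SQL     :", explain(STRICT, SQL_SAMPLE))
```

Word boundaries remove substring hits such as "selected", but ordinary prose that contains both "select" and "from" as whole words would still match the stricter pattern.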


