[Modsecurity] false positive for phpwebsite

Michael Shinn mike at gotroot.com
Fri Nov 3 17:20:18 EST 2006 

Thank you for the follow up.  What happens if you run the latest version
of the rules?  They should not have this problem, but it possible I may
have missed something.  Please let me know how they worked for you.

On Fri, 2006-11-03 at 19:00 +0100, Lezgin Bakircioglu wrote:
> Sorry, remember now that u sent out a mail about report should include that.
> I run the debian package of mod security.
> and rule-Version: N-20060205-01
> I am running almost all rules becide a couple (like one that denys
> google bot etc) and no other rules becide gotroot.
> 
> Michael Shinn skrev:
> > Thank you for the report.  Can you tell me which version of the rules
> > you are running and which rules?  Also, are you running any other rules
> > not from gotroot?  
> > 
> > On Thu, 2006-11-02 at 22:03 +0100, Lezgin Bakircioglu wrote:
> >> PHPWEBSITE 0.10.2
> >> http://phpwebsite.appstate.edu/
> >>
> >> The sec one only occurs when "translating" is done, phpwebsite is an cms
> >> and have the easy feature to easy translate it to several languages.
> >>
> >> ========================================
> >> Request: 80.217.xx.xx - - [02/Nov/2006:20:31:27 +0100] "POST /index.php
> >> HTTP/1.1" 500 1215
> >> Handler: (null)
> >> ----------------------------------------
> >> POST /index.php HTTP/1.1
> >> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> >> application/x-shockwave-flash, application/vnd.ms-excel, applica$
> >> Referer: http://www.notGiven.com/index.php
> >> Accept-Language: en-us
> >> Content-Type: application/x-www-form-urlencoded
> >> XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
> >> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
> >> CLR 1.1.4322)
> >> Host: www.notGiven.com
> >> Content-Length: 3081
> >> Connection: Keep-Alive
> >> Cache-Control: no-cache
> >> Cookie:
> >> c2015d495dce986de881d2c6cbab16a0=047db13d17f3367e433c5609a38e80ce;
> >> 015b063e12bd831a46d0759581b01f93[users][js_on]=1
> >> mod_security-message: Access denied with code 500. Pattern match
> >> "select.+from" at POST_PAYLOAD
> >> mod_security-action: 500
> >>
> >> 3081
> >> module=language&lng_adm_op=edit_phrase_action&language=tr&mode=missing&lng_edit_module%5B1055%5D=layout&lng_edit_phrase%5B1055%5D=User+option+updated&lng_edit_translation%5B1055%5D=User+option+updated&lng_edit_id%5B1080%5D=1&lng_edit_module%5B1080%5D=menuman&lng_edit_phrase%5B1080%5D=0&lng_edit_translation%5B1080%5D=0&lng_edit_module%5B1066%5D=menuman&lng_edit_phrase%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_translation%5B1066%5D=All+selected+menu+items+and+sub-items+were+successfully+deleted+from+the+database.&lng_edit_module%5B1059%5D=menuman&lng_edit_phrase%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_translation%5B1059%5D=Are+you+sure+you+want+delete+the+image+%5Bvar1%5D%3F&lng_edit_module%5B1065%5D=menuman&lng_edit_phrase%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+and+their+sub-items%3F&lng_edit_translation%5B1065%5D=Are+you+sure+you+want+to+delete+these+menu+items+
> and
> >> +their+sub-items%3F&lng_edit_modullng_edit_phrase%5B1057%5D=Delete+an+image&lng_edit_translation%5B1057%5D=Delete+an+image&lng_edit_module%5B1058%5D=menuman&lng_edit_phrase%5B1058%5D=Delete+Image+Confirmation&lng_edit_translation%5B1058%5D=Delete+Image+Confirmation&lng_edit_module%5B1064%5D=menuman&lng_edit_phrase%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_translation%5B1064%5D=Delete+Menu+Items+Confirmation&lng_edit_module%5B1062%5D=menuman&lng_edit_phrase%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_translation%5B1062%5D=File+%5Bvar1%5D+upload+failed.+Contact+your+system+administrator.&lng_edit_module%5B1060%5D=menuman&lng_edit_phrase%5B1060%5D=Image+Deleted&lng_edit_translation%5B1060%5D=Image+Deleted&lng_edit_module%5B1078%5D=menuman&lng_edit_phrase%5B1078%5D=no+guest&lng_edit_translation%5B1078%5D=no+guest&lng_edit_module%5B1061%5D=menuman&lng_edit_phrase%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&lng_edit_
> tran
> >> slation%5B1061%5D=The+image+%5Bvar1%5D+was+successfully+deleted.&ln_edit_module%5B1082%5D=menuman&lng_edit_phrase%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_translation%5B1082%5D=using+%5Bvar1%5D+%28%5Bvar2%5D%29&lng_edit_module%5B1083%5D=menuman&lng_edit_phrase%5B1083%5D=Visitors&lng_edit_translation%5B1083%5D=Visitors&lng_edit_module%5B1081%5D=menuman&lng_edit_phrase%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_translation%5B1081%5D=%5Bvar1%5D+and+%5Bvar2%5D&lng_edit_module%5B1079%5D=menuman&lng_edit_phrase%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_translation%5B1079%5D=%5Bvar1%5D%2C+all+alone.&lng_edit_module%5B1073%5D=pagemaster&lng_edit_phrase%5B1073%5D=ATTENTION%21&lng_edit_translation%5B1073%5D=ATTENTION%21&lng_edit_module%5B1074%5D=pagemaster&lng_edit_phrase%5B1074%5D=Edit+Section&lng_edit_translation%5B1074%5D=Edit+Section&lng_edit_module%5B1068%5D=pagemaster&lng_edit_phrase%5B1068%5D=New+Section&lng_edit_translation%5B1068%5D=New+Section&lng_edit_mod
> ule%
> >> 5B1067%5D=pagemaster&lng_edit_phrase%5B1067%5D=Remove&lng_edit_translation%5B1067%5D=Remove
> >> _______________________________________________
> >> Modsecurity mailing list
> >> Modsecurity at gotroot.com
> >> http://lists.gotroot.com/mailman/listinfo/modsecurity
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com

More information about the Modsecurity mailing list