[Modsecurity] False positives
Havard Hebnes
centos at kral.no
Sat Nov 4 20:33:52 EST 2006
Hi.
How can I exclude these two:
==8862686b==============================
Request: www.domain.com ip.ip.ip.ip - - [05/Nov/2006:02:29:01 +0100] "POST /domain/index.php?option=com_pressen&task=ny&get=get
HTTP/1.1" 500 1260 "http://www.domain.com/domain/index.php?option=com_pressen&task=ny" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7" - "-"
----------------------------------------
POST /domain/index.php?option=com_pressen&task=ny&get=get HTTP/1.1
Host: www.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: no,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.domain.com/domain/index.php?option=com_pressen&task=ny
Cookie: mosvisitor=1; 92cda322cee216f2d501218c9e526ca3=-
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "(ht|f)tps?:/" at POST_PAYLOAD [id "300018"] [rev "3"] [msg
"Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]
71
navn=test&url=http%3A%2F%2Ftest&p_email=&p_navn=test&submit=Send+inn%21
HTTP/1.1 500 Internal Server Error
Last-Modified: Tue, 17 Oct 2006 21:02:57 GMT
ETag: "a6c067-4ec-142a8240"
Accept-Ranges: bytes
Content-Length: 1260
Connection: close
Content-Type: text/html
--8862686b--
==2c5f0449==============================
Request: webmail.domain.com ip.ip.ip.ip - - [05/Nov/2006:02:17:10 +0100] "GET
/index.php?url=http%3A%2F%2Fwebmail.domain.com%2Fimp%2Flogin.php%3Fimapuser%3Dsdfsdf%26logout_reason%3Dfailed HTTP/1.1" 500 534
"http://webmail.domain.com/imp/login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909
Firefox/1.5.0.7" - "-"
----------------------------------------
GET /index.php?url=http%3A%2F%2Fwebmail.domain.com%2Fimp%2Flogin.php%3Fimapuser%3Dsdfsdf%26logout_reason%3Dfailed HTTP/1.1
Host: webmail.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: no,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://webmail.domain.com/imp/login.php
Cookie: Horde3=eadbb815331898acb4521311a77f98d2; auth_key=394bcf708a0b9488f90d83980d248cd9; imp_key=428be839678ed748a6677bc38899ab00
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id
"300018"] [rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"]
HTTP/1.1 500 Internal Server Error
Content-Length: 534
Connection: close
Content-Type: text/html; charset=iso-8859-1
--2c5f0449--
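Added example, not part of the original post: a Python sketch that takes the two mod_security-message lines and the data they inspected from the audit log entries above, replays each logged pattern, and reports the exact substring that matched and the request parameter carrying it. It assumes the log doubles backslashes when printing the pattern and that the rule is evaluated against URL-decoded data; ENTRIES, MESSAGE_RE, URL_SCHEME_RE and explain are names introduced for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# (mod_security-message, inspected data) pairs copied from the two audit log
# entries in the post, with the mail client's line wraps re-joined.
ENTRIES = [
    (r'Access denied with code 500. Pattern match "(ht|f)tps?:/" at POST_PAYLOAD '
     r'[id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] '
     r'[severity "CRITICAL"]',
     "navn=test&url=http%3A%2F%2Ftest&p_email=&p_navn=test&submit=Send+inn%21"),
    (r'Access denied with code 500. Pattern match '
     r'"\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI '
     r'[id "300018"] [rev "1"] [msg "Generic PHP code injection protection"] '
     r'[severity "CRITICAL"]',
     "/index.php?url=http%3A%2F%2Fwebmail.domain.com%2Fimp%2Flogin.php"
     "%3Fimapuser%3Dsdfsdf%26logout_reason%3Dfailed"),
]

MESSAGE_RE = re.compile(
    r'Pattern match "(?P<pattern>.*)" at (?P<location>\w+) '
    r'\[id "(?P<id>\d+)"\] \[rev "(?P<rev>\d+)"\] \[msg "(?P<msg>[^"]*)"\]')
URL_SCHEME_RE = re.compile(r"(ht|f)tps?:/")  # sub-pattern shared by both rules


def explain(message, inspected):
    """Return which rule fired, the exact substring it matched, and the
    request parameters that carry the URL the rule objects to."""
    m = MESSAGE_RE.search(message)
    # Assumption: the log doubles backslashes when it prints the pattern.
    pattern = m["pattern"].replace("\\\\", "\\")
    # Assumption: the rule is evaluated against URL-decoded data.
    hit = re.search(pattern, unquote_plus(inspected))
    query = inspected.partition("?")[2] or inspected
    params = [k for k, v in parse_qsl(query) if URL_SCHEME_RE.search(v)]
    return {"id": m["id"], "rev": m["rev"], "location": m["location"],
            "msg": m["msg"], "matched": hit.group(0) if hit else None,
            "params": params}


if __name__ == "__main__":
    for message, inspected in ENTRIES:
        print(explain(message, inspected))
```

In both entries the only parameter carrying a URL is `url`, whose value is data the applications themselves submit.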