[Modsecurity] False positive
Havard Hebnes
centos at kral.no
Tue Nov 14 17:52:50 EST 2006
Ideas how I can fix this false positive?:
==d356895a==============================
Request: domain.com 00.00.00.00 - - [14/Nov/2006:23:49:18 +0100] "POST /index.php?side=Linker&action=send_inn HTTP/1.1" 500 1262
"http://domain.com/index.php?side=Linker" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025
Firefox/1.5.0.8" - "-"
----------------------------------------
POST /index.php?side=Linker&action=send_inn HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: no,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://domain.com/index.php?side=Linker
Cookie: kjopsalg_cookie=1163544223; SessKey=dc2d615c9a271e56d26acee898507212; linkscookie=1163544223
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "!/imp/login\\.php" at HEADER("Referer") [id "300018"] [rev "3"]
[msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]
71
action=send_inn&url=http%3A%2F%2Fdfdf.com&info=trester&kategori=Diverse
HTTP/1.1 500 Internal Server Error
Last-Modified: Thu, 13 Jul 2006 19:39:03 GMT
ETag: "5c053-4ee-b759c3c0"
Accept-Ranges: bytes
Content-Length: 1262
Connection: close
Content-Type: text/html
--d356895a--
I've tried:
<LocationMatch "/index.php?side=Linker&action=send_inn">
SecFilterRemove 300018
</LocationMatch>
but... that didn't work. Hopefully someone can see what I'm doing wrong? Thanks.
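Added example, not part of the original post: a small Python model of how Apache evaluates `<LocationMatch>`, which is an unanchored regex search over the URL path only, with the query string excluded. Python's `re` stands in for Apache's regex engine, and the helper names and the two comparison patterns are assumptions made for illustration; the request target is the one in the audit log above.

```python
import re
from urllib.parse import urlsplit

# Request target copied from the audit log entry in the post.
REQUEST_TARGET = "/index.php?side=Linker&action=send_inn"

# Candidate <LocationMatch> patterns. The first is the one from the post;
# the other two are constructed here for comparison.
CANDIDATES = {
    "as_posted": "/index.php?side=Linker&action=send_inn",
    "escaped_qmark": r"/index\.php\?side=Linker&action=send_inn",
    "path_only": r"^/index\.php$",
}


def location_match_applies(pattern: str, request_target: str) -> bool:
    """Hypothetical helper modelling <LocationMatch>.

    The query string is dropped before matching, so only the path
    component is searched, and the search is unanchored.
    """
    path = urlsplit(request_target).path
    return re.search(pattern, path) is not None


def evaluate(request_target: str = REQUEST_TARGET) -> dict:
    """Return {candidate name: True/False} for one request target."""
    return {name: location_match_applies(pattern, request_target)
            for name, pattern in CANDIDATES.items()}


if __name__ == "__main__":
    # Unescaped, "php?" means "ph" plus an optional "p"; escaping the "?"
    # does not help either, because the query string is never in the path.
    for name, hit in evaluate().items():
        print(f"{name:14} {CANDIDATES[name]!r:48} -> {hit}")
```

The path-only pattern applies to every request for /index.php whatever its query string, so a section scoped that way covers the whole script rather than only the send_inn action.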