[Modsecurity] Exclude a Rule w/ no ID...Any free IDs to Use?
Steve West
stevewest15 at gmail.com
Sat Oct 28 12:55:58 EDT 2006
Hi,
I'm trying to find out how I can assign an id so I can easily exclude
the following rule (by adding the id and /dwmail/compose.php to the
excludes.conf file):
Here is the Rule:
#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"
Here is the false positive:
==f0bd0d77==============================
Request: xxx.xxx.xxx.xxx xxx.xxx.xxx.239 - - [27/Oct/2006:20:59:48 -0400] "POST /dwmail/compose.php HTTP/1.1" 500 538 "http://xxx.xxx.xxx.xxx/dwmail/compose.php?sessionid=da39ebd39c7b6489a03c212216c64627" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.5))" RUKrg9EI6AoAAA6sCDg "-"
-----------------------------------------
-POST /dwmail/compose.php HTTP/1.1
----------------: ----- -------
Accept: */*
Accept-Language: en-us
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 6332
Content-Type: multipart/form-data; boundary=---------------------------7d62c0102e02a4
Host: xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/dwmail/compose.php?sessionid=da39ebd39c7b6489a03c212216c64627
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; (R1 1.5))
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "(((URL|SRC|HREF|LOWSRC)[\\s]*=)|(url[\\s]*[\\(]))[\\s]*[\\'\"]*[\\x09\\x0a\\x0b\\x0c\\x0d]*j[\\x09\\x0a\\x0b\\x0c\\x0d]*a[\\x09\\x0a\\x0b\\x0c\\x0d]*v[\\x09\\x0a\\x0b\\x0c\\x0d]*a[\\x09\\x0a\\x0b\\x0c\\x0d]*s[\\x09\\x0a\\x0b\\x0c\\x0d]*c[\\x09\\x0a\\x0b\\x0c\\x0d]*r[\\x09\\x0a\\x0b\\x0c\\x0d]*i[\\x09\\x0a\\x0b\\x0c\\x0d]*p[\\x09\\x0a\\x0b\\x0c\\x0d]*t[\\x09\\x0a\\x0b\\x0c\\x0d]*[\\:]" at POST_PAYLOAD [severity "EMERGENCY"]
-------
thx,
SW
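One way to do what the post asks, shown here as an added example that is not part of the original message or of the rule set it uses: ModSecurity 1.9 accepts an "id:n" action on a rule, and a "SecFilterRemove n" directive inside a <Location>/<LocationMatch> container drops that rule for matching URLs only. The id 300900 is a placeholder chosen for this example (check it against the ids already present in every loaded rules file before using it); the rules directory in the grep comment is assumed; and placing the id on the last rule of the chain follows the 1.9 convention that the action list of the last chained rule governs the whole chain. Verify both points against the reference manual of the installed version.

```apache
# Step 1: in the rules file, give the chained rule an id.
# The action list of the LAST rule in a chain applies to the chain, so the id goes there.
# 300900 is a placeholder; before picking a number, list the ids already in use, e.g.
#   grep -rho 'id:[0-9]*' /etc/httpd/modsecurity.d | sort -u      (path assumed)
# and choose one that does not appear.
SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]" "id:300900"

# Step 2: in excludes.conf, remove only that rule, and only for the webmail compose script.
# Rules are inherited into Location containers (SecFilterInheritance defaults to On),
# so every other rule keeps protecting /dwmail/compose.php.
<LocationMatch "^/dwmail/compose\.php">
    SecFilterRemove 300900
</LocationMatch>
```

After editing, run the configuration check (apachectl configtest) and reload, then repeat the compose action that produced the audit entry above: the request should no longer be denied, while the same rule still fires for other paths. Keeping the exclusion scoped to the path, rather than deleting or commenting out the rule, is the point of giving it an id.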