From zeki at zeki.ch  Wed Feb 21 07:32:20 2007
From: zeki at zeki.ch (Zekeria Oezdemir)
Date: Wed, 21 Feb 2007 13:32:20 +0100
Subject: [Modsecurity] false positive
Message-ID: <45DC3BD4.3060806@zeki.ch>

hi there
here a false positiv with a shop based on oscommerce in rules.conf


thanks for fixing,
zeki



***********
==4c3c8c26==============================
Request: www.domain.ch 217.8.212.114 - - [21/Feb/2007:13:20:17 +0100] 
"POST /admin/categories.php?cPath=1&pID=10226&action=new_product_preview 
HTTP/1.1" 500 1266 
"http://www.domain.ch/admin/categories.php?cPath=1&pID=10226&action=new_product" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; i-NavFourF; 
.NET CLR 1.1.4322)" - "-"
----------------------------------------
POST /admin/categories.php?cPath=1&pID=10226&action=new_product_preview 
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/vnd.ms-excel, application/vnd.ms-powerpoint, 
application/msword, application/x-shockwave-flash, */*
Referer: 
http://www.domain.ch/admin/categories.php?cPath=1&pID=10226&action=new_product
Accept-Language: de-ch
Content-Type: multipart/form-data; 
boundary=---------------------------7d728413b09bc
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
i-NavFourF; .NET CLR 1.1.4322)
Host: www.blackberry-shop.ch
Content-Length: 8152
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: osCAdminID=r58n9hf041975iufsv455q6be6
Authorization: Basic dG1lOml0YnNpbmVz
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match 
"!/imp/login\\.php" at HEADER("Referer") [id "300018"] [rev "3"] [msg 
"Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]