From centos at kral.no Mon Jan 15 07:07:22 2007
From: centos at kral.no (Havard Hebnes)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] False positive
Message-ID: <002d01c7389d$b668a240$0800000a@hebnes>

Hello.

Is it possible to fix this false positive? Thanks :)

==da7f6d3a==============================
Request: www.domain.com 00.00.00.00 - - [15/Jan/2007:12:58:08 +0100] "GET
/typo3/tce_db.php?redirect=http%3A%2F%2Fwww.domain.com%2Ftypo3%2Falt_mod_fra
meset.php%3FfW%3D0%26nav%3D%2Ftypo3%2Falt_db_navframe.php%253F%26script%3D..
%252Ftypo3conf%252Fext%252Ftemplavoila%252Fmod1%252Findex.php%26id%3D&cmd[pa
ges][45][delete]=1&prErr=1&vC=d07c42e8dd HTTP/1.1" 500 1254
"http://www.domain.com/typo3/alt_db_navframe.php??currentSubScript=..%2Ftypo
3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php" "Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1" - "-"
----------------------------------------
GET
/typo3/tce_db.php?redirect=http%3A%2F%2Fwww.domain.com%2Ftypo3%2Falt_mod_fra
meset.php%3FfW%3D0%26nav%3D%2Ftypo3%2Falt_db_navframe.php%253F%26script%3D..
%252Ftypo3conf%252Fext%252Ftemplavoila%252Fmod1%252Findex.php%26id%3D&cmd[pa
ges][45][delete]=1&prErr=1&vC=d07c42e8dd HTTP/1.1
Host: www.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1)
Gecko/20061204 Firefox/2.0.0.1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
http://www.domain.com/typo3/alt_db_navframe.php??currentSubScript=..%2Ftypo3
conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php
Cookie: be_typo_user=b8bba60cb507d939ec7ee3e3c17f97e4;
PHPSESSID=133be8338d89ccd86a86c5b9ea417d20
mod_security-action: 500
mod_security-message: Access denied with code 500.
Pattern match
"\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id "300018"]
[rev "1"] [msg "Generic PHP code injection protection"] [severity
"CRITICAL"]

HTTP/1.1 500 Internal Server Error
Last-Modified: Thu, 13 Jul 2006 20:06:43 GMT
ETag: "c022c-4e6-1a4b5ac0"
Accept-Ranges: bytes
Content-Length: 1254
Connection: close
Content-Type: text/html
--da7f6d3a--

From mike at gotroot.com Mon Jan 15 11:26:21 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] False positive
In-Reply-To: <002d01c7389d$b668a240$0800000a@hebnes>
References: <002d01c7389d$b668a240$0800000a@hebnes>
Message-ID: <45ABAB2D.2050704@gotroot.com>

I'll take a look at it shortly and put out a fix. Thanks for the report!

Havard Hebnes wrote:
> Hello.
>
> Is it possible to fix this false positive? Thanks :)
>
> ==da7f6d3a==============================
> Request: www.domain.com 00.00.00.00 - - [15/Jan/2007:12:58:08 +0100] "GET
> /typo3/tce_db.php?redirect=http%3A%2F%2Fwww.domain.com%2Ftypo3%2Falt_mod_fra
> meset.php%3FfW%3D0%26nav%3D%2Ftypo3%2Falt_db_navframe.php%253F%26script%3D..
> "http://www.domain.com/typo3/alt_db_navframe.php??currentSubScript=..%2Ftypo
> 3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php" "Mozilla/5.0 (Windows; U;
> Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1" - "-"
> ----------------------------------------
> GET
> /typo3/tce_db.php?redirect=http%3A%2F%2Fwww.domain.com%2Ftypo3%2Falt_mod_fra
> meset.php%3FfW%3D0%26nav%3D%2Ftypo3%2Falt_db_navframe.php%253F%26script%3D..
> %252Ftypo3conf%252Fext%252Ftemplavoila%252Fmod1%252Findex.php%26id%3D&cmd[pa
> ges][45][delete]=1&prErr=1&vC=d07c42e8dd HTTP/1.1
> Host: www.domain.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1)
> Gecko/20061204 Firefox/2.0.0.1
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
> 0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer:
> http://www.domain.com/typo3/alt_db_navframe.php??currentSubScript=..%2Ftypo3
> conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php
> Cookie: be_typo_user=b8bba60cb507d939ec7ee3e3c17f97e4;
> PHPSESSID=133be8338d89ccd86a86c5b9ea417d20
> mod_security-action: 500
> mod_security-message: Access denied with code 500. Pattern match
> "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id "300018"]
> [rev "1"] [msg "Generic PHP code injection protection"] [severity
> "CRITICAL"]
>
> HTTP/1.1 500 Internal Server Error
> Last-Modified: Thu, 13 Jul 2006 20:06:43 GMT
> ETag: "c022c-4e6-1a4b5ac0"
> Accept-Ranges: bytes
> Content-Length: 1254
> Connection: close
> Content-Type: text/html
> --da7f6d3a--
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
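
Added example, not part of either message above and not the rule author's code: a Python reproduction of why pattern 300018 fires on the reported request, with a hypothetical `triage` helper that labels such an alert by whether the URL in the parameter points at the request's own Host. Assumptions: the doubled backslashes in the alert are log escaping, the engine URL-decodes REQUEST_URI once before matching, and the mail client's line wraps in the URI are rejoined; `OFF_HOST_URI` is constructed for contrast.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Pattern from the alert (id 300018), with the log's doubled backslashes undone.
RULE_300018 = re.compile(r"\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)")

# Request URI from the report, mail line wraps rejoined (assumption).
REPORTED_URI = (
    "/typo3/tce_db.php?redirect=http%3A%2F%2Fwww.domain.com%2Ftypo3%2Falt_mod_fra"
    "meset.php%3FfW%3D0%26nav%3D%2Ftypo3%2Falt_db_navframe.php%253F%26script%3D.."
    "%252Ftypo3conf%252Fext%252Ftemplavoila%252Fmod1%252Findex.php%26id%3D&cmd[pa"
    "ges][45][delete]=1&prErr=1&vC=d07c42e8dd"
)
# Constructed URI whose parameter points at a different host.
OFF_HOST_URI = "/index.php?page=http%3A%2F%2Fother.example%2Fx.txt%3F&a=1"


def rule_matches(uri, decode=True):
    """Search the pattern in the URI, raw or after one URL-decoding pass."""
    return RULE_300018.search(unquote(uri) if decode else uri) is not None


def embedded_urls(uri):
    """(parameter, value) pairs whose decoded value is an http(s)/ftp(s) URL."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if re.match(r"(ht|f)tps?://", v)]


def triage(uri, host_header):
    """Hypothetical analyst helper: label an alert by where the URL points."""
    if not rule_matches(uri):
        return "no-match"
    hosts = {urlsplit(v).hostname for _, v in embedded_urls(uri)}
    if not hosts:
        return "match-without-url-parameter"
    return "same-host" if hosts == {host_header.lower()} else "off-host"


if __name__ == "__main__":
    print("raw match:    ", rule_matches(REPORTED_URI, decode=False))
    print("decoded match:", rule_matches(REPORTED_URI))
    print("parameters:   ", [k for k, _ in embedded_urls(REPORTED_URI)])
    print("reported:     ", triage(REPORTED_URI, "www.domain.com"))
    print("constructed:  ", triage(OFF_HOST_URI, "www.domain.com"))
```

The raw URI does not match because the colon is still `%3A`; only the decoded form puts `=http:/` after `tce_db.php?`, and the nested `?` of the redirect target supplies the trailing `(\?|&)`.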