[Modsecurity] False positive

Michael Shinn mike at gotroot.com
Mon Jan 15 11:26:21 EST 2007 

I'll take a look it shortly and put out a fix.  Thanks for the report!

Havard Hebnes wrote:
> Hello.
> 
> Is it possible to fix this false positive? Thanks :)
> 
> ==da7f6d3a==============================
> Request: www.domain.com 00.00.00.00 - - [15/Jan/2007:12:58:08 +0100] "GET
> /typo3/tce_db.php?redirect=http%3A%2F%2Fwww.domain.com%2Ftypo3%2Falt_mod_fra
> meset.php%3FfW%3D0%26nav%3D%2Ftypo3%2Falt_db_navframe.php%253F%26script%3D..
> %252Ftypo3conf%252Fext%252Ftemplavoila%252Fmod1%252Findex.php%26id%3D&cmd[pa
> ges][45][delete]=1&prErr=1&vC=d07c42e8dd HTTP/1.1" 500 1254
> "http://www.domain.com/typo3/alt_db_navframe.php??currentSubScript=..%2Ftypo
> 3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php" "Mozilla/5.0 (Windows; U;
> Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1" - "-"
> ----------------------------------------
> GET
> /typo3/tce_db.php?redirect=http%3A%2F%2Fwww.domain.com%2Ftypo3%2Falt_mod_fra
> meset.php%3FfW%3D0%26nav%3D%2Ftypo3%2Falt_db_navframe.php%253F%26script%3D..
> %252Ftypo3conf%252Fext%252Ftemplavoila%252Fmod1%252Findex.php%26id%3D&cmd[pa
> ges][45][delete]=1&prErr=1&vC=d07c42e8dd HTTP/1.1
> Host: www.domain.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1)
> Gecko/20061204 Firefox/2.0.0.1
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
> 0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer:
> http://www.domain.com/typo3/alt_db_navframe.php??currentSubScript=..%2Ftypo3
> conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php
> Cookie: be_typo_user=b8bba60cb507d939ec7ee3e3c17f97e4;
> PHPSESSID=133be8338d89ccd86a86c5b9ea417d20
> mod_security-action: 500
> mod_security-message: Access denied with code 500. Pattern match
> "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id "300018"]
> [rev "1"] [msg "Generic PHP code injection protection"] [severity
> "CRITICAL"]
> 
> HTTP/1.1 500 Internal Server Error
> Last-Modified: Thu, 13 Jul 2006 20:06:43 GMT
> ETag: "c022c-4e6-1a4b5ac0"
> Accept-Ranges: bytes
> Content-Length: 1254
> Connection: close
> Content-Type: text/html
> --da7f6d3a--
> 
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity

More information about the Modsecurity mailing list