[Modsecurity] A little problem with excludes

Cristian Livadaru cristian at livadaru.net
Thu Oct 11 05:28:54 EDT 2007 

Hi modsecurity list,

I seem to have a little problem with the excludes

I have this in my Audit log:


==6d394431==============================
Request: www.foo.com 127.0.0.1 - - [11/Oct/2007:09:25:57 +0200]  
"POST /index.php? 
option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f6c69737 
4696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/1.1"  
403 285 "http://www.foo.com/component/option,com_cmsrealty/Itemid,4/ 
openrealty, 
616374696f6e3d656469745f6c697374696e677326616d703b656469743d333639266164 
6d696e3d74727565/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: 
1.8.1.7) Gecko/20070914 Firefox/2.0.0.7" -  
"-"                                                    
----------------------------------------                                 
                        POST /index.php? 
option=com_cmsrealty&Itemid=4&openrealty=616374696f6e3d656469745f6c69737 
4696e677326616d703b656469743d3336392661646d696e3d74727565 HTTP/ 
1.1                                    Host:  
www.foo.com                                                              
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv: 
1.8.1.7) Gecko/20070914 Firefox/ 
2.0.0.7                                                                  
                           Accept: text/xml,application/ 
xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/ 
png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.foo.com/component/option,com_cmsrealty/Itemid,4/ 
openrealty, 
616374696f6e3d656469745f6c697374696e677326616d703b656469743d333639266164 
6d696e3d74727565/
Content-Type: application/x-www-form-urlencoded
Content-Length: 510
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match  
"((alter|create|drop)[[:space:]]+(column|database|procedure|table)| 
delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"]  
[rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]

510
action=update_listing&edit=369&title=Altbau-Miete&pclass%5B% 
5D=4&featured=no&edit_active=yes&mlsexport=no&or_owner=9&notes=&Adresse= 
Staudgasse&Stadt=Wien&Postleitzahl=1180&Preis=530&betr_kosten=&miete=&fu 
ll_desc=Nette+Kleine+Zimmer+und+Kabinett+Wohnung%2C+Einbauk%FCche%2C 
+sehr+ger%E4umig%2C+Fliesenbad%2C+Toilette+Etagenheizung.Ruhelage+und 
+AKH+N% 
E4he&Zimmer=2&Badezimmer=1&year_built=1970&sq_feet=45&status=Aktiv&home_ 
features%5B%5D=Einbauk%FCche&home_features%5B% 
5D=Gasetagenheizung&home_features%5B%5D=Lift

HTTP/1.1 403 Forbidden
Content-Length: 285
Keep-Alive: timeout=15, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--6d394431--


but in excludes.conf I have added:

# cms_realty
<LocationMatch "/index.php\?option=com_cmsrealty.*">
SecFilterRemove 300015
</LocationMatch>

I don't understand why this is still blocking. What am I doing wrong?

Regards, Cristian


--
Cristian Livadaru
http://livadaru.net




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20071011/d84d8b88/attachment.html

More information about the Modsecurity mailing list