[Modsecurity] Gotroot mod_security rules not working with Apache 1.3.37
Michael Shinn
mike at gotroot.com
Tue Sep 4 10:39:02 EDT 2007
Thank you for the additional information.
So is this happening for any and every query? This appears to be
triggering for a localhost query, which is pretty strange itself. Do
you have some kind of unique proxy query going on?
On Mon, 2007-09-03 at 21:05 -0700, Hex Star wrote:
>
>
> On 9/3/07, Michael Shinn <mike at gotroot.com> wrote:
> > Thank you for the report. Can you send me your audit_log entry for
> > this? Without that information, I can't debug your problem.
>
>
>
> Sure, here is its contents:
>
> ==b620372a==============================
> Request: 127.0.0.1 127.0.0.1 - - [03/Sep/2007:21:02:32 -0700] "GET /
> HTTP/1.1" 500 609 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:
> 1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)" - "-"
> ----------------------------------------
> GET / HTTP/1.1
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=
> 0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Accept-Encoding: gzip,deflate
> Accept-Language: en-us,en;q=0.5
> Connection: keep-alive
> Host: localhost
> Keep-Alive: 300
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)
> Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)
> mod_security-action: 500
> mod_security-message: Access denied with code 500. Pattern match
> "((select|grant|delete|insert|drop|alter|replace|truncate|update|
> create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\\*| |\
> \,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|
> a-z|0-9|\\*| |\\,]|\\'|UNION.*SELECT.*FROM)" at ARG("art_id")
> [severity "EMERGENCY"]
>
> HTTP/1.1 500 Internal Server Error
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=iso-8859-1
> --b620372a--
>
> ==ed56221b==============================
> Request: 127.0.0.1 127.0.0.1 - - [03/Sep/2007:21:03:09 -0700] "GET /
> HTTP/1.1" 500 609 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;
> rv:1.8.1.6 ) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)" - "-"
> ----------------------------------------
> GET / HTTP/1.1
> Accept: text/xml,application/xml,application/xhtml
> +xml,text/html;q=0.9,text/plain;q=0.8 ,image/png,*/*;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Accept-Encoding: gzip,deflate
> Accept-Language: en-us,en;q=0.5
> Cache-Control: max-age=0
> Connection: keep-alive
> Host: localhost
> Keep-Alive: 300
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)
> Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)
> mod_security-action: 500
> mod_security-message: Access denied with code 500. Pattern match
> "((select|grant|delete|insert|drop|alter|replace|truncate|update|
> create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\\*| |\
> \,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|
> a-z|0-9|\\*| |\\,]|\\'|UNION.*SELECT.*FROM)" at ARG("art_id")
> [severity "EMERGENCY"]
>
> HTTP/1.1 500 Internal Server Error
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=iso-8859-1
> --ed56221b--
>
> ==0767020c==============================
> Request: 127.0.0.1 127.0.0.1 - - [03/Sep/2007:21:03:10 -0700] "GET /
> HTTP/1.1" 500 609 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;
> rv:1.8.1.6 ) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)" - "-"
> ----------------------------------------
> GET / HTTP/1.1
> Accept: text/xml,application/xml,application/xhtml
> +xml,text/html;q=0.9,text/plain;q=0.8 ,image/png,*/*;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Accept-Encoding: gzip,deflate
> Accept-Language: en-us,en;q=0.5
> Cache-Control: max-age=0
> Connection: keep-alive
> Host: localhost
> Keep-Alive: 300
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)
> Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)
> mod_security-action: 500
> mod_security-message: Access denied with code 500. Pattern match
> "((select|grant|delete|insert|drop|alter|replace|truncate|update|
> create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\\*| |\
> \,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|
> a-z|0-9|\\*| |\\,]|\\'|UNION.*SELECT.*FROM)" at ARG("art_id")
> [severity "EMERGENCY"]
>
> HTTP/1.1 500 Internal Server Error
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=iso-8859-1
> --0767020c--
>
>
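Added example, not part of the original thread: every quoted entry logs the request line `GET /` while the message names ARG("art_id"), so a quick triage step is to check, per audit_log entry, whether the argument named in the message appears in the logged request at all. The sketch below does that for the audit_log layout quoted above; the function names, the second entry (id 0000c0de) and the PATTERN placeholder are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed entries in the audit_log layout quoted above; headers are trimmed
# and the rule pattern is replaced by the placeholder PATTERN.
SAMPLE = """\
==b620372a==============================
Request: 127.0.0.1 127.0.0.1 - - [03/Sep/2007:21:02:32 -0700] "GET / HTTP/1.1" 500 609
----------------------------------------
GET / HTTP/1.1
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "PATTERN" at ARG("art_id") [severity "EMERGENCY"]
--b620372a--

==0000c0de==============================
Request: 127.0.0.1 127.0.0.1 - - [03/Sep/2007:21:05:00 -0700] "GET /view.php?art_id=o'brien HTTP/1.1" 500 609
----------------------------------------
GET /view.php?art_id=o'brien HTTP/1.1
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "PATTERN" at ARG("art_id") [severity "EMERGENCY"]
--0000c0de--
"""

ENTRY = re.compile(r"^==(\w+)=+\n(.*?)^--\1--$", re.S | re.M)
ARG_HIT = re.compile(r'^mod_security-message: .*? at ARG\("([^"]+)"\)', re.S | re.M)

def triage(log_text):
    """Yield (entry_id, request_target, matched_arg, arg_in_query_string)."""
    for entry in ENTRY.finditer(log_text):
        entry_id, body = entry.groups()
        hit = ARG_HIT.search(body)
        if not hit:
            continue  # entry was not produced by an ARG("...") match
        lines = body.splitlines()
        # The raw request line is the first line after the dashed separator.
        sep = next((i for i, l in enumerate(lines) if l.startswith("-----")), None)
        parts = lines[sep + 1].split(" ") if sep is not None and sep + 1 < len(lines) else []
        target = parts[1] if len(parts) >= 2 else ""
        # Only the query string is checked; POST body arguments are out of scope.
        args = parse_qs(urlsplit(target).query, keep_blank_values=True)
        yield entry_id, target, hit.group(1), hit.group(1) in args

def mismatched(log_text):
    """Entry ids whose message names an argument the request line does not carry."""
    return [eid for eid, _, _, present in triage(log_text) if not present]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Entries returned by `mismatched()` are the ones to look at first when a rule fires on requests that carry no such parameter.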