Re: [mod-security-users] Piwik appears to trigger SQL injection attack
From: Organic S. <web...@or...> - 2011-07-21 21:03:19
Still triggers unfortunately. Will send you the whole audit log privately if that would help?
--
Thanks, Organic Spider | Weaving Open Source Technology

----- Original Message -----
From: "Ryan Barnett" <RBa...@tr...>
To: "Organic Spider" <web...@or...>
Cc: "Ryan Barnett" <RBa...@tr...>, mod...@li...
Sent: Thursday, 21 July, 2011 9:20:01 PM
Subject: Re: [mod-security-users] Piwik appears to trigger SQL injection attack

Updated those rules today too - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

I think I will start forwarding my CRS SVN commits to the mail-list.

Ryan

On Jul 21, 2011, at 4:11 PM, Organic Spider <web...@or...> wrote:

> Hi Ryan,
>
> Were you able to see the cookie issue?
> --
> Thanks, Organic Spider | Weaving Open Source Technology
> ----- Original Message -----
>
> From: "Ryan Barnett" <RBa...@tr...>
> To: "Organic Spider" <web...@or...>, mod...@li...
> Sent: Wednesday, 20 July, 2011 8:25:58 PM
> Subject: Re: [mod-security-users] Piwik appears to trigger SQL injection attack
>
> I am finding the same issues with that particular rule when inspecting
> Cookie data. I will be making a modification to that group of rules
> shortly. In the meantime, I would comment out rule ID 973020.
>
> -Ryan
>
> On 7/20/11 3:22 PM, "Organic Spider" <web...@or...> wrote:
>
>> We run Piwik analytics (http://www.piwik.org) and when we enabled the
>> latest crs rules the following was triggered:
>>
>> [Wed Jul 20 20:07:07 2011] [error] [client XXXXXXXXX] ModSecurity: Access
>> denied with code 403 (phase 2). Operator GE matched 4 at
>> TX:restricted_sqli_char_count. [file
>> "/usr/local/apache/conf/modsecurity.d/crs/base_rules/modsecurity_crs_41_sq
>> l_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg
>> "Restricted SQL Character Anomaly Detection Alert - Total # of special
>> characters exceeded"] [data "9"] [hostname "www.XXXXXXXXXXX.com"] [uri
>> "/favicon.ico"] [unique_id "TicnW01JBusAAGLvH0QAAAAK"]
>>
>> On inspection of the audit data I believe the issue is that within the
>> data cookie information is specified:
>>
>> --c249ab3d-A--
>> [20/Jul/2011:20:06:00 +0100] TicnGE1JBusAAGLeaUUAAAAD XXXXXXXXXXXX 49255
>> XXXXXXXXXX 80
>> --c249ab3d-B--
>> GET /templates/versatilepurple/favicon.ico HTTP/1.1
>> Host: www.XXXXXXXXXXXXX.com
>> Connection: keep-alive
>> Accept: */*
>> User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.30 (KHTML, like
>> Gecko) Chrome/12.0.742.122 Safari/534.30
>> Accept-Encoding: gzip,deflate,sdch
>> Accept-Language: en-US,en;q=0.8
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>> Cookie: e14ea84d63616bed2a1f655640c4fcdb=r103a8e79j2s77go4406j8nv04;
>> _pk_ref.3.a8ac=%5B%22%22%2C%22%22%2C1311188753%2C%22http%3A%2F%2Fwww.googl
>> e.co.uk%2Furl%3Fsa%3Dt%26source%3Dweb%26cd%3D4%26sqi%3D2%26ved%3D0CDkQFjAD
>> %26url%3Dhttp%253A%252F%252Fwww.XXXXXXXXXXXXX.com%252F%26rct%3Dj%26q%3DXXX
>> XXX%2520XXXXXX%2520XXXXX%2520XXXXXX%26ei%3DACcnTo-gLs3z-gaN0NSFDA%26usg%3D
>> AFQjCNEq7clDRH5NuO6nkWYNnTHwg18TDw%26sig2%3D91yGrSmokbFQY3hKkVnIiA%22%5D;
>> _pk_id.3.a8ac=f266a671c4a66678.1311188753.1.1311188753.1311188753.;
>> _pk_ses.3.a8ac=*
>>
>> --c249ab3d-F--
>> HTTP/1.1 403 Forbidden
>> Content-Length: 239
>> Keep-Alive: timeout=5, max=97
>> Connection: Keep-Alive
>> Content-Type: text/html; charset=iso-8859-1
>>
>> Any thoughts on how to stop this rule from triggering when it's Piwik
>> tracking data?
>> --
>> Thanks,
>> Organic Spider | Weaving Open Source Technology
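Added example, not part of the thread and not CRS code: a triage sketch that URL-decodes each cookie in a request and counts SQL meta-characters, to show which cookie pushes a request past the threshold of 4 reported in the log line for rule 981173. The character set, the function names and the shortened cookie header are assumptions made for illustration; the rule's actual regular expression is not shown on this page, and the sketch looks only at the Cookie header.

```python
from urllib.parse import unquote

# Assumption: an illustrative set of SQL meta-characters, not the CRS regex.
RESTRICTED = set("'\"`;()[]{}<>=&|!*~^#@,-+")
THRESHOLD = 4  # from the log line: "Operator GE matched 4"

# Constructed sample modelled on the redacted Cookie header in the audit log.
SAMPLE_COOKIE = (
    "sessid=r103a8e79j2s77go4406j8nv04; "
    "_pk_ref.3.a8ac=%5B%22%22%2C%22%22%2C1311188753%2C%22http%3A%2F%2F"
    "www.example.com%2Furl%3Fsa%3Dt%26source%3Dweb%26cd%3D4%22%5D; "
    "_pk_id.3.a8ac=f266a671c4a66678.1311188753.1.1311188753.1311188753.; "
    "_pk_ses.3.a8ac=*"
)


def parse_cookies(header):
    """Split a Cookie header value into (name, raw_value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs


def count_by_cookie(header):
    """URL-decode each cookie value once and count restricted characters."""
    return {name: sum(ch in RESTRICTED for ch in unquote(value))
            for name, value in parse_cookies(header)}


def would_alert(header, threshold=THRESHOLD):
    """True when the request-wide total reaches the rule's threshold."""
    return sum(count_by_cookie(header).values()) >= threshold


def top_contributors(header):
    """Cookie names with a non-zero count, highest count first."""
    counts = count_by_cookie(header)
    return sorted((n for n in counts if counts[n]), key=lambda n: -counts[n])


if __name__ == "__main__":
    for name in top_contributors(SAMPLE_COOKIE):
        print(name, count_by_cookie(SAMPLE_COOKIE)[name])
    print("alert:", would_alert(SAMPLE_COOKIE))
```

On the sample, the `_pk_ref` cookie dominates because its decoded value is a JSON array wrapping a referrer URL, so quotes, brackets, commas and query-string separators all count against it.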