[mod-security-users] False positive "un"-whitelistable
From: David R <re...@li...> - 2012-07-30 13:49:19
Hello,

For a strange reason I cannot manage to whitelist a specific argument...
Below are all the rules I tried, followed by the modsec_audit.log extract.
Any help would be really appreciated.

===
<Location /url/login.php>
SecRuleUpdateTargetById 981318 "!ARGS:email"
</Location>
===
<LocationMatch /url/login.php>
SecRuleUpdateTargetById 981318 "!ARGS:email"
</LocationMatch>
===
SecRule REQUEST_FILENAME "@streq /url/login.php" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981242:!ARGS:email"
===
SecRule REQUEST_URI ".*/url/login.php.*" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981242:!ARGS:email"
===
even this doesn't work:
SecRuleUpdateTargetById 981318 "!ARGS:email"
===
also tried with phase=2 and both phase=1 then phase=2

POST /url/login.php HTTP/1.1
Host: obfuscated.com
Connection: keep-alive
Content-Length: 130
Cache-Control: max-age=0
Origin: http://obfuscated.com
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.11 (KHTML, like Gecko) Ubuntu/10.04 Chromium/17.0.963.79 Chrome/17.0.963.79 Safari/535.11
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://obfuscated.com/url/login.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_language=fr; PHPSESSID=ae90732196ee14953a22ddcbadfeb42f; RT=.2; obfuscated=.web4; obfuscated-comp=0; ysm_bbk1EIOR5LTD5HQOR6UROJ48THLME8=14424707; testing_cookie; __utma=56222831.1398252698.1336980991.1343640089.1343650146.44; __utmb=56222831.8.10.1343650146; __utmc=56222831; __utmz=56222831.1336980991.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

--2fdeee79-C--
option=m&state=200&agefrom=18&ageto=99&sorttype=0&ordertype=0&order=1&email=0%22 &srname=Naonkatite_7&emailaddress=&filtersubmit=GO
--2fdeee79-F--
HTTP/1.1 302 Found
Location: http://obfuscated.com/page_notfound.html
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1

--2fdeee79-H--
Message: [file "/etc/httpd/modsecurity.d/modsecurity_crs_41_sql_injection_attacks.conf"] [line "68"] [id "981318"] [rev "2.2.4"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "\x22"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] Access denied with redirection to http://obfuscated.com/page_notfound.html using status 302 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+| [\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:email.
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1343655283114172 5042 (- - -)
Stopwatch2: 1343655283114172 5042; combined=4123, p1=411, p2=3669, p3=0, p4=0, p5=42, sr=0, sw=1, l=0, gc=0
WAF: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); 201001071602; 201001071602.
Server: Apache/2.2.15 (CentOS
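
Added example, not part of the original post and not ModSecurity code: Python that reads the rule id and target out of the audit-log Message line, replays the logged pattern against the decoded argument, and lists which of the quoted exclusion attempts name a different rule id than the alert. Function names and the abbreviated sample strings are constructed for this example; the space after "|" in the logged pattern is assumed to be a line-wrap artifact.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: fields copied from the audit log H section in the post.
ALERT = ('Message: [id "981318"] [msg "SQL Injection Attack: Common Injection '
         'Testing Detected"] [data "\\x22"] Pattern match "..." at ARGS:email.')
# Constructed sample: abbreviated request body (C section) from the post.
BODY = "option=m&state=200&email=0%22&srname=Naonkatite_7&emailaddress="
# Exclusion attempts quoted in the post, one per line.
EXCLUSIONS = '''
SecRuleUpdateTargetById 981318 "!ARGS:email"
SecRule REQUEST_FILENAME "@streq /url/login.php" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981242:!ARGS:email"
SecRule REQUEST_URI ".*/url/login.php.*" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981242:!ARGS:email"
'''
# Pattern of rule 981318 as logged, with the UTF-8 escapes decoded.
RULE_RE = re.compile("(^[\"'`\u00b4\u2019\u2018;]+|[\"'`\u00b4\u2019\u2018;]+$)")

def parse_alert(message):
    """Return (rule_id, target) from an audit-log Message line."""
    rule_id = re.search(r'\[id "(\d+)"\]', message).group(1)
    target = re.search(r'\bat ([A-Z_]+(?::[^\s.]+)?)\.', message).group(1)
    return rule_id, target

def parse_exclusions(conf):
    """Return (line_no, rule_id, target) for both exclusion syntaxes."""
    static = re.compile(r'^\s*SecRuleUpdateTargetById\s+(\d+)\s+"?!([^"\s]+)')
    ctl = re.compile(r'ctl:ruleUpdateTargetById=(\d+):!([^,"\s]+)')
    found = []
    for no, line in enumerate(conf.strip().splitlines(), 1):
        m = static.search(line) or ctl.search(line)
        if m:
            found.append((no, m.group(1), m.group(2)))
    return found

def mismatches(alert, exclusions):
    """Exclusions that cannot affect the alert: wrong rule id or target."""
    rule_id, target = alert
    return [e for e in exclusions if (e[1], e[2]) != (rule_id, target)]

def offending_value(body, target):
    """Decode the flagged argument and return (value, matched substring)."""
    value = parse_qs(body, keep_blank_values=True)[target.split(":", 1)[1]][0]
    m = RULE_RE.search(value)
    return value, m.group(0) if m else None

if __name__ == "__main__":
    alert = parse_alert(ALERT)
    print(alert, offending_value(BODY, alert[1]))
    for no, rid, tgt in mismatches(alert, parse_exclusions(EXCLUSIONS)):
        print(f"exclusion {no}: names rule {rid} {tgt}, alert is {alert}")
```

The check only compares identifiers between the log and the configuration; it says nothing about directive ordering or scope, which have to be verified against the loaded rule set.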