Thanks,

This is definitely a bug in the Core Rule Set. You can use this rule instead of the one you have, until I issue an additional version of the core rule set:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
        "deny,log,status:501,id:50013,severity:2,msg:'PHP Injection Attack'"

Or for version 1.2:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
        "deny,log,status:501,id:950013,severity:2,msg:'PHP Injection Attack'"

~ Ofer

From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Dan Rossi
Sent: Thursday, November 30, 2006 5:40 AM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] turning off filter for xml in post payload

It seems this rule is trapping XML in POST payloads:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?)" \
        "auditlog,id:50013,phase:2,severity:4,msg:'(default/generic_attacks.conf) PHP Injection Attack'"

Is there a way to allow XML (<?xml) in that rule, or would this be correct?

#SecRule !ARGS:TNO "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"
SecRule ARGS:TNO "!(<\?xml)" "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"

The first one didn't work.
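
An added example, not part of the original thread: a Python regression check that runs the original pattern and the (?!xml) pattern from the reply over constructed request values, to confirm the false positive is gone and see what else the lookahead changes. Python's re module stands in for ModSecurity's regex engine, no transformations are modelled, and the sample values and the names verdicts and report are assumptions.

```python
import re

# Function-name / superglobal alternation common to both rules (copied from the thread).
PHP_TOKENS = (
    r"(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)"
    r"|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)"
    r"|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)"
    r"|\$_(?:(?:pos|ge)t|session))\b"
)

# Original rule: any "<?" matches. Patched rule: "<?" matches unless "xml" follows.
ORIGINAL = re.compile(r"(?:" + PHP_TOKENS + r"|<\?)")
PATCHED = re.compile(r"(?:" + PHP_TOKENS + r"|<\?(?!xml))")

# Constructed sample values, standing in for ARGS content of a POST request.
SAMPLES = {
    "xml declaration": '<?xml version="1.0" encoding="utf-8"?><order><id>7</id></order>',
    "xml-stylesheet PI": '<?xml-stylesheet href="a.xsl"?>',
    "php open tag": "<?php echo 1; ?>",
    "php short tag": "<? echo 1; ?>",
    "xml with fopen in body": '<?xml version="1.0"?><note>use fopen here</note>',
    "plain text": "hello world",
}


def verdicts(value):
    """Return (original_matches, patched_matches) for one inspected value."""
    return (ORIGINAL.search(value) is not None,
            PATCHED.search(value) is not None)


def report(samples=SAMPLES):
    """Map each sample label to its (original, patched) verdict pair."""
    return {label: verdicts(value) for label, value in samples.items()}


if __name__ == "__main__":
    for label, (before, after) in report().items():
        print(f"{label:24} original={before!s:5} patched={after}")
```

The lookahead only exempts the "<?" that is immediately followed by "xml"; an XML body that happens to contain one of the listed function names still matches the patched rule.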