If this is changed, why only the matching section?
If this is a problem with the rule, then all the (’‘) characters in the rule should be changed?
I think if this rule is changed then there are many more rules; for example, 981318 and 981173 have almost the same section in them.


2013/2/26 Ryan Barnett <ryan.barnett@owasp.org>

On 2/26/13 4:44 PM, "yersinia" <yersinia.spiros@gmail.com> wrote:

>Discussion of an issue is good, posting a patch - a merge of a topic
>branch - on github probably could be better.
>
>Best

Agreed.  If we need to update the rule(s), then issuing a PULL request in
GitHub would be best.

-Ryan


>
>2013/2/26, Brian Millett <bmillett@gmail.com>:
>> It is broken when processing the Thai language.
>>
>> In the activated rule modsecurity_crs_41_sql_injection_attacks.conf,
>> the last rule (id 981243) does not work when processing UTF8 character
>> set, in particular the Thai language.  When parsing a text field, this
>> rule is flagged because of the UTF8 not being set even though
>> setvar:tx.crs_validate_utf8_encoding=1 is being set.
>>
>> [Wed Feb 20 11:37:47 2013] [error] [client 156.45.31.186] ModSecurity:
>> Warning. Pattern match
>>
>>"(?i:(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?\\\\*.+(?:x
>>?or|div|like|between|and|id)\\\\W*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\
>>x80\\x98]\\\\d)|(?:\\\\^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|
>>(?:^[\\\\w\\\\s\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98-]+(?<=and\\\
>>\s)(?<=or|xor
>> ..."
>> at ARGS:tex_U361. [file
>>
>>"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injectio
>>n_attacks.conf"]
>> [line "256"] [id "981243"] [msg "Detects classic SQL injection probings
>> 2/2"]
>> [data "Matched Data:
>>
>>\\x99\\xe0\\xb8\\x84\\xe0\\xb8\\xb3\\xe0\\xb8\\x95\\xe0\\xb8\\xad\\xe0\\x
>>b8\\x9a\\xe0\\xb9\\x83\\xe0\\xb8\\x99\\xe0\\xb8\\x8a\\xe0\\xb9\\x88\\xe0\
>>\xb8\\xad\\xe0\\xb8\\x87\\xe0\\xb8\\x97\\xe0\\xb8\\xb5\\xe0\\xb9\\x88\\xe
>>0\\xb9\\x83\\xe0\\xb8\\xab\\xe0\\xb9\\x89\\xe0\\xb9\\x84\\xe0\\xb8\\xa7\\
>>xe0\\xb9\\x89\\xe0\\xb9\\x80\\xe0\\xb8\\x9e\\xe0\\xb8\\xb7\\xe0\\xb9\\x88
>>\\xe0\\xb8\\xad\\xe0\\xb8\\x94\\xe0\\xb8\\xb3\\xe0\\xb9\\x80\\xe0\\xb8\\x
>>99\\xe0\\xb8\\xb4\\xe0\\xb8\\x99
>> found within ARGS:tex_U361:
>>
>>\\xe0\\xb9\\x82\\xe0\\xb8\\x9b\\xe0\\xb8\\xa3\\xe0\\xb8\\x94\\xe0\\xb8\\x
>>9b\\xe0\\xb9\\x89\\xe0\\xb8\\xad\\xe0\\x..."]
>>
>> This is incorrect as the string being parsed is a Thai phrase
>> "การเชื่อมต่ออินเทอร์เน็ตไม่ตอบสนองภายในระยะเวลาที่กำหนด" that does not
>> contain
>> a right single quote, nor a left single quote
>> \\xe2\\x80\\x99\\xe2\\x80\\x98.  However, the phrase, when broken up,
>> does contain a \\x80.
>>
>> The part of the REGEX that is in violation is where the '=>' is below:
>>
>>
>>(?i:(?:[\"'`´’‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´’‘]\d)|
>>     (?:\^[\"'`´’‘])|
>>
>>
>>(?:^[\w\s\"'`´’‘-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)
>>(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|
>>     (?:[\"'`´’‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´’‘\d])|
>> =>  (?:[\"'`´’‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´’‘])|
>>     (?:[\"'`´’‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|
>>     (?:[\"'`´’‘].*?\*\s*?\d)|
>>     (?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|
>>     (?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´’‘][^,]))
>>
>>
>> Testing this REGEX with pcregrep shows that it is because the UTF8
>> flag is not set:
>>
>> BAD:
>> [root@scap pcre-8.31]# echo
>> "การเชื่อมต่ออินเทอร์เน็ตไม่ตอบสนองภายในระยะเวลาที่กำหนด" | pcregrep
>>
>>"(?i:(?:[\"\'\`\´\’\‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"\'\`
>>\´\’\‘]\d)|(?:\^[\"\'\`\´\’\‘])|(?:^[\w\s\"\'\`\´\’\‘-]+(?<=and\s)(?<=or|
>>xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&
>>\&)\w+\()|(?:[\"\'\`\´\’\‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"\'\`\´\’\‘\d])
>>|(?:[\"\'\`\´\’\‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"\'\`\´\’\‘])|(?:[\"\'\`
>>\´\’\‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"\'\`\´\’\‘].*?\*\s*?\d)|(
>>?:[\"\'\`\´\’\‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[(
>>)\*<>%+-][\w-]+[^\w\s]+[\"\'\`\´\’\‘][^,]))"
>> การเชื่อมต่ออินเทอร์เน็ตไม่ตอบสนองภายในระยะเวลาที่กำหนด
>>
>> GOOD:
>> [root@scap pcre-8.31]# echo
>> "การเชื่อมต่ออินเทอร์เน็ตไม่ตอบสนองภายในระยะเวลาที่กำหนด" | pcregrep -u
>>
>>"(?i:(?:[\"\'\`\´\’\‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"\'\`
>>\´\’\‘]\d)|(?:\^[\"\'\`\´\’\‘])|(?:^[\w\s\"\'\`\´\’\‘-]+(?<=and\s)(?<=or|
>>xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&
>>\&)\w+\()|(?:[\"\'\`\´\’\‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"\'\`\´\’\‘\d])
>>|(?:[\"\'\`\´\’\‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"\'\`\´\’\‘])|(?:[\"\'\`
>>\´\’\‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"\'\`\´\’\‘].*?\*\s*?\d)|(
>>?:[\"\'\`\´\’\‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[(
>>)\*<>%+-][\w-]+[^\w\s]+[\"\'\`\´\’\‘][^,]))"
>>
>>
>> Turning on UTF8 still allows for that rule to work correctly as this
>> example shows:
>>
>> [root@scap pcre-8.31]# echo "’ @# #$% ‘" | pcregrep -u
>>
>>"(?i:(?:[\"\'\`\´\’\‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"\'\`
>>\´\’\‘]\d)|(?:\^[\"\'\`\´\’\‘])|(?:^[\w\s\"\'\`\´\’\‘-]+(?<=and\s)(?<=or|
>>xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&
>>\&)\w+\()|(?:[\"\'\`\´\’\‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"\'\`\´\’\‘\d])
>>|(?:[\"\'\`\´\’\‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"\'\`\´\’\‘])|(?:[\"\'\`
>>\´\’\‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"\'\`\´\’\‘].*?\*\s*?\d)|(
>>?:[\"\'\`\´\’\‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[(
>>)\*<>%+-][\w-]+[^\w\s]+[\"\'\`\´\’\‘][^,]))"
>> ’ @# #$% ‘
>>
>>
>> Fix is to change the REGEX to turn on UTF8 for that area, or change
>>
>> (?:[\"\'\`\´\’\‘]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"\'\`\´\’\‘]) to be
>>
>>(?:[\"\'\`\´(*UTF8)\X{2018}(*UTF8)\X{2019}]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[
>>\"\'\`\´(*UTF8)\X{2018}(*UTF8)\X{2019}])
>>
>> The (*UTF8)\X{2018} set the UTF8 flag.
>>
>> Testing shows that a valid test still gets flagged, but the Thai phrase
>> does not:
>>
>> [root@scap pcre-8.31]# echo "’@##$%‘" | pcregrep --color
>>
>>"(?i:(?:[\"\'\`\´\’\‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"\'\`
>>\´\’\‘]\d)|(?:\^[\"\'\`\´\’\‘])|(?:^[\w\s\"\'\`\´\’\‘-]+(?<=and\s)(?<=or|
>>xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&
>>\&)\w+\()|(?:[\"\'\`\´\’\‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"\'\`\´\’\‘\d])
>>|(?:[\"\'\`\´(*UTF8)\X{2018}(*UTF8)\X{2019}]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?
>>[\"\'\`\´(*UTF8)\X{2018}(*UTF8)\X{2019}])|(?:[\"\'\`\´\’\‘]\s*?[^\w\s]+\s
>>*?[\W\d].*?(?:#|--))|(?:[\"\'\`\´\’\‘].*?\*\s*?\d)|(?:[\"\'\`\´\’\‘]\s*?(
>>x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s
>>]+[\"\'\`\´\’\‘][^,]))"
>> ’@##$%‘
>> [root@scap pcre-8.31]# echo
>> "การเชื่อมต่ออินเทอร์เน็ตไม่ตอบสนองภายในระยะเวลาที่กำหนด" | pcregrep
>>--color
>>
>>"(?i:(?:[\"\'\`\´\’\‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"\'\`
>>\´\’\‘]\d)|(?:\^[\"\'\`\´\’\‘])|(?:^[\w\s\"\'\`\´\’\‘-]+(?<=and\s)(?<=or|
>>xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&
>>\&)\w+\()|(?:[\"\'\`\´\’\‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"\'\`\´\’\‘\d])
>>|(?:[\"\'\`\´(*UTF8)\X{2018}(*UTF8)\X{2019}]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?
>>[\"\'\`\´(*UTF8)\X{2018}(*UTF8)\X{2019}])|(?:[\"\'\`\´\’\‘]\s*?[^\w\s]+\s
>>*?[\W\d].*?(?:#|--))|(?:[\"\'\`\´\’\‘].*?\*\s*?\d)|(?:[\"\'\`\´\’\‘]\s*?(
>>x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s
>>]+[\"\'\`\´\’\‘][^,]))"
>>
>>
>> Correct Rule then is (sorry for the wrap)
>>
>> SecRule
>>
>>REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES
>>|ARGS|XML:/*
>>
>>"(?i:(?:[\"'`´’‘]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`´’‘]\d)
>>|(?:\^[\"'`´’‘])|(?:^[\w\s\"'`´’‘-]+(?<=and\s)(?<=or|xor|div|like|between
>>|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`´’
>>‘][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`´’‘\d])|(?:[\"'`´(*UTF8)\X{2018}(*UTF
>>8)\X{2019}]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`´(*UTF8)\X{2018}(*UTF8)\X{2
>>019}])|(?:[\"'`´’‘]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`´’‘].*?\*\
>>s*?\d)|(?:[\"'`´’‘]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?
>>:[()\*<>%+-][\w-]+[^\w\s]+[\"'`´’‘][^,]))"
>> "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects classic SQL
>> injection probings
>> 2/2',id:'981243',tag:'OWASP_CRS/WEB_ATTACK/SQLI',logdata:'Matched Data:
>> %{TX.0} found within %{MATCHED_VAR_NAME}:
>>
>>%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setva
>>r:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomal
>>y_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_nam
>>e}=%{tx.0}'"
>>
>> --
>> Brian Millett
>> "I suppose there'll be a war now, hmm? All that running around and
>>  shooting one another. You would have thought sooner or later it would
>>  go out of fashion."
>>    -- [ Londo, "The Gathering"]
>>
>>
>>-------------------------------------------------------------------------
>>-----
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics
>> Download AppDynamics Lite for free today:
>> http://p.sf.net/sfu/appdyn_d2d_feb
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>>
>
>--
>Sent from my mobile device
>



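Added example, not code from this thread or from the CRS project: a Python script that reproduces the mechanism being discussed, with Python's re module standing in for PCRE (a bytes pattern behaves like a pattern compiled without the UTF flag, a str pattern like one compiled with it). It takes the fifth alternative of rule 981243 (the one marked '=>' above), runs it over the Thai phrase and the ’ @# #$% ‘ probe from the thread, and decodes the \x-escaped "Matched Data" fragment from the quoted alert to show that the logged match begins on a UTF-8 continuation byte, i.e. inside a Thai character rather than on a quote. Only the first few bytes of the logged Matched Data are embedded; all variable and function names are this example's own. Two PCRE facts to keep in mind when turning this into a rule change: (*UTF8) is only recognised at the very start of a pattern, and the code-point escape is \x{2019}, whereas \X is PCRE's extended-grapheme-cluster escape and is not special inside a character class, so the UTF-8 switch belongs at the head of the whole expression rather than inside one class. Because the byte-level behaviour comes from the class itself, any rule whose class contains the same multibyte literals is affected in the same way.

```python
import re

# Quote characters in the rule's class. The last three (U+00B4, U+2019, U+2018)
# are multibyte in UTF-8, which is the whole problem.
QUOTES = "\"'`´’‘"
QUOTES_UTF8 = QUOTES.encode("utf-8")   # b'"\'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98'

# Fifth alternative of rule 981243 (marked '=>' in the thread), minus the quote
# classes, which are substituted below. Names in this file are the example's own.
_BODY = r"\s*?[^\w\s?]+\s*?[^\w\s]+\s*?"

# "UTF-8 compile": the class holds six code points and \w is Unicode-aware.
ALT5_UNICODE = re.compile("[" + QUOTES + "]" + _BODY + "[" + QUOTES + "]")

# "Non-UTF compile": the class holds the nine individual BYTES of the six
# characters, so 0x80, 0x98, 0x99, 0xb4, 0xc2 and 0xe2 each match on their own.
ALT5_BYTES = re.compile(b"[" + QUOTES_UTF8 + b"]" + _BODY.encode("ascii")
                        + b"[" + QUOTES_UTF8 + b"]")

# Inputs taken from the thread: the phrase that was flagged and the probe that
# must keep matching after any fix.
THAI = "การเชื่อมต่ออินเทอร์เน็ตไม่ตอบสนองภายในระยะเวลาที่กำหนด"
PROBE = "’ @# #$% ‘"

# First bytes of the "Matched Data" from the alert quoted in the thread, in
# ModSecurity's \xHH log escaping.
LOG_MATCHED_DATA = r"\x99\xe0\xb8\x84\xe0\xb8\xb3\xe0\xb8\x95\xe0\xb8\xad\xe0\xb8\x9a"


def unicode_mode_match(text: str):
    """Match as a UTF-8 compiled pattern does; returns the matched text or None."""
    m = ALT5_UNICODE.search(text)
    return m.group(0) if m else None


def byte_mode_match(text: str):
    """Match byte by byte, as a pattern compiled without the UTF flag does."""
    m = ALT5_BYTES.search(text.encode("utf-8"))
    return m.group(0) if m else None


def unescape_modsec(escaped: str) -> bytes:
    """Turn ModSecurity's \\xHH log escaping back into the raw bytes it logged."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), escaped).encode("latin-1")


def analyse_matched_data(escaped: str):
    """Return (starts_mid_character, decoded_text) for a logged Matched Data value.

    A leading byte of the form 10xxxxxx is a UTF-8 continuation byte, so the
    match started inside a multibyte character, not on a quote character.
    """
    raw = unescape_modsec(escaped)
    mid_char = bool(raw) and (raw[0] & 0xC0) == 0x80
    return mid_char, raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for label, text in (("Thai phrase", THAI), ("probe", PROBE)):
        print(f"{label}: bytes-mode={byte_mode_match(text)!r} "
              f"unicode-mode={unicode_mode_match(text)!r}")
    mid, decoded = analyse_matched_data(LOG_MATCHED_DATA)
    print(f"alert match starts mid-character: {mid}; data decodes to {decoded!r}")
```

Run as-is: the Thai phrase matches only in byte mode, and the byte-mode match starts on the 0x80 byte of the first "เ" (U+0E40, encoded e0 b9 80), while the probe matches in both modes. The decoded log fragment begins with a lone 0x99 (the trailing byte of "น", U+0E19) followed by "คำตอบ", which is what the alert's Matched Data looks like once unescaped.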