Hey Deanna,
On Mon, Mar 26, 2018 at 11:12:20AM -0600, Deanna Stevenson wrote:
> 8d85025e-H-- Message: Warning. Pattern match "(?i:(?:[\\d\\W]\\s+as\\s*?[\"
> '`\\w]+\\s*?from)|(?:^[\\W\\d]+\\s*?(?:union|select|create|
> rename|truncate|load|alter|delete|update|insert|desc)\\b)
> |(?:(?:select|create|rename|truncate|load|alter|delete|
> update|insert|desc)\\s+(?:(?:group_)concat|char|load ..." at ARGS:address1.
> [file "/etc/modsec/sitebuyprod/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
> [line "451"] [id "942360"] [rev "2"] [msg "Detects concatenated basic SQL
> injection and SQLLFI attempts"] *[data "Matched Data: 1922 ALTER found
> within ARGS:address1: 1922 ALTER St PHILADELPHIA, PA 19146"*] [severity
> "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag
> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
> "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag
> "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag
> "PCI/6.5.2"]
You stumbled over this false positive here:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/997
You are far from the only one. It's just funny it took people almost a year to
respond and since then, wherever we look, there is this FP.
The 3.1/dev tree has an update to this rule merged in
https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1013
It's probably best to use this updated rule file.
Good luck and sorry for the inconvenience.
Christian
--
Trust leaves on horseback but returns on foot.
-- Donald Rumsfeld
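A reproduction of the 942360 false positive discussed above, added here as an illustration and not part of the thread or of the CRS project: it runs the first two alternatives of the rule's pattern, copied from the quoted log (the third alternative is cut off in the log and omitted), over constructed address values to show why "1922 ALTER St" trips the `^[\W\d]+\s*?(?:...|alter|...)\b` branch while a similar address does not.

```python
import re

# The first two alternatives of the CRS 3.0.0 rule 942360 pattern, as quoted
# in the audit log excerpt above. The third alternative is truncated in the
# log ("load ..."), so it is deliberately left out of this reproduction.
RULE_942360_PREFIX = re.compile(
    r"(?i:(?:[\d\W]\s+as\s*?[\"'`\w]+\s*?from)"
    r"|(?:^[\W\d]+\s*?(?:union|select|create|rename|truncate|load|alter"
    r"|delete|update|insert|desc)\b))"
)


def matched_data(value: str):
    """Return the substring ModSecurity would log as 'Matched Data', or None."""
    m = RULE_942360_PREFIX.search(value)
    return m.group(0) if m else None


def classify(values):
    """Map each input to its matched fragment (None when the rule stays quiet)."""
    return {v: matched_data(v) for v in values}


# Constructed sample values for ARGS:address1; only the first one is taken
# from the report, the rest are made up to probe the pattern's edges.
SAMPLES = [
    "1922 ALTER St PHILADELPHIA, PA 19146",  # reported address -> "1922 ALTER"
    "45 Union Ave",                           # street name that is also a keyword
    "1922 Alternate St",                      # 'Alter' has no trailing \b, no hit
    "500 Main St",                            # ordinary address, no hit
    "1 UNION SELECT password FROM users",     # injection-shaped input the rule targets
]

if __name__ == "__main__":
    for value, hit in classify(SAMPLES).items():
        print(f"{'HIT' if hit else 'ok '} {value!r:42} -> {hit!r}")
```

The leading `[\W\d]+` swallows the house number and the following space, so any street name that happens to be a keyword followed by a word boundary is reported as matched data, which is exactly the shape of the address in the log.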