Re: [mod-security-users] Rule breaks access to website
From: Madden, J. <Joe...@mo...> - 2019-10-10 07:54:10
Hi All,

So adding pass works but it doesn't work as expected.

For example, I have a login page and I use ''''select * fromusers '''' to trigger the SQL injection rule 942190

With this in place:

# Never log passwords
SecAction "nolog,pass,phase:2,id:131,sanitiseArg:password,sanitiseArg:newPassword,sanitiseArg:oldPassword"

The website is accessible, but the log entry is not sanitised:

Message: Warning. Pattern match "(?i:(?:[\"'`](?:;?\\s*?(?:having|select|union)\\b\\s*?[^\\s]|\\s*?!\\s*?[\"'`\\w])|(?:c(?:onnection_id|urrent_user)|database)\\s*?\\([^\\)]*?|u(?:nion(?:[\\w(\\s]*?select| select @)|ser\\s*?\\([^\\)]*?)|s(?:chema\\s*?\\([^\\)]*?|elect.*?\\w?user\\()|in ..." at ARGS:password. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "190"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: 'select* found within ARGS:password: ''''select* fromusers''''"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Am I missing something in order to blank out the matched data fields?

Thanks
Joe.

-----Original Message-----
From: Madden, Joe via mod-security-users <mod...@li...>
Sent: 10 October 2019 08:21
To: mod...@li...
Cc: Madden, Joe <Joe...@mo...>
Subject: Re: [mod-security-users] Rule breaks access to website

Thank you all - I'll give it a try today!

Joe.

-----Original Message-----
From: Reindl Harald <h.r...@th...>
Sent: 09 October 2019 15:53
To: mod...@li...
Subject: Re: [mod-security-users] Rule breaks access to website

On 09.10.19 at 16:28, Madden, Joe via mod-security-users wrote:
> Hi there,
>
> I was kinda following this example here:
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSpiderLabs%2FModSecurity%2Fwiki%2FReference-Manual-(v2.x&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca061d2cc4db8481a7d2408d74d52861e%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=eAKku%2FES4qBTsxoMbh7Gjj6cGfdD6TxWOuqi5YsZtb0%3D&reserved=0)
>
> Where would the pass go just after nolog,?

it doesn't matter

,phase:1,pass,nolog,
,phase:1,nolog,pass,
,pass,phase:1,nolog,

it's all the same

_______________________________________________
mod-security-users mailing list
mod...@li...
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Fmod-security-users&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca061d2cc4db8481a7d2408d74d52861e%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=PmFMFalMqGYPt5fbg%2FP1%2B7JzuPrb7fyQyriU8NkKtjY%3D&reserved=0
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.modsecurity.org%2Fprojects%2Fcommercial%2Frules%2F&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca061d2cc4db8481a7d2408d74d52861e%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=7f654dDQwtspGxvh7FlJnORKrY4tBe%2FjdT5okic5dhg%3D&reserved=0
https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.modsecurity.org%2Fprojects%2Fcommercial%2Fsupport%2F&data=01%7C01%7Cjoe.madden%40mottmac.com%7Ca061d2cc4db8481a7d2408d74d52861e%7Ca2bed0c459574f73b0c2a811407590fb%7C0&sdata=1yn8Q3vNZ11lPxUWsDcCtB6utZbUKEe4%2FwpOu6zHkns%3D&reserved=0
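
Added example, not part of the thread and not ModSecurity code: a Python filter that masks the [data "Matched Data: ..."] field of a log line when it quotes one of the arguments named in the SecAction above, for use where log lines are copied or shipped onward. It assumes the message layout shown in Joe's log entry; redact_line, redact_log and the sample lines are constructed for illustration.

```python
import re

# Argument names from the sanitiseArg actions in the thread's SecAction.
SENSITIVE_ARGS = ("password", "newPassword", "oldPassword")

# Body of a [data "..."] field; backslash-escaped characters are allowed inside
# it (assumption about the log escaping, not stated in the thread).
DATA_FIELD = re.compile(r'\[data "((?:[^"\\]|\\.)*)"\]')

# "found within ARGS:<name>:" for a sensitive name, compared case-insensitively.
SENSITIVE_SOURCE = re.compile(
    r"found within ARGS:(%s):" % "|".join(map(re.escape, SENSITIVE_ARGS)),
    re.IGNORECASE,
)


def redact_line(line):
    """Mask the [data] field of one log line if it quotes a sensitive argument.

    The whole field body is replaced instead of being parsed, so a value that
    itself contains ' found within ' cannot leave a fragment behind.
    """
    def mask(field):
        hit = SENSITIVE_SOURCE.search(field.group(1))
        if hit is None:
            return field.group(0)  # other argument: keep the field as logged
        return ('[data "Matched Data: [REDACTED] found within ARGS:%s: [REDACTED]"]'
                % hit.group(1))
    return DATA_FIELD.sub(mask, line)


def redact_log(lines):
    """Return (redacted lines, number of lines that were changed)."""
    out = [redact_line(line) for line in lines]
    return out, sum(1 for before, after in zip(lines, out) if before != after)


# Constructed sample: line 1 is shortened from the entry in the thread, line 2
# is a made-up hit on a non-sensitive argument named q.
SAMPLE = [
    """Message: Warning. Pattern match "..." at ARGS:password. [id "942190"] """
    """[data "Matched Data: 'select* found within ARGS:password: """
    """''''select* fromusers''''"] [severity "CRITICAL"]""",
    """Message: Warning. Pattern match "..." at ARGS:q. [id "942190"] """
    """[data "Matched Data: 'select* found within ARGS:q: 'select* x"] """
    """[severity "CRITICAL"]""",
]

if __name__ == "__main__":
    print("\n".join(redact_log(SAMPLE)[0]))
```

The filter fails closed: a value in another argument that imitates the "found within ARGS:password:" text only causes that field to be masked as well.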