[mod-security-users] UTF8 false positive?
From: Joakim S. <jo...@as...> - 2007-05-29 20:50:05
Hi,

I have implemented the Core rules dev version, with the rule:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',,id:'950801',severity:'4'"

Now when my mother-in-law, who has her domain on my server, tries to send an email from her Squirrelmail application, in some cases the above rule triggers. An important part of the fact is that she is Czech and uses a Czech version of XP and Firefox, and not all but just some emails trigger this rule.

I am trying to work with her to figure out what specifically in her emails triggers this, but for some strange reason her failures show up in the apache error log while so far only 1 of these has made it to the security console??? These are her last 4 entries in the error log:

[Tue May 29 21:18:45 2007] [error] [client 83.208.28.51] ModSecurity: Access denied with code 400 (phase 2). Invalid Unicode encoding: invalid byte value in character. [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.gentura.cz"] [uri "/webmail/src/compose.php"] [unique_id "u-ykKtXi4EIAABOQrJ0AAAAR"]
[Tue May 29 21:50:25 2007] [error] [client 83.208.28.51] ModSecurity: Access denied with code 400 (phase 2). Invalid Unicode encoding: invalid byte value in character. [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.gentura.cz"] [uri "/webmail/src/move_messages.php"] [unique_id "LT7YD9Xi4EIAABOSrSkAAABY"]
[Tue May 29 22:00:03 2007] [error] [client 83.208.28.51] ModSecurity: Access denied with code 400 (phase 2). Invalid Unicode encoding: invalid byte value in character. [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.gentura.cz"] [uri "/webmail/src/compose.php"] [unique_id "T6r20NXi4EIAABOQrMQAAAAQ"]
[Tue May 29 22:01:01 2007] [error] [client 83.208.28.51] ModSecurity: Access denied with code 400 (phase 2). Invalid Unicode encoding: invalid byte value in character. [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.gentura.cz"] [uri "/webmail/src/compose.php"] [unique_id "Ux84-tXi4EIAABOQrMUAAAAJ"]

But only the second one has been seen in the console. I am not sure if this will display properly here, but this is the request body of that call as copied from the console:

msg=&mailbox=INBOX.Trash&startMessage=1&targetMailbox=INBOX.lektori&moveButton=P%F8esunout&location=%2Fwebmail%2Fsrc%2Fright_main.php%3FPG_SHOWALL%3D0%26sort%3D0%26startMessage%3D1%26mailbox%3DINBOX.Trash&msg%5B0%5D=174

I am not able to judge whether there is something wrong with this coding and, if so, whether it's Squirrelmail to blame or something else on my server?

Regards,
Joakim
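Added example, not part of Joakim's post or of ModSecurity/CRS: a small Python script that URL-decodes the quoted request body parameter by parameter, reports which value fails strict UTF-8 validation (the check @validateUtf8Encoding performs) and shows how the same bytes read under the single-byte Central European charsets a Czech locale typically submits in. The reconstructed body (console line-wrap markers removed) and the charset candidates ISO-8859-2 and Windows-1250 are assumptions.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: the request body quoted in the post, re-joined on one line.
BODY = (
    "msg=&mailbox=INBOX.Trash&startMessage=1&targetMailbox=INBOX.lektori"
    "&moveButton=P%F8esunout"
    "&location=%2Fwebmail%2Fsrc%2Fright_main.php%3FPG_SHOWALL%3D0%26sort%3D"
    "0%26startMessage%3D1%26mailbox%3DINBOX.Trash&msg%5B0%5D=174"
)


def first_invalid_utf8(data: bytes):
    """Return (offset, byte) of the first byte at which strict UTF-8 decoding
    fails, or None when the whole buffer is well-formed UTF-8."""
    try:
        data.decode("utf-8")
        return None
    except UnicodeDecodeError as err:
        return err.start, data[err.start]


def check_args(body: str):
    """URL-decode every parameter value (as the ARGS collection sees it) and
    return {name: (offset, bad_byte, raw_value)} for each value that would be
    rejected by a UTF-8 validity check."""
    findings = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        raw = unquote_to_bytes(value.replace("+", " "))
        bad = first_invalid_utf8(raw)
        if bad is not None:
            findings[name] = (bad[0], bad[1], raw)
    return findings


def read_as_legacy(raw: bytes, candidates=("iso-8859-2", "cp1250")):
    """Decode the same bytes under assumed single-byte charsets; a clean,
    meaningful result suggests a browser/webmail submitting in that charset
    rather than an attack payload."""
    return {cs: raw.decode(cs) for cs in candidates}


if __name__ == "__main__":
    for name, (offset, byte, raw) in check_args(BODY).items():
        # 0xF8..0xFF can never start a UTF-8 sequence, so the check fails here.
        print(f"{name}: byte 0x{byte:02X} at offset {offset} is not valid UTF-8")
        print("  same bytes read as:", read_as_legacy(raw))
```

Only moveButton is flagged: its byte 0xF8 decodes as "ř" in both charsets, giving the Czech button label "Přesunout" (Move).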