Hello,
We are currently testing ModSecurity and found this problem with a SQL
Injection rule.
What:
Modsecurity_crs_41_sql_injection_attacks
Rule:
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\b(\d+) ?(?:=|<>|<=>|<|>|!=) ?\1\b|[\'\"\`\´\'\'](\d+)[\'\"\`\´\'\'] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\'\']\2\b|[\'\"\`\´\\'](\w+)[\'\"\`\´\'\'] ?(?:=|<>|<=>|<|>|!=) ?[\'\"\`\´\'\']\3\b|([\'\"\;\`\´\'\']*)?\s+(and|or)\s+([\s\'\"\`\´\'\']*)?\w+([\s\'\"\`\´\'\']*)?[=<>!]*([\s\'\"\`\´\'\']*)?\w+([\s\'\"\`\´\'\']*)?" \
"phase:2,rev:'2.1.1',capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'950901',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
Problem:
This rule blocks when anything with "a or b" or "a and b" (without the quotes)
is used in a field.
Robert Chumley | Edaptive Systems<http://www.edaptivesys.com/>
400 Red Brook Blvd, Ste 220, Owings Mills, MD 21117
O: 410.327.3366 x176 | C: 410-725-1295 |
[email protected]<mailto:[email protected]>
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
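To see which part of rule 950901 fires on a given field value, here is an added example (not part of this message or of the CRS itself) that reproduces the rule's regex in Python, split into its four top-level alternatives, together with an approximation of its transformation chain. The quote character classes are simplified to ASCII quotes, and the sample field values are constructed.

```python
import html
import re
from typing import List
from urllib.parse import unquote

# Quote characters accepted by the rule's character classes. The rule also lists
# acute and curly quote variants; they are omitted here for portability.
QUOTE = r"""['"`]"""
OP = r"(?:=|<>|<=>|<|>|!=)"

# Rule 950901's regex split into its top-level alternatives so a hit can be
# attributed to one branch. Back-references are renumbered per branch.
BRANCHES = {
    "num_eq_num": re.compile(r"\b(\d+) ?" + OP + r" ?\1\b"),
    "qnum_eq_qnum": re.compile(QUOTE + r"(\d+)" + QUOTE + " ?" + OP + " ?" + QUOTE + r"\1\b"),
    "qword_eq_qword": re.compile(QUOTE + r"(\w+)" + QUOTE + " ?" + OP + " ?" + QUOTE + r"\1\b"),
    # The branch behind the reported false positive: whitespace, and/or, then two
    # runs of word characters with optional quotes and comparison operators between.
    "and_or": re.compile(
        r"""(['";`]*)?\s+(and|or)\s+([\s'"`]*)?\w+([\s'"`]*)?[=<>!]*([\s'"`]*)?\w+([\s'"`]*)?"""
    ),
}


def transform(value: str) -> str:
    """Approximate the rule's t: chain, in order: urlDecodeUni, htmlEntityDecode,
    replaceComments, compressWhiteSpace, lowercase."""
    v = html.unescape(unquote(value))
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)  # replaceComments: comment -> one space
    v = re.sub(r"\s+", " ", v)                    # compressWhiteSpace
    return v.lower()


def matching_branches(value: str) -> List[str]:
    """Names of the branches that fire on the transformed value; empty means the
    rule would not block this value."""
    v = transform(value)
    return [name for name, rx in BRANCHES.items() if rx.search(v)]


if __name__ == "__main__":
    # Constructed field values: two benign phrases and two tautology strings the
    # rule is meant to catch. "salt and pepper" hits because the final \w+ can
    # take the last letter of "pepper" once the first \w+ backtracks.
    for sample in ("salt and pepper", "ordering info", "1 or 1=1", "'1'='1"):
        print(repr(sample), "->", matching_branches(sample))
```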