All,

Not sure if this is the correct way to report false positives, but we are
testing that our app works following the upgrade to mod_security and to core
ruleset 2.2.1. We are now hitting a false positive on rule 981244. I believe
the relevant section of the logs is shown below. Our app needs to log in via
an HTTP call, and it appears that the rule is rejecting the call as it contains
a parameter "j_username". We have turned the rule off for this particular
URL using a location match shown below, which seems to overcome the issue. Is
this the correct way, or is this really a false positive? The rule says it is
trying to catch SQL login attempts.

    # LocationMatch takes a regex, so "/secure*" means "/secur" followed by
    # zero or more "e" characters, anywhere in the path; anchor the intended prefix.
    <LocationMatch "^/secure/">
        SecRuleRemoveById 981244
    </LocationMatch>

Thanks for any pointers

Chris

--23480000-B--
POST /secure/j_acegi_security_check HTTP/1.1
Host: <host name>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://<host name>/internet/shop
Cookie: JSESSIONID=872EE0D25BB05A9D8376C67A9808AB18
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

--23480000-C--
j_username=<username>&j_password=<password>

--23480000-F--
HTTP/1.1 412 Precondition Failed
Last-Modified: Tue, 25 Jan 2011 18:00:46 GMT
ETag: "100000002f836-18e-49aaf7eea50aa"
Accept-Ranges: bytes
Vary:Accept-Encoding
Content-Encoding: gzip
Content-Length: 262
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

--23480000-H--
Message: Access denied with code 412 (phase 2). Pattern match
"(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'|
..." at ARGS:j_username. [file
"D:/apps/Apache2.2/conf/modsecurity2/modsecurity-crs_2.2.1/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "560"] [id "981244"] [msg "Detects basic SQL authentication bypass
attempts 1/3"] [data "like"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
[tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Action: Intercepted (phase 2)
Stopwatch: 1312456696272672 15001 (- - -)
Stopwatch2: 1312456696272672 15001; combined=14001, p1=2001, p2=8000, p3=0,
p4=0, p5=2000, sr=2001, sw=0, l=0, gc=2000
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core
ruleset/2.2.1.
Server: Apache
WebApp-Info: "rbge" "-" "-"
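A narrower way to handle this, added here as an example and not taken from Chris's post or from the CRS itself: leave rule 981244 active and exclude only the one parameter that trips it, so the rest of the login request is still inspected. It assumes ModSecurity 2.6.x (the Producer line above shows 2.6.1), that the snippet is loaded after the CRS files so the rule id already exists, and that SecRuleUpdateTargetById is honoured inside a LocationMatch context on that build.

```apache
# Added example, not part of the original post. Scope the exclusion to the
# exact login URL rather than every path that starts with /secure.
<LocationMatch "^/secure/j_acegi_security_check$">
    # Rule 981244 keeps scanning every other argument (j_password, anything
    # else the form sends); only ARGS:j_username is dropped from its targets.
    # The audit log's [data "like"] entry shows which fragment of the
    # username text matched, which is what makes this a per-parameter
    # false positive rather than a reason to drop the whole rule.
    SecRuleUpdateTargetById 981244 !ARGS:j_username
</LocationMatch>
```

After reloading Apache, replaying the same POST should no longer produce an -H- section citing id 981244 at ARGS:j_username, while a test value containing the same pattern in j_password should still be intercepted.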
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set