We have some issues with 960024 rule of CRS 2.2.2 here.
Our native language is Brazilian Portuguese, UTF-8 enconding (Django),
and when we have some ARG by POST with special caracter content of our
language (like "Ç" for example), we get this modsecurity log:
Message: Access denied with code 403 (phase 2). Pattern match
"\\W{4,}" at ARGS:descricao_procedencia. [file
"/dbs1/www/apache2/conf/modsecurity/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "509"] [id "960024"] [rev "2.2.2"] [msg "SQL Character Anomaly
Detection Alert - Repetative Non-Word Characters"] [data
"\xc3\x87\xc3\x83"]
The uncoding can be done this way in a python shell:
>>> import urllib
>>> b=urllib.unquote_plus('4%C2%AA+COORDENADORIA+REGIONAL+DE+EDUCA%C3%87%C3%83O')
>>> print b
4ª COORDENADORIA REGIONAL DE EDUCAÇÃO
We have enabled the option of UTF-8 enconding in modsecurity_crs_10_config.conf:
SecAction
"phase:1,id:'981216',t:none,nolog,pass,setvar:tx.crs_validate_utf8_encoding=1"
How can I solve this issue ?
Thanks in advance.
--
Jeronimo Zucco
http://jczucco.blogspot.com
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
