Jeronimo Zucco <jczucco@...> writes:
>
> We have some issues with 960024 rule of CRS 2.2.2 here.
>
> Our native language is Brazilian Portuguese, UTF-8 encoding (Django),
> and when we have some ARG by POST with special character content of our
> language (like "Ç" for example), we get this modsecurity log:
>
> Message: Access denied with code 403 (phase 2). Pattern match
> "\\W{4,}" at ARGS:descricao_procedencia. [file
>
> "/dbs1/www/apache2/conf/modsecurity/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "509"] [id "960024"] [rev "2.2.2"] [msg "SQL Character Anomaly
> Detection Alert - Repetative Non-Word Characters"] [data
> "\xc3\x87\xc3\x83"]
>
> The decoding can be done this way in a Python shell:
>
> >>> import urllib
> >>> b=urllib.unquote_plus('4%C2%AA+COORDENADORIA+REGIONAL+DE+EDUCA%C3%87%C3%83O')
> >>> print b
> 4ª COORDENADORIA REGIONAL DE EDUCAÇÃO
>
> We have enabled the option of UTF-8 encoding in modsecurity_crs_10_config.conf:
>
> SecAction "phase:1,id:'981216',t:none,nolog,pass,setvar:tx.crs_validate_utf8_encoding=1"
>
> How can I solve this issue?
>
> Thanks in advance.
>
I've got the same issue - just disabled this particular rule.
Try this:
Edit /etc/httpd/conf.d/mod_security.conf
and add the following line:
SecRuleRemoveById 960024
Then reload the web server.
Check the logs; if you find any other issues, try removing another rule (I had
to disable 4 rules before my encoding was accepted).
Regards,
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
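Added example, not part of the thread and not CRS or ModSecurity code: it reproduces why rule 960024 fires on the value quoted above. The rule's `\W{4,}` is applied to the raw, percent-decoded UTF-8 bytes, where `\w` only covers `[A-Za-z0-9_]`, so the two multibyte characters "ÇÃ" (`\xc3\x87\xc3\x83`) are four consecutive "non-word" bytes and the pattern matches exactly the `[data ...]` shown in the log. The same pattern compiled over decoded text with a Unicode-aware `\w` does not match the Portuguese string but still matches a constructed value containing real SQL punctuation. The sample values are constructed for the example; the helper names are the example's own.

```python
import re
import urllib.parse

# Constructed sample: the percent-encoded POST value quoted in the thread.
RAW_ARG = '4%C2%AA+COORDENADORIA+REGIONAL+DE+EDUCA%C3%87%C3%83O'
# Constructed sample: a value with a genuine run of SQL punctuation.
RAW_INJECTION = 'x%27%29%29%3B--'

# The 960024 pattern as it appears in the log line: four or more non-word characters.
RULE_RE = r'\W{4,}'
# Byte-oriented compile: \w is only [A-Za-z0-9_], so every byte of a UTF-8
# multibyte sequence counts as \W. This is the behaviour the thread observed.
BYTE_RULE = re.compile(RULE_RE.encode('ascii'))
# Code-point oriented compile: \w covers Unicode letters such as Ç and Ã.
TEXT_RULE = re.compile(RULE_RE)


def decode_form_value(raw: str) -> bytes:
    """Undo application/x-www-form-urlencoded encoding, keeping the raw UTF-8 bytes."""
    # '+' becomes a space before %XX decoding so that a literal %2B survives as '+'.
    return urllib.parse.unquote_to_bytes(raw.replace('+', ' '))


def byte_level_match(raw: str):
    """What a byte-oriented \\W{4,} sees. Returns the matched bytes, or None."""
    m = BYTE_RULE.search(decode_form_value(raw))
    return m.group(0) if m else None


def text_level_match(raw: str):
    """What a Unicode-aware \\W{4,} sees on the decoded text. Returns the match, or None."""
    m = TEXT_RULE.search(decode_form_value(raw).decode('utf-8'))
    return m.group(0) if m else None


def main() -> None:
    for label, raw in (('portuguese text', RAW_ARG), ('sql punctuation', RAW_INJECTION)):
        print(f'{label}: bytes={byte_level_match(raw)!r} text={text_level_match(raw)!r}')


if __name__ == '__main__':
    main()
```

Two practical notes follow from this. The `tx.crs_validate_utf8_encoding` setting enabled in the question only checks that the UTF-8 is well-formed; it does not make the regex engine treat multibyte letters as word characters, so it cannot stop this match. And removing the rule with `SecRuleRemoveById` drops the check for every parameter; where the ModSecurity version in use supports it, `SecRuleUpdateTargetById 960024 !ARGS:descricao_procedencia` is the narrower option, excluding only the free-text field that legitimately carries accented characters while keeping the rule on everything else (this alternative is not mentioned in the thread and should be tested against the installed version).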