Hi Christian,

could you send the full request, or the AuditEvent for it? Could it be that the browser did not URL-encode the character but sent it some other way, and the "urlDecodeUni" transformation then turns it into something that gets caught by the rule?

I would like to take a closer look at this, but for that I would ideally need the event (please remove any private data such as session ID, IP, etc. beforehand).

Regards,
Chris

On 23.08.2012 at 15:34, Christian Klossek <c.klos...@apodiscounter.de> wrote:

> Hi,
>
> I'm using modsecurity 2.6.7 with CRS 2.2.5 on a debian squeeze system.
>
> Why is the rule 981318 triggering on a GET-param with a value of "ę"
> (Unicode U+0119)?
>
> I get this in my debug log (debug level 9):
> -------------------------------------
> SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@rx (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" "phase:2,nolog,auditlog,rev:2.2.5,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:981318,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
>
> Expanded "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" to "REQUEST_FILENAME|ARGS_NAMES:keywords|ARGS:keywords".
>
> T (0) urlDecodeUni: "/test.php"
> Transformation completed in 13 usec.
> Executing operator "rx" with param "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" against REQUEST_FILENAME.
> Target value: "/test.php"
> Operator completed in 9 usec.
>
> T (0) urlDecodeUni: "keywords"
> Transformation completed in 13 usec.
> Executing operator "rx" with param "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" against ARGS_NAMES:keywords.
> Target value: "keywords"
> Operator completed in 4 usec.
>
> T (0) urlDecodeUni: "\xc4\x99"
> Transformation completed in 14 usec.
> Executing operator "rx" with param "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" against ARGS:keywords.
> Target value: "\xc4\x99"
> Added regex subexpression to TX.0: \x99
> Added regex subexpression to TX.1: \x99
> Operator completed in 38 usec.
> Setting variable: tx.msg=%{rule.msg}
> Resolved macro %{rule.msg} to: SQL Injection Attack: Common Injection Testing Detected
> ..
> ..
> -------------------------------------------
>
> Thanks for your help
>
> Christian
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
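The debug log quoted above already contains the explanation: TX.0 captured "\x99", which is the second byte of the UTF-8 encoding of "ę" (\xc4\x99), not the whole character. The character class in rule 981318 spells the acute accent and the curly quotes as byte sequences (\xc2\xb4, \xe2\x80\x99, \xe2\x80\x98), and a regex engine that is not in UTF-8 mode treats each of those bytes as a separate class member. Any value ending in a byte such as 0x99 therefore satisfies the `[...]+$` branch. The following is an added example (it is not code from the thread, from ModSecurity or from the CRS project) that reproduces the byte-level match with Python's `re` module, puts a code-point-aware version of the same class beside it, and lists which characters would trip the byte-oriented class when sent as a whole value. The function names, the candidate characters and the assumption that Python's bytes-mode regex models ModSecurity's byte-oriented PCRE run here (as the log indicates) are mine.

```python
import re
from typing import Optional

# Character-class pattern from CRS 2.2.5 rule 981318 as quoted in the debug log.
# Compiled as a *bytes* pattern, \xc2\xb4, \xe2\x80\x99 and \xe2\x80\x98 are not
# three characters but six individual class members: bytes 0xc2, 0xb4, 0xe2, 0x80,
# 0x99 and 0x98. Assumption: this mirrors the byte-oriented match in the log.
RULE_981318_BYTES = re.compile(
    rb"""(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"""
)

# The same intent over Unicode code points: U+00B4 (acute accent), U+2019 and
# U+2018 (curly single quotes) are whole characters in the class, so no
# continuation byte of an unrelated character can match.
RULE_981318_TEXT = re.compile(
    r"""(^["'`\u00b4\u2019\u2018;]+|["'`\u00b4\u2019\u2018;]+$)"""
)


def match_as_bytes(value: str) -> Optional[bytes]:
    """Run the byte-oriented pattern over the UTF-8 encoding of value and return
    the captured fragment (what the log reports as TX.0), or None if no match."""
    m = RULE_981318_BYTES.search(value.encode("utf-8"))
    return m.group(0) if m else None


def match_as_text(value: str) -> Optional[str]:
    """Run the code-point-oriented pattern over the decoded string."""
    m = RULE_981318_TEXT.search(value)
    return m.group(0) if m else None


def false_positive_chars(candidates: str) -> dict:
    """For each candidate character sent alone as a parameter value, report the
    byte fragment the byte-oriented rule would capture. Characters the code-point
    pattern also flags are excluded, so only pure encoding artefacts remain."""
    hits = {}
    for ch in candidates:
        captured = match_as_bytes(ch)
        if captured is not None and match_as_text(ch) is None:
            hits[ch] = captured
    return hits


if __name__ == "__main__":
    # Constructed sample values: the value from the thread, a harmless accented
    # letter, and a value with a genuine trailing quote.
    for value in ("ę", "é", "foo'"):
        print(repr(value), "bytes:", match_as_bytes(value), "text:", match_as_text(value))
    # Constructed candidate set; only characters whose first or last UTF-8 byte is
    # one of the stray class bytes show up here.
    print(false_positive_chars("ęéÙ€¿aą"))
```

`match_as_bytes("ę")` returns `b"\x99"`, exactly the TX.0 value in the log, while `match_as_text("ę")` returns None; the trailing-quote value is caught by both versions, so the code-point class loses nothing in detection. The candidate scan shows the failure mode is not specific to "ę": any character whose UTF-8 encoding begins with 0xc2 or 0xe2, or ends with 0x80, 0x98, 0x99 or 0xb4, produces the same kind of one-byte capture.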