Hi Steve! On 05.03.2013 at 19:20, "Canell, Stephen E (1734)" <stephen.e.can...@jpl.nasa.gov> wrote:

> The following in ARGS: is being identified as SQL Injection:
>
> TAOP01U10RhvxuuKxxempg01U10monamzy1
>
> Message: Access denied with code 403 (phase 2). Pattern match
> "(?i:(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*(x?or|div|like|between|and)\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)$)|(?:(?:^[(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x ..."
> at ARGS:TAOP01U10RhvxuuKxxempg01U10monamzy1.
> [file "/usr/local/apache2/conf/extra/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "565"] [id "981242"]
> [msg "Detects classic SQL injection probings 1/2"] [data "7 Andr"] [severity "CRITICAL"]
> [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

The "TAOP01U10RhvxuuKxxempg01U10monamzy1" string is NOT detected as SQL injection; it is simply the name of the PARAMETER that contains the malicious data. The data that triggers your rule is "7 Andr", which you can see in the [data "7 Andr"] part of the rule message.

The problem is probably that the regex of the rule has something like ...|div|like|between|and)\\s*..., which says "something with 'and' followed by ANY number of whitespaces". Unfortunately "ANY" also includes 0. So "andr" matches "and" followed by 0 whitespaces, and the "r" probably matches some of the rest of the complex regex.

I hope that makes sense :-)

Best regards,
Chris

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
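A small triage helper for this kind of false positive, added here as an example (it is not code from the thread or from the CRS project): it reads the parameter name and the [data "..."] fragment from an alert line so the two are not confused, splits a rule body into its top-level alternatives to show which branch fires on a value, and contrasts a keyword alternation followed by \s* (which also matches zero spaces, so "And" inside "Andr" fits) with a \b-anchored variant. The alert line and the rule excerpt are constructed, simplified stand-ins (ASCII quotes only, three of the rule's alternatives).

```python
import re

# Added example, not code from the thread or from the CRS project. The alert
# line and the rule excerpt below are constructed, simplified stand-ins for the
# ones quoted in the thread (ASCII quotes only; the real rule has more branches).
ALERT = ('Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:'
         'TAOP01U10RhvxuuKxxempg01U10monamzy1. [id "981242"] [msg "Detects classic SQL '
         'injection probings 1/2"] [data "7 Andr"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"]')
QUOTE = r"""("|'|`)"""            # ASCII quotes only; the real rule adds Unicode ones
KEYWORDS = r"(x?or|div|like|between|and)"
LOOSE = rf"{KEYWORDS}\s*"         # \s* also matches zero spaces, so "And" in "Andr" fits
STRICT = rf"\b{KEYWORDS}\b\s*"    # \b makes the keyword match only as a whole word
RULE_BODY = (rf"(?:{QUOTE}\s*{KEYWORDS}\s*{QUOTE}?\d)"  # quote, keyword, digit
             r"|(?:\\x(?:23|27|3d))"                     # literal \x23, \x27, \x3d
             rf"|(?:^.?{QUOTE}$)")                       # a lone trailing quote

def parse_alert(line):
    """Return the variable the rule fired on plus every [key "value"] field."""
    var = re.search(r' at (\S+?)\.? \[', line)          # the "at ARGS:name." part
    fields = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))
    fields['tag'] = re.findall(r'\[tag "([^"]*)"\]', line)   # tags repeat, keep all
    fields['variable'] = var.group(1) if var else None
    return fields

def top_level_alternatives(pattern):
    """Split a regex on '|' at nesting depth 0, honouring escapes and [...] classes."""
    parts, buf, depth, in_class, i = [], '', 0, False, 0
    while i < len(pattern):
        c = pattern[i:i + 2] if pattern[i] == '\\' else pattern[i]  # escape pair stays whole
        if len(c) == 1 and in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c in '()':
            depth += 1 if c == '(' else -1
        elif c == '|' and depth == 0:
            parts, buf, i = parts + [buf], '', i + 1
            continue
        buf, i = buf + c, i + len(c)
    return parts + [buf]

def triage(pattern, value):
    """List (index, alternative, matched text) for each alternative that fires."""
    return [(n, alt, m.group(0)) for n, alt in enumerate(top_level_alternatives(pattern))
            if (m := re.search(alt, value, re.I))]
```

Running triage(LOOSE, "7 Andr") reports a hit on "And" while triage(STRICT, "7 Andr") reports none, and both still fire on a real probe such as ' or '1.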