On Thursday 26 September 2013 15:31:01 Canell, Stephen E wrote:
> I am trying to understand what part of the data set in the "GET" is
> triggering rule 960911 to trigger. The "Match" section is listed.
> Thank you.
>
> 403|HTTP/1.1 403 Forbidden|Action: Intercepted (phase 1)|Message: Access denied with code 403 (phase 1). Match of "rx ^(?:(?:[a-z]{3,10}\\s+(?:\\w{3,7}?://[\\w\\-\\./]*(?::\\d+)?)?/[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?|connect (?:\\d{1,3}\\.){3}\\d{1,3}\\.?(?::\\d+)?|options \\*)\\s+[\\w\\./]+|get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?)$" against "REQUEST_LINE" required.
> [file "/usr/local/apache2/conf/extra/modsecurity/modsecurity_crs_20_protocol_violations.conf"] [line "37"] [id "960911"] [rev "2.2.3"] [msg "Invalid HTTP Request Line"] [data "GET /ci20/index.jsp?INDEX=0&PS=CA&postingToApply=8338773&POSTINGID=8338773&PT=12383 - Staff Assistant III, Section 391 Business Administration&APPLICATIONNAME=jplCA&SEQ=jobDetails&PID=8338773&BOARD_ID=Compliance_H2H&LOCALE=en_U HTTP/1.1"]
Hi Stephen,

I suspect this part: "get /[^?#]*(?:\\?[^#\\s]*)?(?:#[\\S]*)?"

Generally there shouldn't be plain spaces in a URL. They should be urlencoded to %20, so you will have the whole parameter as PT=12383%20-%20Staff%20Assistant%20III%2C%20Section%20391%20Business%20Administration

--
Vitaliy Krasheninnikov
Modern Payment Solution LLC
Lead software integration engineer
Phone: +78124381000 ext. 207
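As an added example (not part of Stephen's or Vitaliy's messages), this Python script applies the rule's pattern from the audit log above, with the log's doubled backslashes collapsed, to the logged request line, names the query parameter carrying raw whitespace, and shows the same line passing once the request target is percent-encoded. It assumes the rule lowercases the request line before matching, as the lowercase-only pattern implies.

```python
import re
from urllib.parse import quote

# CRS rule 960911's pattern as the audit log prints it (doubled backslashes
# collapsed). The rule is negated, so it fires when the line does NOT match.
REQUEST_LINE_RE = re.compile(
    r"^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?"
    r"/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?"
    r"|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?"
    r"|options \*)\s+[\w\./]+"
    r"|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$"
)

# The request line from the audit log above, rejoined across the mail wraps.
BLOCKED_LINE = (
    "GET /ci20/index.jsp?INDEX=0&PS=CA&postingToApply=8338773&POSTINGID=8338773"
    "&PT=12383 - Staff Assistant III, Section 391 Business Administration"
    "&APPLICATIONNAME=jplCA&SEQ=jobDetails&PID=8338773&BOARD_ID=Compliance_H2H"
    "&LOCALE=en_U HTTP/1.1"
)


def rule_960911_fires(request_line: str) -> bool:
    """True when the rule would block. Assumption: the rule lowercases
    REQUEST_LINE before matching (the pattern only has lowercase methods)."""
    return REQUEST_LINE_RE.match(request_line.lower()) is None


def offending_query_params(request_line: str) -> list[str]:
    """Query parameters holding raw whitespace, i.e. what breaks the pattern.
    The target sits between the method's space and the version's space, so
    spaces inside the query string are kept rather than split on."""
    first, last = request_line.find(" "), request_line.rfind(" ")
    if first < 0 or last <= first:
        return []
    query = request_line[first + 1:last].partition("?")[2]
    return [p for p in query.split("&") if re.search(r"\s", p)]


def encode_target(request_line: str) -> str:
    """Rebuild the line with the target percent-encoded (space -> %20, comma -> %2C)."""
    method, _, rest = request_line.partition(" ")
    target, _, version = rest.rpartition(" ")
    return f"{method} {quote(target, safe='/?&=')} {version}"


if __name__ == "__main__":
    print("fires on logged line: ", rule_960911_fires(BLOCKED_LINE))
    print("whitespace in params: ", offending_query_params(BLOCKED_LINE))
    print("fires on encoded line:", rule_960911_fires(encode_target(BLOCKED_LINE)))
```

Note that the pattern's `[^?#]*` path segment tolerates a space before the `?`, so the rule only rejects the raw space because it sits inside the query string.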
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set