Hi there,
I've got a problem with modsecurity, modsecurity-crs and a little nasty unicode-symbol, the "MASCULINE ORDINAL INDICATOR" or in short: º

http://codepoints.net/U+00BA?lang=en

This nasty symbol causes multiple sql-injection rules:

Message: Pattern match "(?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((? ..." at ARGS:address[street]. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: , n\xc2\xba 1, 1\xc2\xba - 1 found within ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1, 1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Message: Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select\\s+)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4 ..." at ARGS:address[street]. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \xc2\xba 1, 1 found within ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1, 1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

Message: Pattern match "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?\\*.+(?:x?or|div|like|between|and|id)\\W*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\d)|(?:\\^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:^[\\w\\s\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98-]+(?<=and\\s)(?<=or|xor ..." at ARGS:address[street]. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "245"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: \xc2\xba 1 found within ARGS:address[street]: C/ Mare de D\xc3\xa9u del Corredor, n\xc2\xba 1, 1\xc2\xba - 1\xc2\xaa"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]

I've configured

SecUnicodeCodePage 20127
SecUnicodeMapFile /etc/modsecurity/unicode.mapping

and the rules are using t:urlDecodeUni but there are still these audit-events. I have no clue why, could someone help me with this?

Best regards
Jan
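Added example, not part of the message above and not CRS code: it runs the first alternative of the logged 981257 pattern over the logged street value twice, once byte by byte (as the \xNN escapes in the log suggest the engine does) and once on whole code points. Python's re module stands in for the rule engine and all helper names are assumptions; in byte mode the lead byte \xc2 of º is itself a member of the character class, because ´ is encoded as \xc2\xb4.

```python
import re

# Quote-like characters listed in the logged character classes: " ' ` ´ ’ ‘
QUOTES = "\"'`\u00b4\u2019\u2018"

# First alternative of the pattern logged for rule 981257 (the rest is truncated in the log).
PATTERN = r"(?i:(?:,.*?[)\da-f%s][%s](?:[%s].*?[%s]|\Z|[^%s]+)))" % ((QUOTES,) * 5)

# Byte mode: every UTF-8 byte of ´ ’ ‘ becomes a separate class member.
BYTE_RX = re.compile(PATTERN.encode("utf-8"))
# Code-point mode: the class holds the six characters themselves.
CHAR_RX = re.compile(PATTERN)

# Constructed from the ARGS:address[street] value shown in the audit log.
STREET = "C/ Mare de D\u00e9u del Corredor, n\u00ba 1, 1\u00ba - 1\u00aa"


def class_bytes():
    """Bytes that the quote part of the class accepts when matched bytewise."""
    return set(QUOTES.encode("utf-8"))


def shared_bytes(ch):
    """UTF-8 bytes of ch that collide with members of the bytewise class."""
    return sorted(set(ch.encode("utf-8")) & class_bytes())


def match_bytewise(value):
    m = BYTE_RX.search(value.encode("utf-8"))
    return m.group(0) if m else None


def match_codepoints(value):
    m = CHAR_RX.search(value)
    return m.group(0) if m else None


if __name__ == "__main__":
    print("bytes of U+00BA inside the class:", [hex(b) for b in shared_bytes("\u00ba")])
    print("bytewise match  :", match_bytewise(STREET))
    print("code-point match:", match_codepoints(STREET))
```

The bytewise result equals the "Matched Data" of the first audit entry; the same overlap applies to ª (\xc2\xaa) and any other character whose UTF-8 encoding starts with \xc2 or \xe2.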