Hi, I'm having difficulty discovering which rule is causing a false positive because it doesn't display an ID in the message.
To give a bit of background, I'm accessing the Transmission BitTorrent web client via a reverse proxy. Yesterday I decided to replace the aging interface with a better one (Shift). In doing so I've had to disable a number of rules related to SQL injection, which is being caused by the web interface requesting/sending information to the RPC interface (also behind the proxy).

Here is a message from the Apache error log:

[Tue Jan 28 12:37:43 2014] [error] [client hidden] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\b(?i:having)\\\\b\\\\s+(\\\\d{1,10}|'[^=]{1,10}')\\\\s*?[=<>]|(?i:\\\\bexecute(\\\\s{1,5}[\\\\w\\\\.$]{1,5}\\\\s{0,3})?\\\\()|\\\\bhaving\\\\b ?(?:\\\\d{1,10}|[\\\\'\\"][^=]{1,10}[\\\\'\\"]) ?[=<>]+|(?i:\\\\bcreate\\\\s+?table.{0,20}?\\\\()|(?i:\\\\blike\\\\W*?char\\\\W*?\\\\()|(?i:(?:(select(.* ..." at ARGS_NAMES:{"method":"torrent-get","arguments":{"ids":[1],"fields":["activityDate","addedDate","bandwidthPriority","comment","corruptEver","creator","display","dateCreated","desiredAvailable","doneDate","downloadDir","downloadedEver","downloadLimit","downloadLimited","error","errorString","eta","files","fileStats","hashString","haveUnchecked","haveValid","honorsSessionLimits","id","index","isFinished","isPrivate","isStalled","leftUntilDone","location","magnetLink","manualAnnounceTime","maxConnectedPeers","metadataPercentComplete","name","peer-limit","peers","peersConnected","peersFrom","peersGettingFromUs","peersSendingToUs","percentDone","pieces","pieceCount","pieceSize","priorities","queuePosition [hostname "hidden"] [uri "/transmission/rpc"] [unique_id "Uuekl38AAQEAAGl0A0wAAAAF"]

Here is the related audit log:

--c0e6d529-A--
[28/Jan/2014:12:37:43 +0000] Uuekl38AAQEAAGl0A0wAAAAF hidden 59127 hidden 443
--c0e6d529-B--
POST /transmission/rpc HTTP/1.1
Host: hidden
Connection: keep-alive
Content-Length: 1095
Authorization: Basic hidden
Origin: https://hidden
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.7.1
X-Requested-With: XMLHttpRequest
X-Transmission-Session-Id: KoILIz4o114SctLDgPVavN2EghQIxpbbXp49cBsSjVw8JVny
Referer: https://hidden/transmission/web/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: compact_display_state=false

--c0e6d529-C--
{"method":"torrent-get","arguments":{"ids":[1],"fields":["activityDate","addedDate","bandwidthPriority","comment","corruptEver","creator","display","dateCreated","desiredAvailable","doneDate","downloadDir","downloadedEver","downloadLimit","downloadLimited","error","errorString","eta","files","fileStats","hashString","haveUnchecked","haveValid","honorsSessionLimits","id","index","isFinished","isPrivate","isStalled","leftUntilDone","location","magnetLink","manualAnnounceTime","maxConnectedPeers","metadataPercentComplete","name","peer-limit","peers","peersConnected","peersFrom","peersGettingFromUs","peersSendingToUs","percentDone","pieces","pieceCount","pieceSize","priorities","queuePosition","rateDownload","rateUpload","recheckProgress","secondsDownloading","secondsSeeding","seedIdleLimit","seedIdleMode","seedRatioLimit","seedRatioMode","selected","sizeWhenDone","startDate","status","trackers","trackerAdd","trackerRemove","trackerReplace","trackerStats","totalSize","torrentFile","uploadedEver","uploadLimit","uploadLimited","uploadRatio","wanted","webseeds","webseedsSendingToUs"]}}

--c0e6d529-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 183
Keep-Alive: timeout=5, max=33
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--c0e6d529-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /transmission/rpc on this server.</p>
</body></html>

--c0e6d529-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\b(?i:having)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*?[=<>]|(?i:\\bexecute(\\s{1,5}[\\w\\.$]{1,5}\\s{0,3})?\\()|\\bhaving\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:\\bcreate\\s+?table.{0,20}?\\()|(?i:\\blike\\W*?char\\W*?\\()|(?i:(?:(select(.* ..." at ARGS_NAMES:{"method":"torrent-get","arguments":{"ids":[1],"fields":["activityDate","addedDate","bandwidthPriority","comment","corruptEver","creator","display","dateCreated","desiredAvailable","doneDate","downloadDir","downloadedEver","downloadLimit","downloadLimited","error","errorString","eta","files","fileStats","hashString","haveUnchecked","haveValid","honorsSessionLimits","id","index","isFinished","isPrivate","isStalled","leftUntilDone","location","magnetLink","manualAnnounceTime","maxConnectedPeers","metadataPercentComplete","name","peer-limit","peers","peersConnected","peersFrom","peersGettingFromUs","peersSendingToUs","percentDone","pieces","pieceCount","pieceSize","priorities","queuePosition
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1390912663932099 11850 (- - -)
Stopwatch2: 1390912663932099 11850; combined=8383, p1=338, p2=7959, p3=0, p4=0, p5=86, sr=68, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache

Any help would be greatly appreciated. Thanks.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
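An added example, not part of the post above or of the ModSecurity/CRS projects: a small Python parser for ModSecurity 2.x "Pattern match" error-log lines like the one quoted. It pulls out the operator result, the variable the rule fired on, and the trailing bracketed tags, then lists which of the tags a complete match message normally carries ([file], [line], [id], [msg], [hostname], [uri], [unique_id]) are absent. In the post's line the matched data (the entire JSON body, reported as an ARGS_NAMES entry) is cut off at "queuePosition", and no [id "..."] tag is visible before the trailing [hostname]/[uri]/[unique_id] tags, which is why the parser reports id as missing. It also flags the cause of the odd location: the request is declared application/x-www-form-urlencoded while the body is JSON, so the urlencoded parser hands the whole body to the rules as a single parameter name. The first sample is a shortened copy of the post's line; the second line, its file path, rule id 000000 and unique id are constructed placeholders, not real CRS values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Bracketed tags ModSecurity 2.x appends after the match description, e.g.
# [file "..."] [line "..."] [id "..."] [msg "..."] ... [unique_id "..."].
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Operator result plus the variable it fired on. The variable's value runs until
# the first trailing tag (or end of line); the lookahead insists on the  [name "
# shape so quotes and brackets inside an ARGS_NAMES JSON blob do not end it early.
MATCH_RE = re.compile(
    r'ModSecurity: (?P<action>[^.]+)\. Pattern match "(?P<pattern>.*?)" at '
    r'(?P<collection>[A-Z_]+)(?::(?P<value>.*?))?(?= \[\w+ "|$)',
    re.S,
)

# Tags a complete rule-match message carries; "id" is the one the post is after.
EXPECTED_TAGS = ("file", "line", "id", "msg", "hostname", "uri", "unique_id")


@dataclass
class ModSecMatch:
    action: str        # e.g. "Access denied with code 403 (phase 2)"
    pattern: str       # the regex the operator reported (may be truncated)
    collection: str    # e.g. "ARGS_NAMES"
    value: str         # the parameter name / value the rule fired on
    tags: Dict[str, str]

    @property
    def missing_tags(self) -> List[str]:
        return [t for t in EXPECTED_TAGS if t not in self.tags]

    @property
    def json_body_parsed_as_form(self) -> bool:
        # A parameter *name* that starts like a JSON document means the body was
        # declared application/x-www-form-urlencoded but actually carried JSON,
        # so the urlencoded parser turned the whole body into one ARGS_NAMES entry.
        return self.collection == "ARGS_NAMES" and self.value.lstrip()[:1] in ("{", "[")


def parse_modsec_message(line: str) -> ModSecMatch:
    """Split one ModSecurity 2.x 'Pattern match' error-log line into its parts."""
    m = MATCH_RE.search(line)
    if m is None:
        raise ValueError("not a ModSecurity 'Pattern match' message")
    value = m.group("value") or ""
    if value.endswith("."):          # untruncated messages end the variable with "."
        value = value[:-1]
    tags = dict(TAG_RE.findall(line[m.end():]))   # only the tags after the variable
    return ModSecMatch(m.group("action"), m.group("pattern"),
                       m.group("collection"), value, tags)


# Shortened copy of the error-log line from the post (pattern and field list cut
# down). The matched data stops at "queuePosition" and no [id "..."] tag appears
# before the trailing [hostname]/[uri]/[unique_id] tags.
POST_MESSAGE = r"""[Tue Jan 28 12:37:43 2014] [error] [client hidden] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\b(?i:having)\b\s+(\d{1,10}|'[^=]{1,10}')\s*?[=<>]|(?i:(?:(select(.* ..." at ARGS_NAMES:{"method":"torrent-get","arguments":{"ids":[1],"fields":["activityDate","addedDate","haveValid","id","queuePosition [hostname "hidden"] [uri "/transmission/rpc"] [unique_id "Uuekl38AAQEAAGl0A0wAAAAF"]"""

# Constructed complete message in the same format, to show what the parser
# reports when the tags are present. File path, rule id and unique id are
# placeholders, not real CRS values.
COMPLETE_MESSAGE = (
    '[Tue Jan 28 12:40:00 2014] [error] [client hidden] ModSecurity: Warning. '
    'Pattern match "(?i:\\bhaving\\b)" at ARGS:q. '
    '[file "/path/to/placeholder-rules.conf"] [line "1"] [id "000000"] '
    '[msg "Constructed example"] [hostname "hidden"] [uri "/search"] '
    '[unique_id "CONSTRUCTED0000000000"]'
)


if __name__ == "__main__":
    for label, line in (("post", POST_MESSAGE), ("constructed", COMPLETE_MESSAGE)):
        hit = parse_modsec_message(line)
        print(f"{label}: matched in {hit.collection}; "
              f"rule id = {hit.tags.get('id', '<not in message>')}; "
              f"missing tags = {hit.missing_tags}; "
              f"JSON body seen as a form field name = {hit.json_body_parsed_as_form}")
```

Run it as a script and it prints, for the post's line, that the match sits in ARGS_NAMES, that the rule id is not in the message, that file/line/id/msg are missing, and that the JSON body was parsed as a form field name; for the constructed line all tags are present and the id is reported. Feeding it the full error-log line from the post instead of the shortened copy gives the same result, because the parser only depends on the "Pattern match ... at VARIABLE" shape and the trailing tags.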