If data_567 will always have the URL data, you can do this in your custom rules file (AFTER the CRS rules):

    SecRuleUpdateTargetById 950120 !ARGS:data_567

Or conditionally check the URL particular to this request and allow the parameter in your custom rules file (BEFORE the CRS rules):

    SecRule REQUEST_FILENAME "@rx /XXX/Register\.action" "id:999008,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=950120;ARGS:data_567"

Thanks
Subin
Application Security consultant | GISTR

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Ilyass Kaouam
Sent: Wednesday, July 02, 2014 6:08 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] FALSE POSITIVE

Hello,

Our website is a directory, that is to say we always have users who insert their data such as the URL of their website, telephone, fax ... During validation by our team I noticed that mod_security prohibits the request because it contains a URL: http://www.companyhacham.sitew.com/

Do you have a solution (secure) to allow URLs?
Thank you

log:

codeAction=1&entid=395342&bilid=345129&idMkt=518&denomination=&capital=100+000+&activite=COMPANY+HACHAM+offre+des+produits+et+services+de+grande+qualit%C3%A9+dans+les+domaines+de+%3A+Menuiserie+Aluminium%2C+PVC%2C+Inox%2C+Vitrine+en+Verre%2C+Cloisons+aluminium%2C+Cuisine+Moderne+Sur+Mesure%2C+Tablier+en+lames+Micro+perfor%C3%A9es%2C+Habillage+de+Fa%C3%A7ade.+(ALUCOBOND)%2C+Faux+Plafonds%2C+Mur+Rideau%2C+Moustiquaire%2C+les+Stores%2C+Travaux+divers.&effectif=0&effectifCadre=0&segmentEffectif=1&dateContribution=06%2F08%2F13+14%3A32&loginUser=sgh5%40hotmail.fr&emailUser=sgh5%40hotmail.fr&id=518&denomination_validator=&rc_validator=&tribunal_validator=&fmj_validator=&capital_validator=&adresse_validator=&ville_validator=&activite_validator=&effectif_validator=&segmentEffectif_validator=&effectifCadre_validator=&telfaxmailweb_565=on&telfaxmailweb_565_validator=1&data_565=0618555477&type_565=1&idMktTelfaxmailweb_565=0&telfaxmailweb_566=on&telfaxmailweb_566_validator=1&data_566=companyhacham%40gmail.com&type_566=3&idMktTelfaxmailweb_566=0&telfaxmailweb_567=on&telfaxmailweb_567_validator=1&data_567=http%3A%2F%2Fwww.companyhacham.sitew.com%2F&type_567=4&idMktTelfaxmailweb_567=0&statut=1&remarque=
--c307bc39-F--
HTTP/1.1 403 Forbidden
Content-Length: 245
Connection: close
Content-Type: text/html; charset=iso-8859-1

Message: Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: http://www.companyhacham.sitew.com/ found within TX:1:www.companyhacham.sitew.com/"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"]
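Added example (not part of the original thread and not CRS code): a simplified Python model of the off-domain check the audit log describes, showing how the two exclusions suggested in the reply differ in scope. The regex, the host name directory.example, the View.action path and the page parameter are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl

# Simplified model of rule 950120 as the audit log describes it: an argument
# that is a full URL is captured into TX:1 (the part after the scheme) and
# must begin with the request's Host header. The regex is an assumption.
URL_ARG = re.compile(r"^(?:ht|f)tps?://(.*)$", re.I)

def rule_950120(args, host, excluded=()):
    """Return the names of arguments that trigger the off-domain check."""
    hits = []
    for name, value in args:
        if name in excluded:
            continue  # target removed: this value is never inspected
        m = URL_ARG.match(value)
        if m and not m.group(1).startswith(host):
            hits.append(name)
    return hits

def inspect(path, body, host, global_excl=(), scoped_excl=None):
    """global_excl models SecRuleUpdateTargetById (applies to every request);
    scoped_excl models the ctl:ruleRemoveTargetById rule as
    (path_regex, arg_name) and applies only when the path matches."""
    excluded = set(global_excl)
    if scoped_excl and re.search(scoped_excl[0], path):
        excluded.add(scoped_excl[1])
    return rule_950120(parse_qsl(body, keep_blank_values=True), host, excluded)

# Constructed sample input. BODY is shortened from the POST body in the thread;
# HOST, the View.action path and the "page" parameter are hypothetical.
HOST = "directory.example"
BODY = ("data_565=0618555477"
        "&data_567=http%3A%2F%2Fwww.companyhacham.sitew.com%2F&type_567=4")
OTHER = ("page=http%3A%2F%2Foff-domain.example%2F"
         "&data_567=http%3A%2F%2Foff-domain.example%2F")
SCOPED = (r"/XXX/Register\.action", "data_567")

if __name__ == "__main__":
    reg, view = "/XXX/Register.action", "/XXX/View.action"
    print("no exclusion      :", inspect(reg, BODY, HOST))
    print("scoped, Register  :", inspect(reg, BODY, HOST, scoped_excl=SCOPED))
    print("scoped, other URL :", inspect(view, OTHER, HOST, scoped_excl=SCOPED))
    print("global, other URL :", inspect(view, OTHER, HOST, global_excl=["data_567"]))
```

With the scoped exclusion, data_567 is still inspected on every URL other than Register.action; with the global one it is exempt everywhere, and in both cases all other arguments remain covered by the rule.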