Hi Subin,
I have 2 questions:

1) For: SecRuleUpdateTargetById 950120 !ARGS:data_567             data_576
 data is static but not the number; is there any solution for that?
2) I don't understand /XXX/Register\.action

Thank you.


2014-07-02 14:57 GMT+00:00 Thayyilekandy, Subin : Barclaycard US <
sthayyile...@barclaycardus.com>:

>  If data_567 will always have the Url data you can do in your custom
> rules file (AFTER the CRS rules)
>
>
>
> SecRuleUpdateTargetById 950120 !ARGS:data_567
>
>
>
> Or conditionally check the URL particular to this request and allow the
> parameter in your custom rules file (BEFORE the CRS rules)
>
>
>
>
>
> SecRule REQUEST_FILENAME "@rx /XXX/Register\.action" \
>     "id:999008,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=950120;ARGS:data_567"
>
>
>
>
>
>
>
> Thanks
>
>
>
> *Subin *
>
> *Application Security consultant | GISTR*
>
>
>
> *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:
> owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] *On Behalf Of *Ilyass
> Kaouam
> *Sent:* Wednesday, July 02, 2014 6:08 AM
> *To:* owasp-modsecurity-core-rule-set@lists.owasp.org
> *Subject:* [Owasp-modsecurity-core-rule-set] FALSE POSITIVE
>
>
>
> Hello,
>
>
>
> Our website is a directory, that is to say we always have users who insert
> their data such as the URL of their website, telephone, fax ...
>
> During validation by our team I noticed that mod_security prohibits
> the request because it contains a URL: http://www.companyhacham.sitew.com/
>
>
>
> Do you have a solution (secure) to allow a URL?
>
> Thank you
>
>
>
> log:
>
>
>
>
> codeAction=1&entid=395342&bilid=345129&idMkt=518&denomination=&capital=100+000+&activite=COMPANY+HACHAM+offre+des+produits+et+services+de+grande+qualit%C3%A9+dans+les+domaines+de+%3A+Menuiserie+Aluminium%2C+PVC%2C+Inox%2C+Vitrine+en+Verre%2C+Cloisons+aluminium%2C+Cuisine+Moderne+Sur+Mesure%2C+Tablier+en+lames+Micro+perfor%C3%A9es%2C+Habillage+de+Fa%C3%A7ade.+(ALUCOBOND)%2C+Faux+Plafonds%2C+Mur+Rideau%2C+Moustiquaire%2C+les+Stores%2C+Travaux+divers.&effectif=0&effectifCadre=0&segmentEffectif=1&dateContribution=06%2F08%2F13+14%3A32&loginUser=sgh5%
> 40hotmail.fr&emailUser=sgh5%40hotmail.fr
> &id=518&denomination_validator=&rc_validator=&tribunal_validator=&fmj_validator=&capital_validator=&adresse_validator=&ville_validator=&activite_validator=&effectif_validator=&segmentEffectif_validator=&effectifCadre_validator=&telfaxmailweb_565=on&telfaxmailweb_565_validator=1&data_565=0618555477&type_565=1&idMktTelfaxmailweb_565=0&telfaxmailweb_566=on&telfaxmailweb_566_validator=1&data_566=companyhacham%
> 40gmail.com
> &type_566=3&idMktTelfaxmailweb_566=0&telfaxmailweb_567=on&telfaxmailweb_567_validator=1&data_567=http%3A%2F%2Fwww.companyhacham.sitew.com%2F&type_567=4&idMktTelfaxmailweb_567=0&statut=1&remarque=
>
> --c307bc39-F--
>
> HTTP/1.1 403 Forbidden
>
> Content-Length: 245
>
> Connection: close
>
> Content-Type: text/html; charset=iso-8859-1
>
>
>
> Message: Access denied with code 403 (phase 2). Match of "beginsWith
> %{request_headers.host}" against "TX:1" required. [file
> "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"]
> [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion
> (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data:
> http://www.companyhacham.sitew.com/ found within TX:1:
> www.companyhacham.sitew.com/"] [severity "CRITICAL"] [ver
> "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag
> "OWASP_CRS/WEB_ATTACK/RFI"]



-- 
*Ilyass kaouam*
*Systems administrator*
* at Inforisk Group Finaccess  *
*European Masters in Information Technology*
*Portable: (212) 6 34 57 14 36*
*http://www.inforisk.ma*
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
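
The following is an added example, not part of the thread or of the CRS: a simplified Python model of rule 950120, inferred from the audit-log message above, showing what a name-pattern exclusion for the numbered `data_` parameters would and would not exempt. ModSecurity 2.x accepts such a pattern as a target selector, e.g. `SecRuleUpdateTargetById 950120 "!ARGS:/^data_[0-9]+$/"`. The request body, the Host value and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Simplified model of CRS rule 950120, inferred from the audit-log message:
# capture what follows the scheme of a URL-valued argument (TX:1), then
# require that capture to begin with the request's Host header.
URL_ARG = re.compile(r"^(?:ht|f)tps?://(.*)$", re.I)

# Assumed naming scheme from the thread: "data_" is fixed, the number varies.
EXCLUDED_NAME = re.compile(r"^data_[0-9]+$")


def off_domain_args(body, host, excluded=None):
    """Return the argument names the modelled rule would flag."""
    flagged = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if excluded and excluded.search(name):
            continue  # target removed from the rule: value is never inspected
        m = URL_ARG.match(value)
        if m and not m.group(1).startswith(host):
            flagged.append(name)
    return flagged


# Constructed sample body, shortened from the logged request. "data_576" and
# the URL in "remarque" are added to show an on-domain link and a parameter
# that stays inspected after the exclusion.
BODY = (
    "codeAction=1&data_565=0618555477&type_565=1"
    "&data_567=http%3A%2F%2Fwww.companyhacham.sitew.com%2F&type_567=4"
    "&data_576=http%3A%2F%2Fdirectory.example%2Flisting"
    "&remarque=http%3A%2F%2Fother.example%2Fx"
)
HOST = "directory.example"  # constructed Host header value

if __name__ == "__main__":
    print("no exclusion:  ", off_domain_args(BODY, HOST))
    print("with exclusion:", off_domain_args(BODY, HOST, EXCLUDED_NAME))
```

The exclusion is keyed on the parameter name only, so every `data_<number>` field on every URL loses this check; the other arguments are still inspected.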
