1) for: SecRuleUpdateTargetById 950120 !ARGS:data_567
data_567 data_576 data is static but not the number, is there any solution for that

- Are you saying that any of your parameters data_000 – data_999 can have URL data and you want to allow that? This rule is meant for file inclusion attempts and will look for URL patterns, so if you want to allow URLs in any/all of your parameters for this particular request alone, you might just want to conditionally remove the rule itself for this request:

SecRule REQUEST_FILENAME "@rx /XXX/your request url" "id:999008,phase:2,t:none,nolog,pass,ctl:ruleRemoveById=950120"

2) I don't understand /XXX/Register\.action

- This was just an example for a URL; you should substitute it with your request URL.

2014-07-02 14:57 GMT+00:00 Thayyilekandy, Subin : Barclaycard US <sthayyile...@barclaycardus.com>:

If data_567 will always have the URL data, you can do this in your custom rules file (AFTER the CRS rules):

SecRuleUpdateTargetById 950120 !ARGS:data_567

Or conditionally check the URL particular to this request and allow the parameter in your custom rules file (BEFORE the CRS rules):

SecRule REQUEST_FILENAME "@rx /XXX/Register\.action" "id:999008,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=950120;ARGS:data_567"

Thanks
Subin
Application Security consultant | GISTR

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org On Behalf Of Ilyass Kaouam
Sent: Wednesday, July 02, 2014 6:08 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] FALSE POSITIVE

Hello,

Our website is a directory, that is to say we always have users who insert their data such as the URL of their website, telephone, fax ...
During validation by our team I noticed that mod_security prohibits the request because it contains a URL: http://www.companyhacham.sitew.com/

Do you have a solution (secure) to allow URLs?

Thank you

log:

codeAction=1&entid=395342&bilid=345129&idMkt=518&denomination=&capital=100+000+&activite=COMPANY+HACHAM+offre+des+produits+et+services+de+grande+qualit%C3%A9+dans+les+domaines+de+%3A+Menuiserie+Aluminium%2C+PVC%2C+Inox%2C+Vitrine+en+Verre%2C+Cloisons+aluminium%2C+Cuisine+Moderne+Sur+Mesure%2C+Tablier+en+lames+Micro+perfor%C3%A9es%2C+Habillage+de+Fa%C3%A7ade.+(ALUCOBOND)%2C+Faux+Plafonds%2C+Mur+Rideau%2C+Moustiquaire%2C+les+Stores%2C+Travaux+divers.&effectif=0&effectifCadre=0&segmentEffectif=1&dateContribution=06%2F08%2F13+14%3A32&loginUser=sgh5%40hotmail.fr&emailUser=sgh5%40hotmail.fr&id=518&denomination_validator=&rc_validator=&tribunal_validator=&fmj_validator=&capital_validator=&adresse_validator=&ville_validator=&activite_validator=&effectif_validator=&segmentEffectif_validator=&effectifCadre_validator=&telfaxmailweb_565=on&telfaxmailweb_565_validator=1&data_565=0618555477&type_565=1&idMktTelfaxmailweb_565=0&telfaxmailweb_566=on&telfaxmailweb_566_validator=1&data_566=companyhacham%40gmail.com&type_566=3&idMktTelfaxmailweb_566=0&telfaxmailweb_567=on&telfaxmailweb_567_validator=1&data_567=http%3A%2F%2Fwww.companyhacham.sitew.com%2F&type_567=4&idMktTelfaxmailweb_567=0&statut=1&remarque=
--c307bc39-F--
HTTP/1.1 403 Forbidden
Content-Length: 245
Connection: close
Content-Type: text/html; charset=iso-8859-1

Message: Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: http://www.companyhacham.sitew.com/ found within TX:1:www.companyhacham.sitew.com/"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"]

Barclaycard
www.barclaycardus.com

This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.

--
Ilyass kaouam
Systems administrator at Inforisk
Group Finaccess
European Masters in Information Technology
Mobile: (212) 6 34 57 14 36
http://www.inforisk.ma
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set