I have a case where the rule is matching an occurrence of the word "created" where it should only be looking for "create". I checked the regex in an online tester and it doesn't match there. I'm certainly not a regex expert, but I can't see why it's matching.
I've modified a number of targets to work around other false positives, but removing ARGS_NAMES or completely removing this rule seems like going too far. This looks like a bug to me. We're using the latest version from the repo as of 8/1/2016. Hopefully this is all of the relevant data:

RULE:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\d\W]\s+as\s*?[\"'`´’‘\w]+\s*?from)|(?:^[\W\d]+\s*?(?:union|select|create(?!d)|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create(?!d)|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:(?:group_)concat|char|load_file)\s?\(?)|(?:end\s*?\);)|([\"'`´’‘]\s+regexp\W)|(?:[\s(]load_file\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'981247',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id }-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

REQUEST:
GET /ipac20/ipac.jsp?session=1471026P1M44G.142111&profile=dial&uri=search=TL~!Happy%20Valley%20[DVD%20videorecording]%20/&term=Happy%20Valley%20[DVD%20videorecording]%20/%20a%20Red%20Productions%20Production%20for%20BBC%20;%20written%20&%20created%20by%20Sally%20Wainwright%20;%20producer,%20Karen%20Lewis%20;%20directed%20by%20Sally%20Wainwright,%20Euros%20Lyn,%20Tim%20Fywell.&aspect=subtab69&menu=search&source=~!greatriver HTTP/1.1

MESSAGE:
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "243"] [id "981247"] [msg "Detects concatenated basic SQL injection and SQLLFI attempts"] [data "Matched Data: create found within ARGS_NAMES: created by Sally Wainwright ; producer, Karen Lewis ; directed by Sally Wainwright, Euros Lyn, Tim Fywell.: created by Sally Wainwright ; producer, Karen Lewis ; directed by Sally Wainwright, Euros Lyn, Tim Fywell."] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Apache-Error: [file "mod_access_compat.c"] [line 352] [level 3] AH01797: client denied by server configuration: %s%s
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1471026250819223 222791 (- - -)
Stopwatch2: 1471026250819223 222791; combined=217815, p1=212777, p2=4925, p3=0, p4=0, p5=112, sr=0, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "ENABLED"
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
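Added example (not from the original post or from CRS): a small Python harness that rebuilds ARGS_NAMES and ARGS from the logged query string the way the WAF does and runs the posted expression over every variable, so the hit can be reproduced offline against the exact request. The variant without the `create(?!d)` lookahead is an assumption included only for comparison with whatever the conf file named in the audit log actually contains.

```python
import re
from urllib.parse import unquote

# Rule 981247's expression exactly as posted in the message (with create(?!d)).
POSTED_RX = (
    r"(?i:(?:[\d\W]\s+as\s*?[\"'`´’‘\w]+\s*?from)"
    r"|(?:^[\W\d]+\s*?(?:union|select|create(?!d)|rename|truncate|load|alter|delete|update|insert|desc))"
    r"|(?:(?:select|create(?!d)|rename|truncate|load|alter|delete|update|insert|desc)"
    r"\s+(?:(?:group_)concat|char|load_file)\s?\(?)"
    r"|(?:end\s*?\);)|([\"'`´’‘]\s+regexp\W)|(?:[\s(]load_file\s*?\())"
)
# Assumption, for comparison only: the same expression without the (?!d) lookahead.
NO_LOOKAHEAD_RX = POSTED_RX.replace("create(?!d)", "create")

# Query string taken from the logged request in the message (path dropped).
QUERY = (
    "session=1471026P1M44G.142111&profile=dial"
    "&uri=search=TL~!Happy%20Valley%20[DVD%20videorecording]%20/"
    "&term=Happy%20Valley%20[DVD%20videorecording]%20/%20a%20Red%20Productions%20Production%20for%20BBC%20;%20written%20"
    # The raw '&' inside the title starts a new parameter whose *name* is the rest of it.
    "&%20created%20by%20Sally%20Wainwright%20;%20producer,%20Karen%20Lewis%20;"
    "%20directed%20by%20Sally%20Wainwright,%20Euros%20Lyn,%20Tim%20Fywell."
    "&aspect=subtab69&menu=search&source=~!greatriver"
)

def parse_args(query):
    """Build ARGS_NAMES and ARGS as the WAF does: split on '&', then on the first
    '=', URL-decoding each piece (t:urlDecodeUni changes nothing further here)."""
    names, values = [], []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        names.append(unquote(name))
        values.append(unquote(value))
    return names, values

def find_hits(regex, query):
    """Return (collection, variable, matched_text) per matching variable, i.e. the
    MATCHED_VAR_NAME / MATCHED_VAR / TX.0 trio that logdata prints."""
    rx = re.compile(regex)
    names, values = parse_args(query)
    hits = []
    for collection, items in (("ARGS_NAMES", names), ("ARGS", values)):
        for item in items:
            m = rx.search(item)
            if m:
                hits.append((collection, item, m.group(0)))
    return hits

if __name__ == "__main__":
    print("posted:      ", find_hits(POSTED_RX, QUERY))
    print("no lookahead:", find_hits(NO_LOOKAHEAD_RX, QUERY))
```

Running it also makes visible why the hit lands in ARGS_NAMES rather than ARGS: the unencoded `&` inside the term value opens a new parameter whose name is the remainder of the title, beginning with a space, so the `^[\W\d]+\s*?...create` alternative sees it as a leading non-word character followed by the keyword.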