Hello Ken,

Classical False Positive.

You have your audit log parts configured to include only the I part. I think the uploaded filename in question is http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024

But could you please show us the C part - or dump the full traffic - so this becomes visible. And then, would you please open an issue on GitHub for this?

Cheers,

Christian

On Sun, Sep 04, 2016 at 08:26:37AM -0700, Ken Brucker wrote:
> Playing with OWASP CRS v3.0 and have a false positive on rule 920120.
>
> The application is Picasa (no longer available from Google). During file
> uploads it produces the failing pattern when communicating with the target
> website. I have no control over the application end of this and there's no
> hope for a fix from Google since they have dropped the product. It does still
> work, however, so I continue to use it.
>
> I'm disabling this rule for this user agent using:
>
> SecRule REQUEST_HEADERS:User-Agent "@beginsWith Picasa/3." \
>     "id:1010,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=920120"
>
> Here's the entry from the audit log:
>
> --93ede52c-A--
> [04/Sep/2016:07:57:20 --0700] V8w2UH8AAAEAADHQvy0AAABV 192.168.56.1 64619 192.168.56.101 80
> --93ede52c-B--
> POST /picasa_album_uploader/upload HTTP/1.1
> Host: wpdev.local
> Accept: */*
> Accept-Encoding: gzip
> Content-Length: 117779
> Content-Type: multipart/form-data; boundary=---------------------------98E77E01B348
> Cookie: wordpress_logged_in_bdc5a801bed99bd8e2693412031c90e0=thor%7C1473173832%7COzgZxmia5N6cIlq8cByzDuXNOUtUG8ksqAsyHg12XMA%7Cd70c349c19dfc0274e629711840a30937a640e3c6f07362d76dab9bac3b58e68; wordpress_test_cookie=WP+Cookie+check
> Connection: keep-alive
> User-Agent: Picasa/3.9.141.306 (gzip)
>
> --93ede52c-I--
> picasa%2dalbum%2duploader%2dupload%2dimages=48fd37703c&%5fwp%5fhttp%5freferer=%2fpicasa%5falbum%5fuploader%2fminibrowser&size=on&title%5b%5d=IMG%5f5306%2eJPG&caption%5b%5d=&description%5b%5d=
> --93ede52c-F--
> HTTP/1.1 403 Forbidden
> Content-Length: 237
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --93ede52c-E--
>
> --93ede52c-H--
> Message: Warning. Pattern match "['\";=]" at FILES_NAMES:http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "108"] [id "920120"] [rev "1"] [msg "Attempted multipart/form-data bypass"] [data "http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
> Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "53"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Attempted multipart/form-data bypass"] [tag "event-correlation"]
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
> Action: Intercepted (phase 2)
> Stopwatch: 1473001040658089 39084 (- - -)
> Stopwatch2: 1473001040658089 39084; combined=2811, p1=201, p2=2420, p3=0, p4=0, p5=189, sr=27, sw=1, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
> Server: Apache/2.4.23 (Ubuntu)
> Engine-Mode: "ENABLED"
>
> --93ede52c-J--
> 4,116587,"IMG_5306.JPG","<Unknown ContentType>"
> Total,116587
>
> --93ede52c-Z--
>
> --
> Ken
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
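Editor's added example, not code from the thread, from ModSecurity or from the CRS project: a replay of the 920120 check against a constructed multipart/form-data body. It reproduces what the quoted H part reports (the pattern ['";=] applied after t:urlDecodeUni) and what the H and J parts together show about the Picasa request: the hit is on FILES_NAMES, i.e. the multipart field *name*, which Picasa set to the localhost URL, while the J part lists the upload's filename as IMG_5306.JPG. In CRS 3.0 the rule targets both FILES_NAMES and FILES, so the example checks both. The multipart parser here is a deliberately small stand-in for ModSecurity's own, the third sample part is a constructed bypass shape to show why the rule exists, and the `?size=1024` suffix is the only thing that trips it on Picasa's field name.

```python
"""Replay the CRS 920120 multipart check against a constructed body.

Added example for the discussion above; not ModSecurity or CRS code. The
regex and the transformation are the ones reported in the audit log; the
multipart parsing is a minimal stand-in for ModSecurity's own parser.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# The pattern the H part reports: quote, double quote, semicolon or equals
# sign inside a multipart field name or filename.
RULE_920120 = re.compile(r"['\";=]")

# Content-Disposition: form-data; name="..."; filename="..."
# The filename group is greedy on purpose: a smuggled quote or semicolon
# stays part of the extracted value instead of silently terminating it.
_DISPOSITION = re.compile(
    r'^Content-Disposition:\s*form-data;\s*name="(.*?)";\s*filename="(.*)"\s*$',
    re.IGNORECASE | re.MULTILINE,
)


def file_parts(body: bytes, boundary: str) -> List[Tuple[str, str]]:
    """Return (field name, filename) for every file part in the body.

    These are the two values CRS exposes as FILES_NAMES (the form field name)
    and FILES (the client-supplied filename), the variables 920120 inspects.
    """
    delimiter = b"--" + boundary.encode("ascii")
    found = []
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):  # closing delimiter: --boundary--
            break
        headers, _, _payload = part.partition(b"\r\n\r\n")
        m = _DISPOSITION.search(headers.decode("latin-1"))
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def check_920120(value: str) -> Optional[str]:
    """Apply the rule to one value: t:urlDecodeUni, then the regex.

    Returns the first offending character, or None when the value is clean.
    unquote() stands in for urlDecodeUni (assumption: the %uXXXX form the
    real transformation also handles is not needed for these inputs).
    """
    m = RULE_920120.search(unquote(value))
    return m.group(0) if m else None


def evaluate(body: bytes, boundary: str) -> Dict[str, Optional[str]]:
    """Run the check over every file part, keyed the way the audit log labels hits."""
    results: Dict[str, Optional[str]] = {}
    for name, filename in file_parts(body, boundary):
        results[f"FILES_NAMES:{name}"] = check_920120(name)
        results[f"FILES:{filename}"] = check_920120(filename)
    return results


# Boundary and the Picasa field name are taken from Ken's audit log; the body
# itself is constructed for this example (the C part was not logged).
BOUNDARY = "---------------------------98E77E01B348"
PICASA_FIELD = (
    "http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451"
    "/image/7c2c6d05f122032b.jpg?size=1024"
)


def _part(name: str, filename: str, payload: bytes) -> bytes:
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode("latin-1") + payload + b"\r\n"


SAMPLE_BODY = (
    _part("file[]", "IMG_5306.JPG", b"\xff\xd8\xff")          # ordinary browser upload
    + _part(PICASA_FIELD, "IMG_5306.JPG", b"\xff\xd8\xff")    # Picasa: URL as field name
    + _part("file[]", 'shell.php"; name="x', b"<?php ?>")     # constructed bypass shape
    + f"--{BOUNDARY}--\r\n".encode("ascii")
)


if __name__ == "__main__":
    for variable, hit in evaluate(SAMPLE_BODY, BOUNDARY).items():
        print(f"{'BLOCK' if hit else 'pass '}  {variable!r}  matched={hit!r}")
```

Running it shows the Picasa part failing only on FILES_NAMES because of the `=` in `?size=1024`, its real filename IMG_5306.JPG passing, and the constructed `shell.php"; name="x` part failing on FILES because of the double quote, which is the case the rule is there for. Ken's `ctl:ruleRemoveById=920120` switches off both checks for Picasa; since his hit is on the field name only, `ctl:ruleRemoveTargetById=920120;FILES_NAMES` in the same SecRule would keep the filename check in place for that user agent (an editor's suggestion, not something the thread proposes).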