Hi Christian,

Here's a redacted version that includes the C bit minus the content of the jpg 
file itself. I've added this to a github issue.

-- Ken

--0c41777f-A--
[05/Sep/2016:06:56:20 --0700] V815hH8AAAEAAFYB3d0AAABQ 192.168.56.1 62686 192.168.56.101 80
--0c41777f-B--
POST /picasa_album_uploader/upload HTTP/1.1
Host: wpdev.local
Accept: */*
Accept-Encoding: gzip
Content-Length: 134956
Content-Type: multipart/form-data; boundary=---------------------------482C81C09614
Cookie: wordpress_logged_in_bdc5a801bed99bd8e2693412031c90e0=thor%7C1473256578%7CqBvxoWnF7B59roUjZK1ypaRxJ6uqqhXJoKkgE1bUfGQ%7C0d1f9bd3868cf2a2df1330248d35e3689623535f486e66910a9700ae4c2c16dd; wordpress_test_cookie=WP+Cookie+check
Connection: keep-alive
User-Agent: Picasa/3.9.141.306 (gzip)

--0c41777f-C--
-----------------------------482C81C09614
Content-Disposition: form-data; name="picasa-album-uploader-upload-images"
Content-Type: text/plain; charset=utf-8

0349e21fed
-----------------------------482C81C09614
Content-Disposition: form-data; name="_wp_http_referer"
Content-Type: text/plain; charset=utf-8

/picasa_album_uploader/minibrowser
-----------------------------482C81C09614
Content-Disposition: form-data; name="size"
Content-Type: text/plain; charset=utf-8

on
-----------------------------482C81C09614
Content-Disposition: form-data; name="http://localhost:62667/2d1afc4dac01219e86592ecb3f4a9d8e/image/2fa2bc77befd46db.jpg?size=1024"; filename="IMG_6822.JPG"
Content-Type: image/jpeg
 
[ Redacted ]

-----------------------------482C81C09614
Content-Disposition: form-data; name="title[]"
Content-Type: text/plain; charset=utf-8

IMG_6822.JPG
-----------------------------482C81C09614
Content-Disposition: form-data; name="caption[]"
Content-Type: text/plain; charset=utf-8


-----------------------------482C81C09614
Content-Disposition: form-data; name="description[]"
Content-Type: text/plain; charset=utf-8

Deer in Austin
-----------------------------482C81C09614--

--0c41777f-F--
HTTP/1.1 403 Forbidden
Content-Length: 237
Connection: close
Content-Type: text/html; charset=iso-8859-1

--0c41777f-H--
Message: Warning. Pattern match "['\";=]" at FILES_NAMES:http://localhost:62667/2d1afc4dac01219e86592ecb3f4a9d8e/image/2fa2bc77befd46db.jpg?size=1024. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "108"] [id "920120"] [rev "1"] [msg "Attempted multipart/form-data bypass"] [data "http://localhost:62667/2d1afc4dac01219e86592ecb3f4a9d8e/image/2fa2bc77befd46db.jpg?size=1024"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "53"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Attempted multipart/form-data bypass"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] 
ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] 
ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] 
ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1473083780329702 6475 (- - -)
Stopwatch2: 1473083780329702 6475; combined=2451, p1=208, p2=2078, p3=0, p4=0, p5=164, sr=26, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.23 (Ubuntu)
Engine-Mode: "ENABLED"

--0c41777f-J--
4,133750,"IMG_6822.JPG","<Unknown ContentType>"
Total,133750

--0c41777f-Z--


> On Sep 5, 2016, at 4:09 AM, Christian Folini <christian.fol...@netnea.com> 
> wrote:
> 
> Hello Ken,
> 
> Classical False Positive.
> 
> You have your audit log parts configured to include only the I part.
> I think the uploaded filename in question is
> http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024
> 
> But could you please show us the C part - or dump the full traffic,
> where this becomes visible.
> 
> And then, would you please open an issue on github for this?
> 
> Cheers,
> 
> Christian
> 
> On Sun, Sep 04, 2016 at 08:26:37AM -0700, Ken Brucker wrote:
>> Playing with OWASP CRS v3.0 and have a false positive on rule 920120.
>> 
>> The application is Picasa (no longer available from Google). During file 
>> uploads it produces the failing pattern when communicating with the target 
>> website. I have no control over the application end of this and there's no 
>> hope for a fix from Google since they have dropped the product. It does 
>> still work however so I continue to use it.
>> 
>> I'm disabling this rule for this user agent using:
>> 
>> SecRule REQUEST_HEADERS:User-Agent "@beginsWith Picasa/3." 
>> "id:1010,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=920120"
>> 
>> 
>> Here's the entry from the audit log:
>> 
>> --93ede52c-A--
>> [04/Sep/2016:07:57:20 --0700] V8w2UH8AAAEAADHQvy0AAABV 192.168.56.1 64619 192.168.56.101 80
>> --93ede52c-B--
>> POST /picasa_album_uploader/upload HTTP/1.1
>> Host: wpdev.local
>> Accept: */*
>> Accept-Encoding: gzip
>> Content-Length: 117779
>> Content-Type: multipart/form-data; boundary=---------------------------98E77E01B348
>> Cookie: wordpress_logged_in_bdc5a801bed99bd8e2693412031c90e0=thor%7C1473173832%7COzgZxmia5N6cIlq8cByzDuXNOUtUG8ksqAsyHg12XMA%7Cd70c349c19dfc0274e629711840a30937a640e3c6f07362d76dab9bac3b58e68; wordpress_test_cookie=WP+Cookie+check
>> Connection: keep-alive
>> User-Agent: Picasa/3.9.141.306 (gzip)
>> 
>> --93ede52c-I--
>> picasa%2dalbum%2duploader%2dupload%2dimages=48fd37703c&%5fwp%5fhttp%5freferer=%2fpicasa%5falbum%5fuploader%2fminibrowser&size=on&title%5b%5d=IMG%5f5306%2eJPG&caption%5b%5d=&description%5b%5d=
>> --93ede52c-F--
>> HTTP/1.1 403 Forbidden
>> Content-Length: 237
>> Connection: close
>> Content-Type: text/html; charset=iso-8859-1
>> 
>> --93ede52c-E--
>> 
>> --93ede52c-H--
>> Message: Warning. Pattern match "['\";=]" at FILES_NAMES:http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "108"] [id "920120"] [rev "1"] [msg "Attempted multipart/form-data bypass"] [data "http://localhost:63391/d8edaf7f8a66068039906ecb9d04c451/image/7c2c6d05f122032b.jpg?size=1024"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"]
>> Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "53"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
>> Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/vagrant/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Attempted multipart/form-data bypass"] [tag "event-correlation"]
>> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
>> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
>> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
>> Action: Intercepted (phase 2)
>> Stopwatch: 1473001040658089 39084 (- - -)
>> Stopwatch2: 1473001040658089 39084; combined=2811, p1=201, p2=2420, p3=0, p4=0, p5=189, sr=27, sw=1, l=0, gc=0
>> Response-Body-Transformed: Dechunked
>> Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
>> Server: Apache/2.4.23 (Ubuntu)
>> Engine-Mode: "ENABLED"
>> 
>> --93ede52c-J--
>> 4,116587,"IMG_5306.JPG","<Unknown ContentType>"
>> Total,116587
>> 
>> --93ede52c-Z--
>> 
>> -- Ken
> 
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> 
> 
> -- 
> https://www.feistyduck.com/training/modsecurity-training-course
> mailto:christian.fol...@netnea.com
> twitter: @ChrFolini
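An added example, not part of the thread or of the CRS project: a small Python script that parses the C part above (embedded here trimmed to two parts, with the JPEG bytes replaced by a placeholder) and applies the `['";=]` pattern that rule 920120 reports in the audit log to the two targets the rule inspects. It shows that the hit comes from FILES_NAMES, the form-field name Picasa sets to a URL containing `?size=1024`, while FILES (the filename IMG_6822.JPG) is clean; the parser is a minimal stand-in written for this demonstration, not ModSecurity's own.

```python
import re

# Pattern that the audit log above reports for CRS 3.0.0 rule 920120.
RULE_920120 = re.compile(r"""['";=]""")

BOUNDARY = "---------------------------482C81C09614"
# Constructed from the C part above, trimmed to two parts; JPEG bytes are a placeholder.
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="picasa-album-uploader-upload-images"',
    "Content-Type: text/plain; charset=utf-8",
    "",
    "0349e21fed",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="http://localhost:62667/'
    '2d1afc4dac01219e86592ecb3f4a9d8e/image/2fa2bc77befd46db.jpg?size=1024"; '
    'filename="IMG_6822.JPG"',
    "Content-Type: image/jpeg",
    "",
    "<jpeg bytes omitted>",
    "--" + BOUNDARY + "--",
    "",
])

DISPOSITION = re.compile(r"^Content-Disposition:\s*form-data;([^\r\n]*)", re.I | re.M)
PARAM = re.compile(r'([A-Za-z_]+)="([^"]*)"')

def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser (demo only, not ModSecurity's):
    one {"name", "filename"} dict per part; filename is None for plain fields."""
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):           # closing delimiter, nothing follows
            break
        headers, _, _payload = chunk.strip("\r\n").partition("\r\n\r\n")
        m = DISPOSITION.search(headers)
        params = dict(PARAM.findall(m.group(1))) if m else {}
        parts.append({"name": params.get("name", ""), "filename": params.get("filename")})
    return parts

def evaluate_920120(parts):
    """Apply the rule the way ModSecurity does: FILES_NAMES is the form-field name of
    each upload part, FILES the client-supplied filename. Returns (variable, value) hits."""
    hits = []
    for p in parts:
        if p["filename"] is None:            # plain field: not in FILES_NAMES or FILES
            continue
        for var, value in (("FILES_NAMES", p["name"]), ("FILES", p["filename"])):
            if RULE_920120.search(value):
                hits.append((var, value))
    return hits
```

Since only FILES_NAMES trips, a narrower exclusion than the user-agent rule quoted in the thread is possible, for example `ctl:ruleRemoveTargetById=920120;FILES_NAMES` on a rule scoped to the upload URI (my suggestion, not from the thread), which keeps the FILES check active for that upload.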
