Hello Ed, This looks a lot like Issue 794. https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/794
We think it is an issue in ModSecurity (and not with libinjection as the rule ID suggests). Could you create a full debug log of the false positive and attach it with 794 like I did for the known bad payloads there? As for your problem at hand, I suspect you need to disable the rule at least temporarily. You know how to do that, don't you. Ahoj, Christian On Thu, Jun 08, 2017 at 12:02:10PM -0400, Ed Greenberg wrote: > Full log is in https://pastebin.com/SW4rQ0ZS > > The failure is 942100. It fired on this: [data "Matched Data: 1)o1 found > within ARGS:Phone: (800)-252-8014"] > > Of course, that Matched Data doesn't match what is the Phone field. > > I've seen a few of these before, but most of them have people's private > phone numbers, that I could not post, but this number is from an > institution, and I don't have any problem posting it. I xxxx'ed out the > person's name in the pasted report, but that's it. > > Any help with this appreciated. It fires pretty frequently on some of our > forms. > > _______________________________________________ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set -- https://www.feistyduck.com/training/modsecurity-training-course mailto:christian.fol...@netnea.com twitter: @ChrFolini _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
