LinuxQuestions.org > Linux - Server > apache / mod_security: fixing false positive 950013 (https://www.linuxquestions.org/questions/linux-server-73/apache-mod_security-fixing-false-positive-950013-a-638945/)

fryzer 04-30-2008 01:43 PM

apache / mod_security: fixing false positive 950013
 
Hello, this is my first post and I know that I can't ask for anything urgently, hehe, but any help is really, really appreciated.

I got a client with the following error:

Code:

[Wed Apr 30 12:30:30 2008] [error] [client 189.177.38.64] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:(?:\\\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\\\\$_(?:(?:pos|ge)t|session))\\\\b|<\\\\?(?!xml))" at ARGS:edit[introduction]. [id "950013"] [msg "PHP Injection Attack. Matched signature <<?>"] [severity "CRITICAL"] [hostname "www.mydomain.com"] [uri "/node/131/edit"] [unique_id "gVR4Qn8AAAEAABqgancAAABd"]

I've already created a modsecurity_crs_60_custom_rules.conf with

Code:

<LocationMatch "/node/131/edit">
 SecRuleRemoveById 950013
</LocationMatch>


I've restarted the application server and nothing: I keep getting the same error... Please, any help is appreciated here.

I forgot to mention that the "Introduction" field has this info at the moment of editing:

Code:

      <img class="article-left" src="<?php print url_resource("someimage.jpg"); ?>" />

Thanks!
Fryzer

unSpawn 04-30-2008 07:29 PM

Welcome to LQ, hope you like it here. I haven't flexed my Mod_security rule-foo for a long time, nor have I kept up with the docs. I think this should be a good start: http://www.modsecurity.org/blog/arch...ng_false.html, with respect to troubleshooting FPs and using a "modsecurity_crs_60_custom_rules.conf" properly. For altering the new version of the rule I think you should look at variable exclusion using ARGS (as in "!ARGS:somecontentfieldname"): http://www.modsecurity.org/documenta...es.html#N10BBB. HTH
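
As an added worked example (not part of unSpawn's reply, nor code from the ModSecurity or Core Rule Set projects), this is what a scoped exclusion in modsecurity_crs_60_custom_rules.conf could look like, combining the LocationMatch approach from the first post with the !ARGS target exclusion linked above. The path pattern, the site-local rule id and the assumption that the CRS generic-attacks file is included before this file are mine; the regex is the one quoted in the error log, with the log's doubled backslashes collapsed.

```apache
# Added example, not from the thread or from ModSecurity/CRS.
# Lives in modsecurity_crs_60_custom_rules.conf and assumes that file is
# included AFTER the CRS file that defines 950013 (modsecurity_crs_40_generic_attacks.conf
# in CRS 1.x): SecRuleRemoveById can only remove a rule that already exists
# at that point in the configuration, so ordering is the first thing to check.

<LocationMatch "^/node/[0-9]+/edit$">
    # 1. Drop the stock rule for the node edit form only. Everywhere else on
    #    the site 950013 keeps running unchanged.
    SecRuleRemoveById 950013

    # 2. Put back a copy that inspects every argument EXCEPT the one body
    #    field that legitimately carries "<?php" on this site, so the same
    #    fragment in edit[title], a cookie-less query string or any other
    #    parameter is still caught instead of the whole check vanishing.
    #    The id is from a site-local range (assumption) so it cannot collide
    #    with the stock rule; keep the transformations and status identical
    #    to the installed stock rule (the list below is an assumption).
    SecRule ARGS|!ARGS:edit[introduction] \
        "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
        "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,deny,status:501,log,auditlog,id:'1950013',msg:'PHP Injection Attack (site copy of 950013 with edit[introduction] excluded)',severity:'2'"
</LocationMatch>
```

After reloading, the easiest check is to submit the same image snippet in the Introduction field (should pass) and the same snippet in another field of the same form (should still be blocked, now logged under the site-local id).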

fryzer 05-01-2008 09:24 AM

Thanks for the reply and the links. I've tried altering the vhost rule instead of the global original rule sets, and I've tried the variable exclusion solution too; I didn't post them since I thought that a good start to try to solve the problem would be the first approach, and I am stuck there. I know the problem (the 950013 rule is being triggered by the line of PHP code in the "Introduction" field at the moment of editing and posting), I know that it is always a bad practice to do that in a database-driven application environment, and I don't actually know if it is recommended to fix the problem, since the user can get used to that and continue making pages with that behavior.

But for the time being I am trying to find a solution just in case, and later I'll see if I implement it or suggest that the client change that bad coding habit.

Anyway... any other tip is greatly appreciated!
Fryzer

JerryM 05-04-2008 11:09 AM

ModSecurity -> dotDefender
 
Hi Fryzer,

We've got the same problem with modsecurity as you described.
I would suggest you download dotDefender from www.applicure.com.
We installed dotDefender on 8 of our servers and it's working smoothly.
They have great support for the product as well.

Good Luck,
Jerry.

unSpawn 05-04-2008 08:02 PM

Quote:

Originally Posted by JerryM (Post 3142268)
I would suggest you download dotDefender from www.applicure.com.

The product you suggested is commercial and proprietary, not OSS. While that may not be prohibitive, it can only be tested for 30 days and then costs USD 4K for the first two licenses. While I can't assess his situation (and this shouldn't be construed as me speaking for him), I can't see why his problem with just one rule would warrant moving over to the commercial product you suggested, unless (with all due respect) you have an interest in the product. Else maybe you could provide an objective, qualitative (non-marketoid) comparison showing this product is indisputably superior to any other in the field? Just interested, OK?

fryzer 05-06-2008 10:30 AM

Quote:

Originally Posted by JerryM (Post 3142268)
Hi Fryzer,

We've got the same problem with modsecurity as you described.
I would suggest you download dotDefender from www.applicure.com.
We installed dotDefender on 8 of our servers and it's working smoothly.
They have great support for the product as well.

Good Luck,
Jerry.

Thanks for the suggestion. I'm going to look into it, but to be honest we probably won't be going that way, since this is something we are trying to fix for one of our customers, and based on the fact that passing code through a database field in a dynamic form is already a bad habit, we wouldn't like to encourage the user to keep doing it.

Let's see, but for the time being, as I said, thanks for the suggestion; I'd be a little bit more interested in an Open Source solution or simply a way to work this thing around!

Thanks!
Fryzer
