apache / mod_security: fixing false positive 950013
Hello this is my first post and I know that I can't ask for anything urgently hehe, but any help is really really appreciated.
I got a client with the following error:
Code:
[Wed Apr 30 12:30:30 2008] [error] [client 189.177.38.64] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:(?:\\\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\\\\$_(?:(?:pos|ge)t|session))\\\\b|<\\\\?(?!xml))" at ARGS:edit[introduction]. [id "950013"] [msg "PHP Injection Attack. Matched signature <<?>"] [severity "CRITICAL"] [hostname "www.mydomain.com"] [uri "/node/131/edit"] [unique_id "gVR4Qn8AAAEAABqgancAAABd"]
Code:
<LocationMatch "/node/131/edit">
I've restarted the application server and nothing, I keep getting the same error... Please, any help is appreciated here.
I forgot to mention that the "Introduction" field has this info at the moment of editing:
Code:
<img class="article-left" src="<?php print url_resource("someimage.jpg"); ?>" />
Fryzer
Welcome to LQ. Hope you like it here. I haven't flexed my Mod_security rule-foo for a long time nor have I kept up with the docs. I think this should be a good start: http://www.modsecurity.org/blog/arch...ng_false.html with respect to troubleshooting FPs and using a "modsecurity_crs_60_custom_rules.conf" properly. For altering the new version of the rule I think you should look at variable exclusion using ARGS (as in "!ARGS:somecontentfieldname"): http://www.modsecurity.org/documenta...es.html#N10BBB. HTH
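Added example, not part of the thread or of ModSecurity's own tooling: a small Python triage helper that pulls the rule id, matched variable and URI out of an error-log denial like the one in the first post and builds a narrowly scoped exclusion for a custom rules file loaded after the Core Rule Set. The function names and the shortened sample log are constructed for illustration, and `SecRuleUpdateTargetById` assumes ModSecurity 2.6 or later.

```python
import re

# Constructed sample modelled on the error_log entry in the first post; the
# long rule pattern is shortened to the branch that matched ("<?" not
# followed by "xml").
SAMPLE_LOG = [
    '[Wed Apr 30 12:30:30 2008] [error] [client 189.177.38.64] ModSecurity: '
    'Access denied with code 501 (phase 2). Pattern match "<\\\\?(?!xml)" at '
    'ARGS:edit[introduction]. [id "950013"] [msg "PHP Injection Attack. '
    'Matched signature <<?>"] [severity "CRITICAL"] '
    '[hostname "www.mydomain.com"] [uri "/node/131/edit"] '
    '[unique_id "gVR4Qn8AAAEAABqgancAAABd"]',
    '[Wed Apr 30 12:31:02 2008] [notice] caught SIGTERM, shutting down',
]

META_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # [id "950013"], [uri "..."]
TARGET_RE = re.compile(r'" at (\S+)\. \[')     # variable the pattern matched

def parse_denial(line):
    """Return rule id, matched variable, URI and msg, or None if not a hit."""
    if "ModSecurity:" not in line:
        return None
    meta = dict(META_RE.findall(line))
    target = TARGET_RE.search(line)
    if target is None or "id" not in meta:
        return None
    return {"id": meta["id"], "target": target.group(1),
            "uri": meta.get("uri", ""), "msg": meta.get("msg", "")}

def exclusion_for(hit, scope="uri"):
    """Build a directive for a custom file loaded after the Core Rule Set."""
    if scope == "field":
        # Assumes ModSecurity 2.6+: keep the rule, skip only this parameter.
        return 'SecRuleUpdateTargetById %s "!%s"' % (hit["id"], hit["target"])
    # Drop the rule for this one URI; other pages keep the protection.
    return ('<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>'
            % (re.escape(hit["uri"]), hit["id"]))

if __name__ == "__main__":
    for hit in filter(None, map(parse_denial, SAMPLE_LOG)):
        print("# %(id)s on %(target)s at %(uri)s: %(msg)s" % hit)
        print(exclusion_for(hit, "uri"))
        print(exclusion_for(hit, "field"))
```

The URI-scoped form disables the whole rule on that one page, while the field-scoped form leaves the rule active everywhere but stops it inspecting that parameter on every URI, so pick whichever exposes less.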
Thanks for the reply and the links. I've tried altering the vhost rule instead of the global original rule sets and I've tried the variable exclusion solution too. I didn't post them since I thought that a good start to try to solve the problem would be the first approach, and I am stuck there. I know the problem (the 950013 rule is being triggered by the line of PHP code in the "Introduction" field at the moment of editing and posting), I know that it is always a bad practice to do that in a database-driven application environment, and I don't actually know if it is even recommended to fix the problem, since the user can get used to that and continue making pages with that behavior.
But for the time being I am trying to find a solution just in case, and later I'll see if I implement it or suggest the client change that bad coding habit. Anyway... any other tip is greatly appreciated!
Fryzer
ModSecurity -> dotDefender
Hi Fryzer,
We've got the same problem with modsecurity as you described. I would suggest you download dotDefender from www.applicure.com. We installed dotDefender on 8 of our servers and it's working smoothly. They have great support for the product as well. Good luck,
Jerry.
Let's see, but for the time being, as I said, thanks for the suggestion, but I'd be a little bit more interested in an Open Source solution or simply a way to work this thing around! Thanks!
Fryzer