[Owasp-modsecurity-core-rule-set] FALSE POSITIVE

Ilyass Kaouam ilyassikai at gmail.com
Wed Jul 2 10:07:51 UTC 2014


Hello,

Our website is a directory; that is to say, we always have users who insert
their data, such as the URL of their website, telephone, fax ...
During validation by our team, I noticed that mod_security prohibits
the request because it contains a URL: http://www.companyhacham.sitew.com/

Do you have a (secure) solution to allow URLs?

Thank you

log:

codeAction=1&entid=395342&bilid=345129&idMkt=518&denomination=&capital=100+000+&activite=COMPANY+HACHAM+offre+des+produits+et+services+de+grande+qualit%C3%A9+dans+les+domaines+de+%3A+Menuiserie+Aluminium%2C+PVC%2C+Inox%2C+Vitrine+en+Verre%2C+Cloisons+aluminium%2C+Cuisine+Moderne+Sur+Mesure%2C+Tablier+en+lames+Micro+perfor%C3%A9es%2C+Habillage+de+Fa%C3%A7ade.+(ALUCOBOND)%2C+Faux+Plafonds%2C+Mur+Rideau%2C+Moustiquaire%2C+les+Stores%2C+Travaux+divers.&effectif=0&effectifCadre=0&segmentEffectif=1&dateContribution=06%2F08%2F13+14%3A32&loginUser=sgh5%40hotmail.fr&emailUser=sgh5%40hotmail.fr&id=518&denomination_validator=&rc_validator=&tribunal_validator=&fmj_validator=&capital_validator=&adresse_validator=&ville_validator=&activite_validator=&effectif_validator=&segmentEffectif_validator=&effectifCadre_validator=&telfaxmailweb_565=on&telfaxmailweb_565_validator=1&data_565=0618555477&type_565=1&idMktTelfaxmailweb_565=0&telfaxmailweb_566=on&telfaxmailweb_566_validator=1&data_566=companyhacham%40gmail.com&type_566=3&idMktTelfaxmailweb_566=0&telfaxmailweb_567=on&telfaxmailweb_567_validator=1&data_567=http%3A%2F%2Fwww.companyhacham.sitew.com%2F&type_567=4&idMktTelfaxmailweb_567=0&statut=1&remarque=

--c307bc39-F--

HTTP/1.1 403 Forbidden
Content-Length: 245
Connection: close
Content-Type: text/html; charset=iso-8859-1


Message: Access denied with code 403 (phase 2). Match of "beginsWith
%{request_headers.host}" against "TX:1" required. [file
"/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"]
[line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion
(RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data:
http://www.companyhacham.sitew.com/ found within TX:1:
www.companyhacham.sitew.com/"] [severity "CRITICAL"] [ver
"OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag
"OWASP_CRS/WEB_ATTACK/RFI"]
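
A triage sketch for the audit-log entry above, added here as an example and not part of the original post or of the CRS project: it parses the Message line and finds which form argument carried the off-domain URL, so that any exclusion can be scoped to rule 950120 and that single argument. The Host value, the trimmed body and the URL regex (an approximation of the rule's chained check, inferred from the log text) are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed inputs: a trimmed form body and Message line modelled on the
# audit log above; HOST is a placeholder (the post does not show the Host).
HOST = "directory.example"
BODY = ("codeAction=1&data_565=0618555477&type_565=1"
        "&data_566=contact%40example.com&type_566=3"
        "&data_567=http%3A%2F%2Fwww.companyhacham.sitew.com%2F&type_567=4")
MESSAGE = ('Message: Access denied with code 403 (phase 2). [line "163"] '
           '[id "950120"] [msg "Possible Remote File Inclusion (RFI) Attack: '
           'Off-Domain Reference/Link"] [data "Matched Data: '
           'http://www.companyhacham.sitew.com/ found within TX:1: '
           'www.companyhacham.sitew.com/"] [severity "CRITICAL"]')

# Assumed approximation of the chained check, inferred from the log text:
# the value is a URL and the part after the scheme (TX:1) is not our host.
URL_RE = re.compile(r"^(?:ht|f)tps?://(.*)$")


def parse_message(line):
    """Return the [key "value"] fields of a ModSecurity Message line."""
    return dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))


def off_domain_args(body, host):
    """(name, value) pairs whose decoded value is a URL pointing off-domain."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        m = URL_RE.match(value)
        if m and not m.group(1).startswith(host):
            hits.append((name, value))
    return hits


def triage(message, body, host):
    """Pair the rule id with the argument names that explain the match."""
    fields = parse_message(message)
    matched = fields.get("data", "")
    names = [n for n, v in off_domain_args(body, host) if v in matched]
    return fields.get("id"), names


if __name__ == "__main__":
    print(triage(MESSAGE, BODY, HOST))  # ('950120', ['data_567'])
```

The rule id and argument name it returns are the two inputs a per-argument exclusion (for example ModSecurity's `SecRuleUpdateTargetById` directive) needs; the application then has to validate that field as a URL itself.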