[Owasp-modsecurity-core-rule-set] More Squirrelmail Denials

Arthur Dent misc.lists at blueyonder.co.uk
Wed Jan 6 04:57:03 EST 2010


Hello all,

Following a previous thread in which I described some denials related to
my squirrelmail webmail implementation (which were partially solved by
an upgrade to CRS 2.0.4), I still have some outstanding issues...

Firstly, accessing squirrelmail is fine, but trying to read an
individual email causes the following:

--501b5102-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "62"] [id "phpids-18"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "293"] [id "phpids-1"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 8): Detects JavaScript array properties and methods"]
Apache-Handler: php5-script
Stopwatch: 1261498951073512 929285 (5949 35341 892372)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
Server: Apache/2.2.13 (Fedora)

Secondly, attempting to add a new identity to my user within SM is
outright blocked and gives the following:

--f71bbe54-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1262715119800440 148552 (17244* 143302 -)
Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
Server: Apache/2.2.13 (Fedora)

I notice that they are similar, but not identical.

What steps should I take to get this application working properly?

Thanks in advance for any help / guidance...

Mark
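The two audit-log H sections quoted above are exactly the input a triage script needs. The following is an added example, not part of Mark's post and not code from the CRS project: a Python parser for ModSecurity 2.x audit-log H sections that pulls out, per transaction, each rule hit (id, message, matched variable, matched payload), the transactional anomaly score from the correlation rule, and whether the request was intercepted or only logged, then tallies the (rule id, matched variable) pairs that any path-scoped exclusion would have to cover. The sample input is the post's own two excerpts; the function names are my own.

```python
import re
from collections import Counter

# Input: the two audit-log H sections quoted in the post, copied as-is.
AUDIT_LOG = r'''--501b5102-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "62"] [id "phpids-18"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "293"] [id "phpids-1"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 8): Detects JavaScript array properties and methods"]
Apache-Handler: php5-script
Stopwatch: 1261498951073512 929285 (5949 35341 892372)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
Server: Apache/2.2.13 (Fedora)

--f71bbe54-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1262715119800440 148552 (17244* 143302 -)
Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
Server: Apache/2.2.13 (Fedora)
'''

TX_HEADER = re.compile(r'^--([0-9a-f]+)-H--$')
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')   # [file "..."] [line "..."] [id "..."] [msg "..."] [data "..."]
DATA = re.compile(r'Matched Location: (.*?) and Matched Payload: (.*)')
SCORE = re.compile(r'\(score (\d+)\)')


def parse_audit_h(text):
    """Parse ModSecurity 2.x audit-log H sections into a list of transactions.

    Each transaction records the rules that fired (with the variable and payload
    that matched), the final transactional anomaly score reported by the
    correlation rule, and whether the request was intercepted or only logged.
    """
    txs, cur = [], None
    for line in text.splitlines():
        m = TX_HEADER.match(line)
        if m:
            cur = {"id": m.group(1), "hits": [], "score": None, "intercepted": False}
            txs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Message:"):
            tags = dict(TAG.findall(line))
            if "id" in tags:                       # a rule hit
                hit = {"rule": tags["id"], "msg": tags.get("msg", ""),
                       "file": tags.get("file", ""), "line": int(tags.get("line", "0")),
                       "location": "", "payload": ""}
                d = DATA.search(tags.get("data", ""))
                if d:
                    hit["location"], hit["payload"] = d.groups()
                cur["hits"].append(hit)
            else:                                  # the anomaly-score correlation line
                s = SCORE.search(tags.get("msg", ""))
                if s:
                    cur["score"] = int(s.group(1))
        elif line.startswith("Action:") and "Intercepted" in line:
            cur["intercepted"] = True
    return txs


def exclusion_candidates(txs):
    """Tally (rule id, matched variable) pairs across transactions.

    These pairs are what a path-scoped exclusion has to cover; counting them over
    many transactions separates a recurring false positive from a one-off.
    """
    counts = Counter()
    for tx in txs:
        for hit in tx["hits"]:
            counts[(hit["rule"], hit["location"])] += 1
    return counts


if __name__ == "__main__":
    transactions = parse_audit_h(AUDIT_LOG)
    for tx in transactions:
        state = "BLOCKED" if tx["intercepted"] else "logged only"
        print(f"{tx['id']}: anomaly score {tx['score']} ({state})")
        for hit in tx["hits"]:
            print(f"  {hit['rule']:<10} {hit['location']}  <- {hit['payload']}")
    for (rule, var), n in exclusion_candidates(transactions).most_common():
        print(f"{n}x  {rule} on {var}")
```

Run over the two excerpts, the script shows why the symptoms differ: the first transaction scores 8 (two hits on REQUEST_URI_RAW, the `mailbox=fd/flr` URI) and is only logged, while the second scores 36 (hits on the argument name `smaction[save][1]`) and is intercepted in phase 2. Once the (rule, variable) pairs are known, the usual CRS 2.x approach is to scope the exclusion to the webmail path, for example with `SecRuleRemoveById` inside an Apache `<Location>` block covering /mywm/, rather than disabling the phpids filters site-wide; note that variable-level exclusions (`SecRuleUpdateTargetById`) only arrived in ModSecurity 2.6, so on 2.5.10 a per-location rule removal is the available tool.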