[Owasp-modsecurity-core-rule-set] More Squirrelmail Denials

Arthur Dent misc.lists at blueyonder.co.uk
Mon Jan 11 17:22:21 EST 2010


On Wed, 2010-01-06 at 09:57 +0000, Arthur Dent wrote:
> Hello all,
> 
> Following a previous thread in which I described some denials related to
> my squirrelmail web mail implementation (which were partially solved by
> an upgrade to CRS 2.0.4) I still have some outstanding issues...
> 
> Firstly, accessing squirrelmail is fine, but trying to read an
> individual email causes the following:
> 
> --501b5102-H--
> Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "62"] [id "phpids-18"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
> Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "293"] [id "phpids-1"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 8): Detects JavaScript array properties and methods"]
> Apache-Handler: php5-script
> Stopwatch: 1261498951073512 929285 (5949 35341 892372)
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
> Server: Apache/2.2.13 (Fedora)
> 
> Secondly, attempting to add a new identity to my user within SM is
> outright blocked and gives the following:
> 
> --f71bbe54-H--
> Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
> Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
> Action: Intercepted (phase 2)
> Apache-Handler: php5-script
> Stopwatch: 1262715119800440 148552 (17244* 143302 -)
> Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
> Server: Apache/2.2.13 (Fedora)
> 
> I notice that they are similar, but not identical.
> 
> What steps should I take to get this application working properly?
> 
> Thanks in advance for any help / guidance...
> 
> Mark

I am still no nearer solving this. Any ideas? (gentle bump!)

Mark
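A triage helper for exactly the kind of audit-log excerpt quoted above, added here as an example and not part of the thread or of the CRS project: it parses the `Message:` lines of the `H` sections, recovers rule id, matched variable and script path, separates the anomaly-score line from the phpids hits, and counts the (rule, variable, path) triples so an exclusion can be scoped as narrowly as the evidence supports. The sample is constructed from the two sections in the post; the function and variable names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the two audit-log "H" sections quoted in the post, trimmed to the lines that matter.
SAMPLE = r"""
--501b5102-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "62"] [id "phpids-18"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "293"] [id "phpids-1"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 8): Detects JavaScript array properties and methods"]
--f71bbe54-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
Action: Intercepted (phase 2)
"""

SECTION_RE = re.compile(r"--([0-9a-f]+)-H--")
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # the [key "value"] pairs after the message text
DATA_RE = re.compile(r"Matched Location: (\S+) and Matched Payload: (.*)")
SCORE_RE = re.compile(r"Anomaly Score \(score (\d+)\)")

def parse_audit_h(text):
    """One dict per transaction: rule hits, final anomaly score, and whether it was intercepted."""
    txs = []
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            txs.append({"id": sec.group(1), "hits": [], "score": None, "blocked": False})
            continue
        if not txs: continue  # ignore anything before the first section marker
        tx = txs[-1]
        if line.startswith("Action: Intercepted"):
            tx["blocked"] = True  # score 8 was only logged; score 36 crossed the blocking threshold
        elif line.startswith("Message:"):
            tags = dict(TAG_RE.findall(line))
            score = SCORE_RE.search(tags.get("msg", ""))
            data = DATA_RE.search(tags.get("data", ""))
            if score:
                tx["score"] = int(score.group(1))
            elif data:
                location, payload = data.groups()
                # Drop the query string so URI hits group by script, not by its parameter values.
                path = urlsplit(payload).path if location.startswith("REQUEST_URI") else None
                tx["hits"].append({"rule": tags.get("id"), "msg": tags.get("msg"), "location": location, "path": path})
    return txs

def exclusion_candidates(txs):
    """Count (rule id, variable, script path) triples: the narrowest scope an exclusion needs to cover these hits."""
    return Counter((h["rule"], h["location"], h["path"]) for t in txs for h in t["hits"])
```

Run over a larger audit log, a triple that recurs only for legitimate SquirrelMail paths such as `/mywm/src/right_main.php` is a tuning candidate, while one that also appears on unrelated paths is not.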
