[Owasp-modsecurity-core-rule-set] More Squirrelmail Denials

Arthur Dent misc.lists at blueyonder.co.uk
Wed Jan 13 07:10:55 EST 2010


On Mon, 2010-01-11 at 22:22 +0000, Arthur Dent wrote:
> On Wed, 2010-01-06 at 09:57 +0000, Arthur Dent wrote:
> > Hello all,
> > 
> > Following a previous thread in which I described some denials related to
> > my squirrelmail web mail implementation (which were partially solved by
> > an upgrade to CRS 2.0.4) I still have some outstanding issues...
> > 
> > Firstly, accessing squirrelmail is fine, but trying to read an
> > individual email causes the following:
> > 
> > --501b5102-H--
> > Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "62"] [id "phpids-18"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
> > Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "293"] [id "phpids-1"] [msg "Detects JavaScript array properties and methods"] [data "Matched Location: REQUEST_URI_RAW and Matched Payload: /mywm/src/right_main.php?pg_showall=0&sort=0&startmessage=1&mailbox=fd/flr"] [severity "CRITICAL"]
> > Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 8): Detects JavaScript array properties and methods"]
> > Apache-Handler: php5-script
> > Stopwatch: 1261498951073512 929285 (5949 35341 892372)
> > Response-Body-Transformed: Dechunked
> > Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
> > Server: Apache/2.2.13 (Fedora)
> > 
> > Secondly, attempting to add a new identity to my user within SM is
> > outright blocked and gives the following:
> > 
> > --f71bbe54-H--
> > Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
> > Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
> > Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
> > Action: Intercepted (phase 2)
> > Apache-Handler: php5-script
> > Stopwatch: 1262715119800440 148552 (17244* 143302 -)
> > Producer: ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/); core ruleset/2.0.4.
> > Server: Apache/2.2.13 (Fedora)
> > 
> > I notice that they are similar, but not identical.
> > 
> > What steps should I take to get this application working properly?
> > 
> > Thanks in advance for any help / guidance...
> > 
> > Mark
> 
> I am still no nearer solving this. Any ideas? (gentle bump!)
> 
> Mark

Am I asking this question in the wrong way, or have I not provided
sufficient information?

Hoping for some guidance...

Mark
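An added example, not part of the original thread: a small Python triage script for audit-log section H entries like the ones quoted above, listing which rule ids fired on which request variable so that each false positive can be reviewed for a targeted exclusion. The function names are hypothetical, and the sample text is the second entry from the post with the quoting removed.

```python
import re
from collections import defaultdict

# Section H of the second audit-log entry quoted in the post (message lines and action only).
SAMPLE_H = r'''--f71bbe54-H--
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "300"] [id "phpids-30"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Pattern match "^TX:phpids-(\d{1,2})-WEB_ATTACK/INJECTION-(\d)-(.*?)-(.*)$" at MATCHED_VAR_NAME. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "412"] [id "phpids-3"] [msg "Detects common XSS concatenation patterns 1/2"] [data "Matched Location: ARGS_NAMES:smaction[save][1] and Matched Payload: smaction[save][1]"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "46"] [msg "Transactional Anomaly Score (score 36): Detects common XSS concatenation patterns 1/2"]
Action: Intercepted (phase 2)
'''

# [name "value"] metadata pairs appended to each Message line.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DATA = re.compile(r'Matched Location: (\S+) and Matched Payload: (.*)')
SCORE = re.compile(r'Anomaly Score \(score (\d+)\)')

def parse_section_h(text):
    """Return (hits, anomaly_score, intercepted) for one section H block."""
    hits, score, intercepted = [], None, False
    for line in text.splitlines():
        if line.startswith("Action: Intercepted"):
            intercepted = True
        if not line.startswith("Message: "):
            continue
        fields = dict(FIELD.findall(line))
        m = SCORE.search(fields.get("msg", ""))
        if m:  # correlation rule: carries the total score, no rule id
            score = int(m.group(1))
        d = DATA.match(fields.get("data", ""))
        if "id" in fields and d:
            hits.append({"id": fields["id"], "line": int(fields["line"]),
                         "location": d.group(1), "payload": d.group(2)})
    return hits, score, intercepted

def tuning_candidates(hits):
    """Map each matched variable to the sorted rule ids that fired on it."""
    by_location = defaultdict(set)
    for h in hits:
        by_location[h["location"]].add(h["id"])
    return {loc: sorted(ids) for loc, ids in by_location.items()}

if __name__ == "__main__":
    hits, score, intercepted = parse_section_h(SAMPLE_H)
    print("score:", score, "intercepted:", intercepted)
    for loc, ids in tuning_candidates(hits).items():
        print(loc, "->", ", ".join(ids))
```
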




