[Owasp-modsecurity-core-rule-set] modsecurity - trouble with SecRequestBodyAccess

kazik kazik at agape.org.pl
Fri Jul 3 08:25:01 UTC 2015


helo,

Server - Ubuntu 14 LTS | Apache/2.4.7 | modsecurity 2.7.7-2

I was enabled modsecurity in DetectionPnly mode - default configuration from Ubuntu.

On our server we have a few site, CMS (Joomla, wordpress) and own CMS.
All of them work with WYSWIG editors.

When I set SecRequestBodyAccess On and try update or create article,
there is a lot of errors, especially SQL-injecttion and XSS.

But I only update article, its no a crime :)

Look like modsecurity treats all html tags like SQL or XSS attack,
is there any special module for that or parser?

HELP ME, PLEASE :)

tom kazm

example of logs from apache2 errors



[Fri Jul 03 10:14:05.628018 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0) found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz si\\xc4\\x99 za granic\\xc4\\x99?..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname „XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628575 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'].*?\\\\)[ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\()" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "508"] [id "973334"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb( found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigr..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.628689 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Rule 7f036a3bc248 [id "973334"][file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "508"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "milujciesie.org.pl"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629212 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within ARGS:art_lid: <p> </p> <table class=\\x22contentpaneopen\\x22> <tbody> <tr> <td valign=\\x22top\\x22> <h5 style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span st..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.629414 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?[.].+?=)" at ARGS:art_text. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "510"] [id "973333"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option= found within ARGS:art_text: <p><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><img align=\\x22left\\x22 alt=\\x22\\x22 src=\\x22https://milujciesie.org.pl/upload/articles/r_u_c_k_i/PL/logo_IDE.png\\x22 /></a>Na stronie <a href=\\x22http://www.emigracja.chrystusowcy.pl/\\x22 target=\\x22_blank\\x22>Instytutu Duszpasterstwa Emig..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
[Fri Jul 03 10:14:05.631654 2015] [:error] [pid 28133:tid 139652430276352] [client 192.168.20.129] ModSecurity: Warning. Pattern match "(?i:[ /+\\\\t\\"\\\\'`]style[ /+\\\\t]*?=.*([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))" at ARGS:art_lid. [file "/etc/modsecurity/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "520"] [id "973316"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data:  style=\\x22text-align: center\\x22><span style=\\x22color: rgb(128,0,0)\\x22><a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22><span style=\\x22color: rgb(128,0,0)\\x22>Wybierasz si\\xc4\\x99 za granic\\xc4\\x99?</span></a></span><br /> <a href=\\x22http://www.emigracja.chrystusowcy.pl/index.php?option=com_sobi2&Itemid=74\\x22 target=\\x22_blank\\x22>Szukasz Mszy \\xc5\\x9awi\\xc4\\x99tej w j\\xc4\\x99zyku polskim? <span style=\\x22color: rgb( found..."] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag [hostname "XXXXXXXXXXXXX"] [uri "/admin/index.php"] [unique_id "VZZETQoKASsAAG3lzAAAAADL"]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20150703/84d3caf8/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20150703/84d3caf8/attachment.pgp>


More information about the Owasp-modsecurity-core-rule-set mailing list