The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

mod_security and SQL injection (false positive?)

Discussion in 'Security' started by upsforum, Jan 11, 2013.

  1. upsforum

    upsforum Well-Known Member

    Joined:
    Jul 27, 2005
    Messages:
    446
    Likes Received:
    0
    Trophy Points:
    16
    I have a problem with mod_security on a virtualhost, this is logs and config row

    log error 406

    ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "98"] [id "959901"] [msg "SQL Injection Attack"] [data "7=7"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www. domain .it"] [uri "/"] [unique_id "UO-kTE@Pu@YAAF2GJd8AAAAL"]

    and this is row of config file of mod_security

    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \



    I think that this is false positive or I have a problem on the script

    thank you
    Alessio
     
  2. upsforum

    upsforum Well-Known Member

    Joined:
    Jul 27, 2005
    Messages:
    446
    Likes Received:
    0
    Trophy Points:
    16
    I think that problem is cookies, if I clear all cookie the problem solved, these are cookie

    __atuvc=42%7C2
    dc_jqaccordion_widget-7=7%2C10
    PHPSESSID=aa5c4c6a769247f16e4dab3daa426fa8
     
Loading...

Share This Page