mod_security and SQL injection (false positive?)

upsforum

Well-Known Member
Jul 27, 2005
473
0
166
I have a problem with mod_security on a virtualhost. These are the log and the config row:

Log (error 406):

ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "98"] [id "959901"] [msg "SQL Injection Attack"] [data "7=7"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www. domain .it"] [uri "/"] [unique_id "[email protected]@YAAF2GJd8AAAAL"]

and this is the row of the mod_security config file:

SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

I think that this is a false positive or I have a problem in the script.

Thank you,
Alessio

upsforum

I think the problem is the cookies; if I clear all cookies the problem is solved. These are the cookies:

__atuvc=42%7C2
dc_jqaccordion_widget-7=7%2C10
PHPSESSID=aa5c4c6a769247f16e4dab3daa426fa8
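An added illustration (not part of the thread) of why the second cookie trips rule 959901: a Python approximation of the rule's transformation chain and the tautology regex quoted in the audit log, run over a Cookie header rebuilt from the three cookies above. The transform helpers are simplified stand-ins for ModSecurity's t: actions, not ModSecurity's own code, and the attack-style inputs at the end are constructed.

```python
import html
import re
from urllib.parse import unquote

# The regex quoted in the audit-log entry above, with the log's backslash
# escaping undone. It flags SQL tautologies such as 1=1 or 'a'='a'.
SQLI_TAUTOLOGY = re.compile(r"\b(\d+) ?= ?\1\b|['\"](\w+)['\"] ?= ?['\"]\2\b")

def transform(value: str) -> str:
    """Simplified stand-in for the rule's transformation chain
    (t:urlDecodeUni, t:htmlEntityDecode, t:replaceComments,
    t:compressWhiteSpace, t:lowercase); not ModSecurity's own code."""
    value = unquote(value)                                # %7C -> |, %2C -> ,
    value = html.unescape(value)                          # &#61; -> =
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # /* ... */ -> space
    value = re.sub(r"\s+", " ", value)                    # squeeze whitespace
    return value.lower()

def find_tautology(header_value: str):
    """Run the rule over the whole Cookie header, as ModSecurity does for
    REQUEST_HEADERS:Cookie. Returns the matched text (what the rule logs
    as TX.0 / [data "..."]) or None when the header is clean."""
    m = SQLI_TAUTOLOGY.search(transform(header_value))
    return m.group(0) if m else None

def offending_cookies(header_value: str) -> list:
    """Names of the individual cookies that trip the rule on their own,
    to pinpoint which cookie to fix or exclude from the rule."""
    names = []
    for part in header_value.split(";"):
        part = part.strip()
        if part and SQLI_TAUTOLOGY.search(transform(part)):
            names.append(part.partition("=")[0])
    return names

if __name__ == "__main__":
    # Cookie header rebuilt from the three cookies listed in the post above.
    cookie = ("__atuvc=42%7C2; dc_jqaccordion_widget-7=7%2C10; "
              "PHPSESSID=aa5c4c6a769247f16e4dab3daa426fa8")
    print(find_tautology(cookie))      # 7=7  (same as [data "7=7"] in the log)
    print(offending_cookies(cookie))   # ['dc_jqaccordion_widget-7']
    # Constructed inputs of the kind the rule is actually meant to catch.
    print(find_tautology("id=1 OR 1=1"))     # 1=1
    print(find_tautology("user='a'='a'"))    # 'a'='a
```

Because the match comes from the widget's own "name-7=7,10" cookie value and not from user-supplied SQL, the usual remedy in ModSecurity 2.x releases that support SecRuleUpdateTargetById is to exclude REQUEST_HEADERS:Cookie from this one rule rather than disable the SQL injection rule outright.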