mod_security and SQL injection (false positive?)

Discussion in 'Security' started by upsforum, Jan 11, 2013.

  1. upsforum

    I have a problem with mod_security on a virtual host; these are the log and the config row

    log error 406

    ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "98"] [id "959901"] [msg "SQL Injection Attack"] [data "7=7"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www. domain .it"] [uri "/"] [unique_id "UO-kTE@Pu@YAAF2GJd8AAAAL"]

    and this is the row of the mod_security config file

    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \



    I think that this is a false positive or I have a problem in the script

    thank you
    Alessio
     
  2. upsforum

    I think that the problem is the cookies: if I clear all cookies the problem is solved. These are the cookies:

    __atuvc=42%7C2
    dc_jqaccordion_widget-7=7%2C10
    PHPSESSID=aa5c4c6a769247f16e4dab3daa426fa8
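
Added example, not part of the original posts: a Python check that runs the pattern from the log line (with the log's backslash escaping removed) over the cookies quoted in the second post, to show which cookie produces the logged `7=7`. The rule's `t:` chain is approximated with the standard library, and the function names are hypothetical.

```python
import html
import re
from urllib.parse import unquote

# Pattern from the log line above, with the log's backslash escaping removed.
PATTERN = re.compile(r"""\b(\d+) ?= ?\1\b|['"](\w+)['"] ?= ?['"]\2\b""")

# Cookies quoted in the second post, joined the way a browser sends them.
COOKIE_HEADER = (
    "__atuvc=42%7C2; "
    "dc_jqaccordion_widget-7=7%2C10; "
    "PHPSESSID=aa5c4c6a769247f16e4dab3daa426fa8"
)


def transform(value):
    """Approximate the rule's t: chain (assumption: stdlib equivalents)."""
    value = unquote(value)                       # t:urlDecodeUni (no %uXXXX handling)
    value = html.unescape(value)                 # t:htmlEntityDecode
    value = re.sub(r"/\*.*?(\*/|$)", " ", value, flags=re.S)  # t:replaceComments
    value = re.sub(r"\s+", " ", value)           # t:compressWhiteSpace
    return value.lower()                         # t:lowercase


def rule_match(header_value):
    """Return the matched text (what logdata %{TX.0} records), or None."""
    m = PATTERN.search(transform(header_value))
    return m.group(0) if m else None


def offending_cookies(cookie_header):
    """Return (cookie name, matched text) for each cookie that trips the pattern alone."""
    hits = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        matched = rule_match(pair)
        if matched:
            hits.append((pair.split("=", 1)[0], matched))
    return hits


if __name__ == "__main__":
    print("whole header match:", rule_match(COOKIE_HEADER))
    for name, matched in offending_cookies(COOKIE_HEADER):
        print(f"cookie {name!r} matches on {matched!r}")
```

The match straddles the name/value boundary: the cookie name ends in `-7` and its value begins with `7`, so the header contains the literal text `7=7` that the tautology pattern looks for.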
     