News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

mod security conflict with cookies

Started by pixelpadre, October 10, 2020, 06:58:32 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

pixelpadre

October 10, 2020, 06:58:32 AM Last Edit: October 30, 2020, 12:52:44 AM by Diego Andrés
ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:SMFCookie517. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \\x22 found within REQUEST_COOKIES:SMFCookie517: a:4:{i:0;s:1:\\x221\\x22;i:1;s:40:\\x22ce80441d87c4ef4bfe573e0076a5f6fcaf993841\\x22;i:2;i:1791133315;i:3;i:0;}"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "cwpforum.com"] [uri "/favicon.ico"] [unique_id "X4GMIU7FLWXo0kd2hsavxwAAAMU"], referer:

modsec has to be turned off for my forum to work.

Aleksi "Lex" Kilpinen

#1
October 10, 2020, 07:02:15 AM
Not really a bug IMO, nor something SMF specific even.
https://wiki.simplemachines.org/smf/Mod_security_-_Having_problems_with_mod_security
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

#3
October 10, 2020, 03:20:20 PM
Your mod_security rules are non-standard and unnecessarily paranoid.

Quotes in the cookie are not inherently a security risk.

pixelpadre

#4
October 10, 2020, 06:52:49 PM
Quote from: Arantor on October 10, 2020, 03:20:20 PM
Your mod_security rules are non-standard and unnecessarily paranoid.

Quotes in the cookie are not inherently a security risk.

I agree.  But are the quotes essential in the smf cookies.   I know I can delete the mod sec rule to solve the problem.  But going down that road :D :D is like engaging in whack-a-mole.

Arantor

#5
October 10, 2020, 06:58:25 PM
They currently are in 2.0.

Rewriting that is... not trivial. I believe even though it's been rejigged in 2.1, quotes will still come up.

But again I point out, this is not a standard mod_security rule, this is one that has been added for unnecessary paranoia and should be removed *in any event* because it gives you absolutely no benefits, but a multitude of false positives.

pixelpadre

#6
October 10, 2020, 07:21:41 PM
981172 is now removed from mod sec rules
Print
Go Up Pages1
User actions
Advertisement: