
mod security issues


lostaussie


I run two boards on two different hosts. One has mod security enabled and works fine; the other is on a self-managed VPS, and if I have mod security enabled there, all I get is "Too many redirects" errors.

Does anyone know what mod security rules to change to allow use of this on the VPS?


OK

I worked out what rule was causing the problem and disabled it. I have no idea if it's a bad thing to do or not, but disabling it fixed the issue. This is the rule below:

 

OWASP 981243 Detects classic SQL injection probings 2/2
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`]\d)|(?:\^[\"'`])|(?:^[\w\s\"'`-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])|(?:[\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`])|(?:[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`].*?\*\s*?\d)|(?:[\"'`]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]))" "phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'8', capture, t:none,t:urlDecodeUni, block, msg:'Detects classic SQL injection probings 2/2', id:'981243', tag:'application-multi', tag:'language-mutli', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', severity:'CRITICAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"


2 hours ago, lostaussie said:

OK

I have no idea if it's a bad thing to do or not, but disabling it fixed the issue.

 

OWASP 981243 Detects classic SQL injection probings 2/2
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`]\d)|(?:\^[\"'`])|(?:^[\w\s\"'`-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])|(?:[\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`])|(?:[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`].*?\*\s*?\d)|(?:[\"'`]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]))" "phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'8', capture, t:none,t:urlDecodeUni, block, msg:'Detects classic SQL injection probings 2/2', id:'981243', tag:'application-multi', tag:'language-mutli', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', severity:'CRITICAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Yes, that's what I do. I disabled the ones causing me issues. 


6 minutes ago, lostaussie said:

I probably should have said I hope it is not a bad thing to disable, as I have about 20 WordPress sites on the same server. :unsure:

For WordPress I use Wordfence, a firewall. It includes SQL injection protection and more. I use the free version.


Archived

This topic is now archived and is closed to further replies.
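
An added example, not code from any poster in this thread: rather than switching rule 981243 off for every site on the server, the error log can show which request variable keeps tripping it, so that only that variable is excluded with the ModSecurity directive `SecRuleUpdateTargetById`. The sketch assumes ModSecurity 2.x style Apache error-log lines carrying `[id "..."]` and the rule's own `Matched Data: ... found within ...` logdata; the log lines, client addresses and the cookie name `board_session` are constructed.

```python
import re
from collections import Counter

RULE_ID = "981243"  # the rule id quoted in the thread

# Constructed, simplified log lines in the ModSecurity 2.x Apache error-log layout.
# Client IPs, URIs and the cookie name "board_session" are made up for this example.
SAMPLE_LOG = """\
[client 203.0.113.7] ModSecurity: Warning. Pattern match at REQUEST_COOKIES:board_session. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: '}; found within REQUEST_COOKIES:board_session: {'theme':'dark'};1"] [uri "/index.php"]
[client 203.0.113.9] ModSecurity: Warning. Pattern match at REQUEST_COOKIES:board_session. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: '}; found within REQUEST_COOKIES:board_session: {'theme':'light'};2"] [uri "/forum/"]
[client 198.51.100.4] ModSecurity: Warning. Pattern match at ARGS:q. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: ' or 1 found within ARGS:q: x' or 1=1"] [uri "/search.php"]
[client 198.51.100.4] ModSecurity: Warning. Pattern match at ARGS:id. [id "950901"] [msg "other rule"] [data "Matched Data: x found within ARGS:id: y"] [uri "/"]
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
# MATCHED_VAR_NAME as written by the rule's logdata: COLLECTION or COLLECTION:name
VAR_RE = re.compile(r'found within ([A-Z_]+(?::[\w.\-]+)?):')

def hits_by_variable(log_text, rule_id=RULE_ID):
    """Count, per request variable, how often rule_id fired in the log."""
    hits = Counter()
    for line in log_text.splitlines():
        m_id = ID_RE.search(line)
        m_var = VAR_RE.search(line)
        if m_id and m_var and m_id.group(1) == rule_id:
            hits[m_var.group(1)] += 1
    return hits

def cookie_exclusions(hits, rule_id=RULE_ID, min_hits=2):
    """Build one SecRuleUpdateTargetById line per cookie that trips the rule
    at least min_hits times. ARGS hits are skipped on purpose: user-supplied
    parameters need manual review, not an automatic exclusion."""
    return [f'SecRuleUpdateTargetById {rule_id} "!{var}"'
            for var, n in sorted(hits.items())
            if var.startswith("REQUEST_COOKIES:") and n >= min_hits]

if __name__ == "__main__":
    for directive in cookie_exclusions(hits_by_variable(SAMPLE_LOG)):
        print(directive)
```

The printed directive goes in the ModSecurity configuration after the CRS rules are loaded, so the rule keeps inspecting every other cookie and argument.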
