From: Ryan Barnett <Ryan.Barnett <at> Breach.com>
Subject: Re: Trouble with phpMyAdmin and mod_sec (getting caught in phase:1)
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2007-06-03 23:49:09 GMT
Rule ID 950107 has been generating a fair amount of False Positive hits
due to the way that various apps are using encoded % signs (%25).  In
your example phpMyAdmin request string, it is passing SQL queries on the
URL line and is using %25 characters.  We will need to re-examine this
rule to see if there are any ways to improve the RegEx.

With that being said, the issue you are running into has to do with Rule
ID 950107 running in phase 1 and you are attempting to utilize Apache
scope directives (Vhost, Directory, etc...) to disable Mod.  This will
not work as all Apache scope directives are not available until phase 2.
So, if you want to disable Mod for a specific URL, you need to use the
same rule you had below -

SecRule REQUEST_FILENAME "^/phpmyadmin" \
	"allow,phase:1,nolog,ctl:ruleEngine=Off"

However, you need to call this rule up BEFORE the other Core Rules files
(which contain Rule ID 950107).  Please see my Blog post on creating custom
rules and handling false positives -
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
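To show why a legitimately encoded %25 trips rule 950107, here is an added Python example (not from this thread, nor from ModSecurity or the Core Rules) that runs the pattern quoted in the audit log over the decoded arguments of the logged phpMyAdmin request. It assumes that ARGS values are URL-decoded before the pattern is applied, which is what "at ARGS:sql_query" in the log indicates; the query string below is trimmed to the relevant arguments.

```python
import re
from urllib.parse import parse_qs

# The pattern quoted in the audit log for rule 950107 ("URL Encoding
# Abuse Attack Attempt"): a '%' that is NOT followed by two hex digits
# (or by 'u' plus four hex digits for %uXXXX encoding).
URL_ENCODING_ABUSE = re.compile(r"%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# Query string taken from the logged phpMyAdmin request; the session and
# display arguments are dropped, the encoded values are kept verbatim.
QUERY_STRING = (
    "db=mydb&table=data&pos=0&session_max_rows=30"
    "&primary_key=+%60data%60.%60DataID%60+%3D+702"
    "&sql_query=SELECT+%2A+FROM+%60data%60+WHERE+LastName+LIKE+%27%25doe%25%27"
    "&goto=sql.php"
)


def decode_args(query_string):
    """Mimic the ARGS collection (assumption of this example): names and
    values are URL-decoded, so %25 is a literal '%' by the time a rule
    inspects ARGS:sql_query."""
    return {name: values[0] for name, values in parse_qs(query_string).items()}


def find_encoding_abuse(args):
    """Apply the 950107 pattern to every decoded argument.

    Returns (argument name, up to 3 chars starting at the '%') for each
    match, i.e. each '%' that no longer looks like a valid escape."""
    hits = []
    for name, value in args.items():
        for match in URL_ENCODING_ABUSE.finditer(value):
            hits.append((name, value[match.start():match.start() + 3]))
    return hits


def raw_request_matches(query_string):
    """Same pattern on the still-encoded query string: every '%' there is
    followed by two hex digits, so a check on the raw URI stays quiet."""
    return URL_ENCODING_ABUSE.search(query_string) is not None


if __name__ == "__main__":
    args = decode_args(QUERY_STRING)
    print("decoded sql_query:", args["sql_query"])
    print("raw query string matches:", raw_request_matches(QUERY_STRING))
    for name, snippet in find_encoding_abuse(args):
        print(f"950107 would fire on ARGS:{name} at {snippet!r}")
```

The decoded LIKE pattern '%doe%' contains two '%' signs that are followed by "do" and by a quote, neither of which is a hex pair, so the rule fires on a request that was encoded correctly.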

 
> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of hanj
> Sent: Sunday, June 03, 2007 2:47 PM
> To: Mod Security
> Subject: [mod-security-users] Trouble with phpMyAdmin and mod_sec
> (getting caught in phase:1)
> 
> Hello
> 
> I'm having trouble excluding phpMyAdmin from mod_sec.
> 
> I've added the SecRuleInheritance Off and SecRuleEngine Off in the
> Directory area of my VirtualHost. This seems to apply to phase:2, but
> not phase:1. I'm getting a 400 status when I try to edit a record.
> 
> I also tried the SecRule REQUEST_FILENAME and allowing phase:1, but I
> continue to get the 400 status.
> 
> Here is my modsec_audit.log and below that is a view of my apache
> config for that directory. Any suggestions are greatly appreciated.
> 
> 
> --816a6d09-A--
> [03/Jun/2007:12:37:24 --0600] vVBTC0LbO5UAAD46MaoAAAAA xxx.xxx.xxx.xxx 1359 xxx.xxx.xxx.xxx 443
> --816a6d09-B--
> GET /phpmyadmin/tbl_change.php?db=mydb&table=data&token=323cf89f3969db1b855a159b9b250bc3&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=+%60data%60.%60DataID%60+%3D+702&sql_query=SELECT+%2A+FROM+%60data%60+WHERE+LastName+LIKE+%27%25doe%25%27&goto=sql.php HTTP/1.1
> Host: my.host.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://my.host.com/phpmyadmin/import.php
> Cookie: pmaCookieVer=4; pma_collation_connection=utf8_unicode_ci; pma_charset=iso-8859-1; pma_lang=en-utf-8; phpMyAdmin=59f2e047d2c961ff55c85c430aa37934; pma_theme=original; __utma=219305993.412737841.1170700683.1180815267.1180895728.39; __utmz=219305993.1176754457.20.6.utmccn=(organic)|utmcsr=google|utmctr=kylegraybeal.com|utmcmd=organic; __utmc=219305993; highlightedTreeviewLinkt2=2; clickedFoldert2=1%5E; PHPSESSID=c81a24712fd95b0067fcdb270cfe710b; SQMSESSID=7307a2897ae03f8c480d0282836c3bd9; __utmb=219305993
> Authorization: Basic xxxxxxxxxxx
> 
> --816a6d09-F--
> HTTP/1.1 400 Bad Request
> Content-Length: 226
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
> --816a6d09-H--
> Message: Access denied with code 400 (phase 1). Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:sql_query. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]
> Action: Intercepted (phase 1)
> Stopwatch: 1180895844258571 1489 (- - -)
> Producer: ModSecurity v2.1.1 (Apache 2.x)
> Server: Apache
> 
> --816a6d09-Z--
> 
> 
> 
> <VirtualHost>
> 	... blah blah blah
> 	<Directory /path/to/my.host.com/htdocs/phpmyadmin>
> 		... blah blah
> 		<IfModule mod_security2.c>
> 			SecRuleInheritance Off
> 			SecRuleEngine Off
> 			SecRule REQUEST_FILENAME "^/phpmyadmin" \
> 				"allow,phase:1,nolog,ctl:ruleEngine=Off"
> 		</IfModule>
> 	</Directory>
> </VirtualHost>
> 
