The Lurker Lounge Forums
Any here a PhP genius, who is also versed in ModSecurity? - Printable Version

+--- Thread: Any here a PhP genius, who is also versed in ModSecurity? (/thread-14009.html)



Any here a PhP genius, who is also versed in ModSecurity? - shoju - 06-25-2012

Here's the backstory. I know a little .php. As in, I can fumble my way through the code, I can tell what's going on, and if need be, I can edit it. I can create relatively simple new code from my own brain.

I run an online store for a company, and we are getting an error through the "modsecurity" opensource firewall that our host runs.

The error is:

ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:pDescription. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.4"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data " />\\x0d\\x0a-"] [hostname "mywebsitename"] [uri "/xxxxxx/adminprods.php"] [unique_id "T@iWJn8AAAEADQkMVd4AAABK"]

I know the action that is tripping it. When I go to an existing item in our store, to edit it (it doesn't matter the editing done, any edit works) and click "submit" to have the database update the item, I'm setting off this error, and it is then locking down some of our inventory.

I say some, because there are some items that trigger it, and some that don't.

I can't seem to figure out what is causing it to trip.

Based on the SQL Character Anomaly Detection Alert - Repetative Non-Word Characters

I thought it was the "UPC" for the item (which had a repetitive string of numbers).

But, I checked, and changed three letters, that weren't repeating, and that fixed it.


So anyway. I'm looking for a PHP person, who can help me dissect the code, and see if I can figure out what the problem is. I would go back to the software's manufacturer, but they want an astronomical amount of money. I'm fairly confident even if I throw some cash at a fellow lurker to help me out, I'm going to come out ahead.


RE: Any here a PhP genius, who is also versed in ModSecurity? - kandrathe - 06-25-2012

(06-25-2012, 05:48 PM)shoju Wrote: Based on the SQL Character Anomaly Detection Alert - Repetative Non-Word Characters
This is your big clue.

The SQL injection prevention would be looking for special characters, not 0 through 9, A through Z, and a through z. Most likely you have a product name or description in the database that has either single or double quotation marks. The easiest types of SQL injection attacks just try to append something simple to a SQL statement e.g. "and 1=1".

Do you have an alternate method of getting to the data stored in the SQL database?


RE: Any here a PhP genius, who is also versed in ModSecurity? - RiotInferno - 06-25-2012

Specifically,

Quote:ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:pDescription. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.4"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data " />\\x0d\\x0a-"] [hostname "mywebsitename"] [uri "/xxxxxx/adminprods.php"] [unique_id "T@iWJn8AAAEADQkMVd4AAABK"]

the part of:
Quote:[data " />\\x0d\\x0a-"]
translates to a CR;LF in ASCII. (Carriage Return; LineFeed). Check for a spurious return or \r\n in the data you are sending to SQL.
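To see why the rule quoted above fires on that data, here is an added Python check (not code from this thread or from ModSecurity itself) that emulates the "\W{4,}" pattern, i.e. a run of four or more non-word characters, and decodes the [data "..."] field back to characters; the product description used below is constructed for illustration.

```python
import re

# CRS id 960024 (rev 2.2.4, as quoted in the thread) matches \W{4,}: four or more
# consecutive characters that are not letters, digits or underscore.
NONWORD_RUN = re.compile(r"\W{4,}")


def decode_modsec_data(data: str) -> str:
    """Turn the \\xHH escapes ModSecurity writes into the [data "..."] field back into characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), data)


def find_nonword_runs(value: str, min_len: int = 4):
    """Return (offset, run) for every run of >= min_len non-word characters in value."""
    return [(m.start(), m.group()) for m in re.finditer(r"\W{%d,}" % min_len, value)]


def would_trip(value: str) -> bool:
    """True if ARGS containing this value would match the rule's pattern."""
    return NONWORD_RUN.search(value) is not None


# Exactly the data the log line reports, still in its escaped form.
LOGGED_DATA = r" />\x0d\x0a-"

# The reference number from the thread: its "." and "-" are isolated single
# non-word characters, so it never forms a run of four.
REFERENCE = "6.25x3.25-SRT"

# Constructed description: HTML markup followed by a CR LF and a dash, the
# same six-character sequence the log captured (" />" + "\r\n" + "-").
DESCRIPTION = "Bracket kit<br />\r\n-fits 6.25x3.25-SRT"

if __name__ == "__main__":
    print(repr(decode_modsec_data(LOGGED_DATA)))   # ' />\r\n-'
    print(would_trip(REFERENCE))                     # False
    print(would_trip(REFERENCE + "\r\n"))            # False: a bare CRLF is only 2 chars
    print(find_nonword_runs(DESCRIPTION))            # [(14, ' />\r\n-')]
```

A stray CRLF by itself is only two non-word characters; the rule trips when the CRLF sits next to other punctuation such as a closing " />" and a list dash, which is what the logged data shows.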


RE: Any here a PhP genius, who is also versed in ModSecurity? - shoju - 06-25-2012

Thanks for the help guys.

I do have myphp on the server that would allow me to access the data in the server. Maybe then, you can help me figure this out.

The following is the user input data from the item I found that was giving me problems.

Reference: 6.25x3.25-SRT

When I changed this reference # to

Reference: 6.25x3.25-fixed

The problem went away. Am I missing something about 6.25x3.25-SRT that could be seen as malicious?


RE: Any here a PhP genius, who is also versed in ModSecurity? - RiotInferno - 06-25-2012

(06-25-2012, 06:36 PM)shoju Wrote: Thanks for the help guys.

I do have myphp on the server that would allow me to access the data in the server. Maybe then, you can help me figure this out.

The following is the user input data from the item I found that was giving me problems.

Reference: 6.25x3.25-SRT

When I changed this reference # to

Reference: 6.25x3.25-fixed

The problem went away. Am I missing something about 6.25x3.25-SRT that could be seen as malicious?

Was there a hidden Newline at the end of the original?


RE: Any here a PhP genius, who is also versed in ModSecurity? - kandrathe - 06-25-2012

(06-25-2012, 06:36 PM)shoju Wrote: Am I missing something about 6.25x3.25-SRT that could be seen as malicious?
From what you've found, I would say SRT is a reserved word. (that is if it is not the CRLF thing) Does SRT work in other places or -SRT?


RE: Any here a PhP genius, who is also versed in ModSecurity? - RiotInferno - 06-25-2012

Also, what version of ModSecurity are you running?
Edit: never mind, CRS v2.2.4, judging from the error message


RE: Any here a PhP genius, who is also versed in ModSecurity? - shoju - 06-25-2012

And............ It has been solved.

Apparently, my hosting company migrated us from one server to another, because our bandwidth is increasing (free upgrade!) and when they did, it seems that they didn't copy over the modsecurity settings that they had on the old server, meaning I've been triggering all kinds of alarms.


RE: Any here a PhP genius, who is also versed in ModSecurity? - RiotInferno - 06-25-2012

(06-25-2012, 07:57 PM)shoju Wrote: And............ It has been solved.

Apparently, my hosting company migrated us from one server to another, because our bandwidth is increasing (free upgrade!) and when they did, it seems that they didn't copy over the modsecurity settings that they had on the old server, meaning I've been triggering all kinds of alarms.

Glad to hear it got resolved!


RE: Any here a PhP genius, who is also versed in ModSecurity? - shoju - 06-25-2012

ME TOO!

After I talked with them this morning, and they gave me the information from the one error, they said that they had reset it, and that I should look into what was causing the problem. Well, this afternoon, while doing something COMPLETELY DIFFERENT, it tripped again.

Now I knew it wasn't a "me" problem.

I love my host. I've been using them in some way, shape or form for 10 years. Best rates, and best customer service on the web, as far as I'm concerned.