Any here a PhP genius, who is also versed in ModSecurity?
#1
Here's the backstory. I know a little .php. As in, I can fumble my way through the code, I can tell what's going on, and if need be, I can edit it. I can create relatively simple new code from my own brain.

I run an online store for a company, and we are getting an error through the "modsecurity" opensource firewall that our host runs.

The error is:

ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:pDescription. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.4"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data " />\\x0d\\x0a-"] [hostname "mywebsitename"] [uri "/xxxxxx/adminprods.php"] [unique_id "T@iWJn8AAAEADQkMVd4AAABK"]

I know the action that is tripping it. When I go to an existing item in our store, to edit it (it doesn't matter the editing done, any edit works) and click "submit" to have the database update the item, I'm setting off this error, and it is then locking down some of our inventory.

I say some, because there are some items that trigger it, and some that don't.

I can't seem to figure out what is causing it to trip.

Based on the SQL Character Anomaly Detection Alert - Repetative Non-Word Characters

I thought it was the "UPC" for the item (which had a repetitive string of numbers).

But, I checked, and changed three letters, that weren't repeating, and that fixed it.


So anyway. I'm looking for a PHP person, who can help me dissect the code, and see if I can figure out what the problem is. I would go back to the software's manufacturer, but they want an astronomical amount of money. I'm fairly confident even if I throw some cash at a fellow lurker to help me out, I'm going to come out ahead.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
Reply
#2
(06-25-2012, 05:48 PM)shoju Wrote: Based on the SQL Character Anomaly Detection Alert - Repetative Non-Word Characters
This is your big clue.

The SQL injection prevention would be looking for special characters, not 0 through 9, A through Z, and a through z. Mostly likely you have a product name or description in the database that has either single or double quotation marks. The easiest types of SQL injection attacks just try to append something simple to a SQL statement e.g. "and 1=1".

Do you have an alternate method of getting to the data stored in the SQL database?
”There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.

[Image: yVR5oE.png][Image: VKQ0KLG.png]

Reply
#3
Specifically,

Quote:ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:pDescription. [file "/hsphere/local/config/httpd2/modsecurity-core-rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.4"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data " />\\x0d\\x0a-"] [hostname "mywebsitename"] [uri "/xxxxxx/adminprods.php"] [unique_id "T@iWJn8AAAEADQkMVd4AAABK"]

the part of:
Quote:[data " />\\x0d\\x0a-"]
translates to a CR;LF in ASCII. (Carriage Return; LineFeed). Check for a spurious return or \r\n in the data you are sending to SQL.
Reply
#4
Thanks for the help guys.

I do have myphp on the server that would allow me to access the data in the server. Maybe then, you can help me figure this out.

The following is the user input data from the item I found that was giving me problems.

Reference: 6.25x3.25-SRT

When I changed this reference # to

Reference: 6.25x3.25-fixed

The problem went away. Am I missing something about 6.25x3.25-SRT that could be seen as malicious?
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
Reply
#5
(06-25-2012, 06:36 PM)shoju Wrote: Thanks for the help guys.

I do have myphp on the server that would allow me to access the data in the server. Maybe then, you can help me figure this out.

The following is the user input data from the item I found that was giving me problems.

Reference: 6.25x3.25-SRT

When I changed this reference # to

Reference: 6.25x3.25-fixed

The problem went away. Am I missing something about 6.25x3.25-SRT that could be seen as malicious?

Was there a hidden Newline at the end of the original?
Reply
#6
(06-25-2012, 06:36 PM)shoju Wrote: Am I missing something about 6.25x3.25-SRT that could be seen as malicious?
From what you've found, I would say SRT is a reserved word. (that is if it is not the CRLF thing) Does SRT work in other places or -SRT?
”There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.

[Image: yVR5oE.png][Image: VKQ0KLG.png]

Reply
#7
Also, what version of ModSecurity are you running?
Edit: nevermind, CRS v2.2.4, judging from the error message
Reply
#8
And............ It has been solved.

Apparently, my hosting company migrated us from one server to another, because our bandwidth is increasing (free upgrade!) and when they did, it seems that they didn't copy over the modsecurity settings that they had on the old server, meaning I've been triggering all kinds of alarms.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
Reply
#9
(06-25-2012, 07:57 PM)shoju Wrote: And............ It has been solved.

Apparently, my hosting company migrated us from one server to another, because our bandwidth is increasing (free upgrade!) and when they did, it seems that they didn't copy over the modsecurity settings that they had on the old server, meaning I've been triggering all kinds of alarms.

Glad to hear it got resolved!
Reply
#10
ME TOO!

After I talked with them this morning, and they gave me the information from the one error, they said that they had reset it, and that I should look into what was causing the problem. Well, this afternoon, while doing something COMPLETELY DIFFERENT, it tripped again.

Now I knew it wasn't a "me" problem.

I love my host. I've been using them in some way shape or form for 10 years. Best rates, and best customer service on the web As far as I'm concerned.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
Reply


Forum Jump:


Users browsing this thread: 5 Guest(s)