mod_security rule 981172 false positive

The mod_security configuration in Apache on CWP7.admin generates a 403 access denied error when running Grav CMS:

[Thu Mar 21 15:40:47.967502 2019] [:error] [pid 21727:tid 140715786946304] [client 186.67.206.59:57900] [client 186.67.206.59] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\\xc2\xb4\\xe2\x80\x99\\xe2\x80\x98\`\<\>].*?){8,}" at REQUEST_COOKIES:grav-tabs-state. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within REQUEST_COOKIES:grav-tabs-state: {\x22tab-content.options.advanced\x22:\x22data.content\x22,\x22tab-content.options\x22:\x22data.content\x22,\x22tab-content.options.advanced.blog\x22:\x22data.options\x22}"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "xxxxxxxx.com"] [uri "/favicon.ico"] [unique_id "XJOwf0cQATwA6mgjE8O7AwAAANc"], referer: http://xxxxxxxx.com/

This error only appears on the second visit to the site, which made it hard to track down.

After checking the logs, I found that other Grav CMS-based sites showed the same error pattern generated by mod_security.

The error indicates that the mod_security rule blocking my request is in:

/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

at the line

[line "157"]

with the ID

[id "981172"]

Following Barry's suggestion, I added the following line after the rule:

SecRuleUpdateTargetById 981172 !REQUEST_COOKIES:grav-tabs-state

With this, I am asking mod_security to omit REQUEST_COOKIES:grav-tabs-state from rule 981172. This solved the problem.
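For anyone reproducing this, here is the exclusion in context as an added example (not part of the original post or of the CRS). It assumes ModSecurity 2.x with OWASP CRS 2.2.9 already loaded, that the snippet lives in a file included after the CRS base_rules so that rule 981172 exists when it is updated, and that `1000981` is a free local rule id; the hostname is a placeholder for the site's real name. The second variant is scoped to one virtual host because, as the log above shows, the cookie is sent on every request to the host (the hit was on `/favicon.ico`), so a path-based scope would not cover it.

```apache
# Added example, not from the original post. Must be loaded AFTER the CRS
# base_rules include, otherwise rule 981172 does not yet exist to be updated.

# 1. Server-wide exclusion, as used in the post: rule 981172 keeps inspecting
#    ARGS, other cookies and its remaining targets, but no longer counts the
#    special characters in Grav's JSON-valued cookie.
SecRuleUpdateTargetById 981172 !REQUEST_COOKIES:grav-tabs-state

# 2. Narrower alternative: remove the target only for requests to the Grav
#    site's hostname. Replace example-grav-site.invalid with the real host.
#    Rule id 1000981 is a hypothetical id in the local (non-CRS) range.
SecRule REQUEST_HEADERS:Host "@streq example-grav-site.invalid" \
    "id:1000981,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=981172;REQUEST_COOKIES:grav-tabs-state"
```

Either variant leaves rule 981172 active for request arguments, so an actual SQL-injection attempt in ARGS is still scored; only the one cookie that is known to carry JSON is excluded. After adding the lines, run `apachectl configtest` (or `httpd -t`) and reload, then confirm in the error log that the `id "981172"` entries for `REQUEST_COOKIES:grav-tabs-state` have stopped while other rule hits still appear.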

Many thanks to @barrypollard