coreruleset: False positive response to Cyrillic characters in a string
Description
Hello again. Again faced with the problem of Cyrillic characters and triggering rules. This time the rule worked on the combination of characters: “T!T”
Logs
mybunker_1 | 2023/04/07 07:57:06 [warn] 637#637: *55 ModSecurity: Warning. detected SQLi using libinjection. [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: sos found within ARGS:message: \x1a>>@48=0BK =0 D>B>\x0d\x0a\x0d\x0a\x11 \x1e, \x1e\x11/\x17\x10"\x15\x1b,\x1d\x1e \x1a \x1f \x1e'"\x15\x1d\x18.!\x0d\x0a\x0d\x0a-B> ?@8:>?, 53> 3;C18=0 2-4 A<, =5 =C6=> CAB@0820BL 0@E5>;>38G5A:85 @0A:>?:8. \x1f>A;5 CA?5H=KE ?>8A:> (298 characters omitted)"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [hostname "192.168.240.2"] [uri "/mail.php"] [unique_id "168085422563.651517"] [ref "v1286,812t:urlDecodeUni"], client: 192.168.240.3, server: www.example.com, request: "POST /mail.php HTTP/1.1", host: "site.ru", referrer: "http://site.ru/"
Your Environment
- CRS version: OWASP_CRS/3.3.2 (tag: ‘paranoia-level/1’)
- ModSecurity version (e.g., 2.9.6):
- Operating System and version: Ubuntu 22.04
About this issue
- State: closed
- Created a year ago
- Comments: 22 (12 by maintainers)
I want to add that rule 942100 is really powerful and it’s definitely one of those that I would not recommend to disable completely, I’d recommend to just do it for your text fields. It is a very useful rule that catches a LOT of attacks. Unfortunately, the logic of what happens in this rule is completely controlled by a different project written in C (libinjection) so we cannot modify anything about it (although we can submit issues, but there is not so much development activity on it) and there are known issues with different languages 😞
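The per-field exclusion the comment above recommends, written out as a CRS rule exclusion; this is an added example, not configuration from the issue or from the CRS project. It assumes the path /mail.php and the argument ARGS:message from the log above, and the rule id 10001 is an assumed value from the user-reserved range.

```apacheconf
# Added example: keep rule 942100 active everywhere except the one free-text
# field that produced the false positive. Two equivalent ways to express it.

# Option A: runtime exclusion scoped to the endpoint that carries the text field.
# Goes in a file loaded BEFORE the CRS rules (e.g. REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
# /mail.php and ARGS:message are taken from the log entry above; id 10001 is assumed.
SecRule REQUEST_URI "@beginsWith /mail.php" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:message"

# Option B: configure-time exclusion, applied to every request.
# Goes in a file loaded AFTER the CRS rules (e.g. RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
SecRuleUpdateTargetById 942100 "!ARGS:message"

# What the comment advises against: this drops libinjection SQLi detection
# for every parameter on the site, not just the Cyrillic free-text field.
# SecRuleRemoveById 942100
```

Prefer Option A when only one endpoint accepts free text, since it keeps 942100 inspecting ARGS:message on every other URI.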