coreruleset: phpMyAdmin "on" cookie blocked by libinjection

_Issue originally created by user zimmerle on date 2017-06-22 02:15:03. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/820._

quenenni commented on Wed Jun 21 2017

Debian Jessie libapache2-modsecurity v2.8.0-3 CRS v3.0.2

PhpMyAdmin is using pmaUser-2 & pmaPass-2 as cookie names. Not always, I could use PMA for a time. But it’s the second time today that suddenly, while doing stuff, modsec decided to block all my requests. And the reason was these 2 cookies.

I’m going to add an exception that stops the 2 rules when working with PMA, but aren’t those 2 rules too harsh in a general sense?

```
[Wed Jun 21 15:25:10.956736 2017] [:error] [pid 5924] [client xxx.xxx.xxx.xx:50902] ModSecurity: Access denied with code 412 (phase 2). detected XSS using libinjection. [file "/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: connection found within REQUEST_COOKIES:pmaPass-2: on+BHFUPFdfsWTEJdw8wug=="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "yyyyy.net"] [uri "/alternc-sql/index.php"] [unique_id "WUpztolKzlsAABXPBZkAAAAD"]
```

```
[Thu Jun 22 00:31:20.676606 2017] [:error] [pid 30261] [client xxx.xxx.xxx.xxx:53590] ModSecurity: Access denied with code 412 (phase 2). Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on[a-zA-Z]+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=)" at REQUEST_COOKIES:pmaUser-2. [file "/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "133"] [id "941120"] [rev "2"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 6oNo= found within REQUEST_COOKIES:pmaUser-2: ADNYD7f6oNo="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "yyyy.net"] [uri "/alternc-sql/sql.php"] [unique_id "WUrzuIlKzlsAAHGX4rAAAAAe"]
```
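
Why rule 941120 fires on the `pmaUser-2` value in the second log entry, as an added example that is not part of the original issue or of the CRS code: it runs the logged pattern over the cookie value and then estimates how often padded base64 values hit it by chance. The un-escaped form of the regex, the helper names `matched_data` and `false_positive_rate`, and the random sample values are assumptions made for this sketch; the libinjection match of rule 941100 is not reproduced.

```python
import base64
import random
import re

# Rule 941120's pattern as printed in the log entry, with the log's extra
# backslash escaping removed (assumption: this is the intended regex).
RULE_941120 = re.compile(
    r"(?i)([\s\"'`;\/0-9\=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+"
    r"[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=)"
)


def matched_data(value):
    """Return the substring rule 941120 would report, or None if no match."""
    m = RULE_941120.search(value)
    return m.group(1) if m else None


def false_positive_rate(samples=100_000, nbytes=8, seed=820):
    """Share of random base64 values that match the rule.

    The values are constructed (seeded PRNG), not real phpMyAdmin cookies.
    nbytes=8 yields 12 characters ending in one '=' like the logged value;
    a length that is a multiple of 3 has no padding and can never match.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        raw = rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big")
        if matched_data(base64.b64encode(raw).decode("ascii")):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    # Logged cookie value: a digit, then "oN" + letter, then base64 padding.
    print("logged cookie  :", matched_data("ADNYD7f6oNo="))
    # Same value with one character changed (constructed): no "on" follows
    # the digit, so the rule stays silent.
    print("altered cookie :", matched_data("ADNYD7f6pNo="))
    # Constructed attribute fragment of the kind the rule is written for.
    print("event handler  :", matched_data('x" onclick='))
    print("random base64 hit rate:", false_positive_rate())
```

The match depends only on a digit or `/` followed by `on`, letters and the trailing `=`, which is why the block appears intermittently as the cookie value changes.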

zimmerle commented on Wed Jun 21 2017

Hi quenenni, it seems like you are facing a problem on OWASP CRS. The better approach is to open this issue on OWASP CRS Project.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 15 (1 by maintainers)

Most upvoted comments

User dune73 commented on date 2020-03-04 08:06:40:

Decision during the CRS project chat on March 2, 2020: dune73 will get in touch with the libinjection project to try and get things moving again.

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1683#issuecomment-593584538