coreruleset: phpMyAdmin "on" cookie blocked by libinjection
_Issue originally created by user zimmerle on date 2017-06-22 02:15:03. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/820._
quenenni commented on Wed Jun 21 2017
Debian Jessie libapache2-modsecurity v2.8.0-3 CRS v3.0.2
PhpMyAdmin is using pmaUser-2 & pmaPass-2 as cookie names. Not always, I could use PMA for a time. But it’s the second time today that suddenly, while doing stuff, modsec decided to block all my requests. And the reason was these 2 cookies.
I’m going to add an exception that stops the 2 rules when working with PMA, but aren’t those 2 rules to harsh in a general sense?
´´´ [Wed Jun 21 15:25:10.956736 2017] [:error] [pid 5924] [client xxx.xxx.xxx.xx:50902] ModSecurity: Access denied with code 412 (phase 2). detected XSS using libinjection. [file “/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf”] [line “64”] [id “941100”] [rev “2”] [msg “XSS Attack Detected via libinjection”] [data “Matched Data: connection found within REQUEST_COOKIES:pmaPass-2: on+BHFUPFdfsWTEJdw8wug==”] [severity “CRITICAL”] [ver “OWASP_CRS/3.0.0”] [maturity “1”] [accuracy “9”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-xss”] [tag “OWASP_CRS/WEB_ATTACK/XSS”] [tag “WASCTC/WASC-8”] [tag “WASCTC/WASC-22”] [tag “OWASP_TOP_10/A3”] [tag “OWASP_AppSensor/IE1”] [tag “CAPEC-242”] [hostname “yyyyy.net”] [uri “/alternc-sql/index.php”] [unique_id “WUpztolKzlsAABXPBZkAAAAD”]
´´´
[Thu Jun 22 00:31:20.676606 2017] [:error] [pid 30261] [client xxx.xxx.xxx.xxx:53590] ModSecurity: Access denied with code 412 (phase 2). Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on[a-zA-Z]+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=)" at REQUEST_COOKIES:pmaUser-2. [file "/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "133"] [id "941120"] [rev "2"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 6oNo= found within REQUEST_COOKIES:pmaUser-2: ADNYD7f6oNo="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "yyyy.net"] [uri "/alternc-sql/sql.php"] [unique_id "WUrzuIlKzlsAAHGX4rAAAAAe"]
zimmerle commented on Wed Jun 21 2017
Hi quenenni, it seems like you are facing a problem on OWASP CRS. The better approach is to open this issue on OWASP CRS Project.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 15 (1 by maintainers)
User dune73 commented on date 2020-03-04 08:06:40:
Decision during the CRS project chat on March 2, 2020: dune73 will get in touch with the libinjection project to try and get things moving again.
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1683#issuecomment-593584538