False positive on any page containing "<b>WARNING</b>:"

_Issue originally created by user DuncanMcArdle on date 2018-09-07 10:27:37. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1182._

Type of Issue

Incorrect blocking (false positive)

Description

Mod Security with OWASP’s rule set is blocking any page containing <b>WARNING</b>: (case insensitive, colon required). It cites the “RESPONSE-953-DATA-LEAKAGES.conf” file but I can find no reference to it in there.

---jDNIYUfC---A--
[07/Sep/2018:11:07:26 +0100] 153631484620.247675 <REMOVED> 65000 <REMOVED> 443
---jDNIYUfC---B--
GET /modsectest/page1c.php HTTP/1.1
Host: <REMOVED>.co.uk
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,en-GB;q=0.8

---jDNIYUfC---D--

---jDNIYUfC---E--
<b>WARNING</b>:\x0d\x0a

---jDNIYUfC---F--
HTTP/1.1 200
Server: nginx/1.15.3
Date: Fri, 07 Sep 2018 10:07:26 GMT
Content-Length: 17
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

---jDNIYUfC---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `php-errors.data' against variable `RESPONSE_BODY' (Value: `<b>WARNING</b>:\x0d\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "17"] [id "953100"] [rev "3"] [msg "PHP Information Leakage"] [data "Matched Data: <b>Warning</b>: found within RESPONSE_BODY: <b>WARNING</b>:\x0d\x0a"] [severity "3"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "OWASP_CRS/LEAKAGE/ERRORS_PHP"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref "o0,15v443,17"]
ModSecurity: Access denied with code 200 (phase 4). Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "165"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf"] [line "67"] [id "980140"] [rev ""] [msg "Outbound Anomaly Score Exceeded (score 4): PHP Information Leakage"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref ""]

---jDNIYUfC---I--

---jDNIYUfC---J--

---jDNIYUfC---Z--

Your Environment

• CRS version: 3.0.2
• ModSecurity version: 3.0.0 (NginX)
• Web Server and version: NginX 1.15.3
• Operating System and version: Ubuntu 16.04 LTS

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.