Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
phpMyAdmin "on" cookie blocked by libinjection
See original GitHub issue_Issue originally created by user zimmerle on date 2017-06-22 02:15:03. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/820._
quenenni commented on Wed Jun 21 2017
Debian Jessie libapache2-modsecurity v2.8.0-3 CRS v3.0.2
PhpMyAdmin is using pmaUser-2 & pmaPass-2 as cookie names. Not always, I could use PMA for a time. But it’s the second time today that suddenly, while doing stuff, modsec decided to block all my requests. And the reason was these 2 cookies.
I’m going to add an exception that stops the 2 rules when working with PMA, but aren’t those 2 rules to harsh in a general sense?
´´´ [Wed Jun 21 15:25:10.956736 2017] [:error] [pid 5924] [client xxx.xxx.xxx.xx:50902] ModSecurity: Access denied with code 412 (phase 2). detected XSS using libinjection. [file “/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf”] [line “64”] [id “941100”] [rev “2”] [msg “XSS Attack Detected via libinjection”] [data “Matched Data: connection found within REQUEST_COOKIES:pmaPass-2: on+BHFUPFdfsWTEJdw8wug==”] [severity “CRITICAL”] [ver “OWASP_CRS/3.0.0”] [maturity “1”] [accuracy “9”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-xss”] [tag “OWASP_CRS/WEB_ATTACK/XSS”] [tag “WASCTC/WASC-8”] [tag “WASCTC/WASC-22”] [tag “OWASP_TOP_10/A3”] [tag “OWASP_AppSensor/IE1”] [tag “CAPEC-242”] [hostname “yyyyy.net”] [uri “/alternc-sql/index.php”] [unique_id “WUpztolKzlsAABXPBZkAAAAD”]
´´´
[Thu Jun 22 00:31:20.676606 2017] [:error] [pid 30261] [client xxx.xxx.xxx.xxx:53590] ModSecurity: Access denied with code 412 (phase 2). Pattern match "(?i)([\\\\s\\"'`;\\\\/0-9\\\\=\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]+on[a-zA-Z]+[\\\\s\\\\x0B\\\\x09\\\\x0C\\\\x3B\\\\x2C\\\\x28\\\\x3B]*?=)" at REQUEST_COOKIES:pmaUser-2. [file "/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "133"] [id "941120"] [rev "2"] [msg "XSS Filter - Category 2: Event Handler Vector"] [data "Matched Data: 6oNo= found within REQUEST_COOKIES:pmaUser-2: ADNYD7f6oNo="] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "yyyy.net"] [uri "/alternc-sql/sql.php"] [unique_id "WUrzuIlKzlsAAHGX4rAAAAAe"]
zimmerle commented on Wed Jun 21 2017
Hi quenenni, it seems like you are facing a problem on OWASP CRS. The better approach is to open this issue on OWASP CRS Project.
Issue Analytics
- State:
- Created 3 years ago
- Comments:15
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
User dune73 commented on date 2020-03-04 08:06:40:
Decision during the CRS project chat on March 2, 2020: dune73 will get in touch with the libinjection project to try and get things moving again.
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1683#issuecomment-593584538
This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days