SQLi rule 942410 could use word separators
_Issue originally created by user lifeforms on date 2017-05-02 10:58:59. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/761._
Got a false positive for Zomerzangweek (9 t/m 12 jaar)
Message: Warning. Pattern match "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv ..." at ARGS:menu-item[-26][menu-item-title]. [file "/etc/apache2/security2/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "961"] [id "942410"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: week ( found within ARGS:menu-item[-26][menu-item-title]: Zomerzangweek (9 t/m 12 jaar)"]
Seems to me that we could look for a `\b` word separator at the start of the SQL keywords without ill effects.
The 942410 regexp is pretty daunting though. Let’s hope we got the source for this regexp from Ofer.
Top GitHub Comments
User franbuehler commented on date 2017-06-04 07:48:40:
The FP should be resolved with PR 791. And yes, dune73, I’ve almost finished disassembling the regexp. I’ll finish, test and then make a PR for 3.1/dev.
User ketaanhshah commented on date 2019-07-11 15:03:35:
franbuehler dune73 hey guys, we got a 942410 exception where it caught it where the match was " is (". Basically it is a legitimate one for us, as our businessType arguments have a value which contains " is (", and now what we have to do here is to disable this 942410 rule on the WAF… you think this is correct? I know we can simply exclude the ARGS (businessType) but we may get more new arguments 😦.
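The effect of the proposed `\b` on the two false positives reported in this thread, as an added example that is not part of the original issue or of the CRS code base. The pattern is a simplified stand-in for rule 942410 built from a constructed keyword subset, and all sample values except the first are constructed.

```python
import re

# Simplified stand-in for rule 942410 (assumption: the real regexp is much
# longer and is truncated in the log message above). It keeps the shape seen
# in the "Matched Data" field: a keyword, optional non-word chars, then "(".
KEYWORDS = ["substring", "week", "sha1", "sqrt", "is"]  # constructed subset
ALTERNATION = "|".join(KEYWORDS)

UNANCHORED = re.compile(r"(?i:(?:%s)\W*\()" % ALTERNATION)
ANCHORED = re.compile(r"(?i:\b(?:%s)\W*\()" % ALTERNATION)  # proposed \b

def matched_data(pattern, value):
    """Return the substring the pattern matched, or None (no alert)."""
    m = pattern.search(value)
    return m.group(0) if m else None

def compare(value):
    """Matched data without and with the leading word boundary."""
    return matched_data(UNANCHORED, value), matched_data(ANCHORED, value)

# First value is from the issue; the others are constructed for illustration.
SAMPLES = [
    "Zomerzangweek (9 t/m 12 jaar)",   # keyword at the end of a longer word
    "thesis (draft)",                  # same situation with "is"
    "Retail is (limited) company",     # stand-alone word "is" before "("
    "substring(name,1,1)",             # function call the rule is meant for
]

if __name__ == "__main__":
    for value in SAMPLES:
        before, after = compare(value)
        print(f"{value!r:34} without \\b: {before!r:14} with \\b: {after!r}")
```

The word boundary removes matches where the keyword is the tail of a longer word, but a stand-alone "is" followed by "(" still matches, so a value like the businessType one needs a per-argument exclusion rather than the `\b` change.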