Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
SQLi rule 942410 could use word separators
See original GitHub issue_Issue originally created by user lifeforms on date 2017-05-02 10:58:59. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/761._
Got a false positive for Zomerzangweek (9 t/m 12 jaar)
Message: Warning. Pattern match "(?i:(?:(?:s(?:t(?:d(?:dev(_pop|_samp)?)?|r(?:_to_date|cmp))|u(?:b(?:str(?:ing(_index)?)?|(?:dat|tim)e)|m)|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha(1|2)?|oundex|chema|ig?n|pace|qrt)|i(?:s(null|_(free_lock|ipv4_compat|ipv4_mapped|ipv4|ipv ..." at ARGS:menu-item[-26][menu-item-title]. [file "/etc/apache2/security2/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "961"] [id "942410"] [rev "2"] [msg "SQL Injection Attack"] [data "Matched Data: week ( found within ARGS:menu-item[-26][menu-item-title]: Zomerzangweek (9 t/m 12 jaar)"]
Seems to me that we could look for a \b word separator at the start of the SQL keywords without ill effects.
The 942410 regexp is pretty daunting though. Let’s hope we got the source for this regexp from Ofer.
Issue Analytics
- State:
- Created 3 years ago
- Comments:8
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
User franbuehler commented on date 2017-06-04 07:48:40:
The FP should be resolved with PR 791. And yes, dune73, I’ve almost finished disassembling the regexp. I’ll finish, test and then make a PR for 3.1/dev.
User ketaanhshah commented on date 2019-07-11 15:03:35:
franbuehler dune73 hey guys we got a 942410 exception where it caught it where the match was " is (" basically it is a legitimate one for us as our businessType Arguments have a value which containg " is (" and now what we have to do here is to disable this 942410 rule on WAF… you think this is correct? I know we can simply exclude the ARGS (businessType) but we may get more new Arguments 😦.