SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs

false positive on rule 932110

randyoo opened this issue

Not running Windows anyway, so I've already taken the opportunity to disable this rule entirely. Still, figured it was worth reporting an "out-of-the-box" false positive, as per the documentation in crs-setup.conf.

It looks like the word "Call" on a new line (following "\x0a") is triggering the rule. The relevant portion of the audit log follows.

Audit Logs / Triggered Rule Numbers

--7d028311-A--
[08/May/2020:02:42:21 --0400] XrT-TWsyYm7U1RzhvOCD2gAAAAM xxx.xx.xxx.xxx 15678 xxx.xx.xxx.xxx 443
--7d028311-B--
POST /?task=save HTTP/1.1
Host: xxxxxxx.xxx
Connection: Keep-Alive
Accept-Encoding: gzip
CF-IPCountry: DE
X-Forwarded-For: xxx.xx.xxx.xxx
CF-RAY: 590133435ff5d6b5-FRA
Content-Length: 5499
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
cache-control: max-age=0
upgrade-insecure-requests: 1
origin: https://xxxxxx.org
content-type: multipart/form-data; boundary=----WebKitFormBoundaryU51tVXBl2qAsw5SB
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
referer: https://xxxxxxx.org/post_ad?catid=4
accept-language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7
cookie: plg_system_eprivacy=2020-05-07x2020-11-07x; __cfduid=d4206e703262bc178c545b2772258d2b21588851892; _ga=GA1.2.1070711900.1588851893; _gid=GA1.2.1058449204.1588851893; __utmz=158475180.1588874258.2.2.utmcsr=ema$
CF-Request-ID: 02949e5e120000d6b52aa0b200000001
CF-Connecting-IP: xxx.xx.xxx.xxx
CDN-Loop: cloudflare

--7d028311-C--
------WebKitFormBoundaryU51tVXBl2qAsw5SB
Content-Disposition: form-data; name="name"

XXXXX XXXXXXXXX
------WebKitFormBoundaryU51tVXBl2qAsw5SB
Content-Disposition: form-data; name="email"

XXXXXXXX@xxxxxxxxxx.de
------WebKitFormBoundaryU51tVXBl2qAsw5SB
Content-Disposition: form-data; name="ad_text"

Blah blah blah, snip.
104 KW , 141 HP
2 Wheel Drive, Manual Transmission
Call xxx @ cellphone: (123) 334-1111
Or at home:  XXXXX XXXX

--7d028311-F--
HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
Content-Length: 199
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7d028311-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

--7d028311-H--
Message: Warning. Pattern match "(?i)(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|`)\\s*[\\(,@\\'\"\\s]*(?:[\\w'\"\\./]+/|[\\\\'\"\\^]*\\w[\\\\'\"\\^]*:.*\\\\|[\\^\\.\\w '\"/\\\\]*\\\\)?[\"\\^]*(?:m[\"\\^]*(?:y[\"\\^]*s[\"\\^]*
snip
msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \\x0d\\x0aCall xxx @ cellphone: (123) 334-1111
snip
Action: Intercepted (phase 2)
Stopwatch: 1588920141379066 19647 (- - -)
Stopwatch2: 1588920141379066 19647; combined=18244, p1=704, p2=17261, p3=0, p4=0, p5=278, sr=46, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0; CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--7d028311-Z--

Your Environment

  • CRS version (e.g., v3.2.0): 3.2.0
  • Paranoia level setting: default (1)
  • ModSecurity version (e.g., 2.9.3): 2.9.2
  • Web Server and version (e.g., apache 2.4.41): 2.4.29-1ubuntu4.13
  • Operating System and version: ubuntu 18.04 lts, running Joomla

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
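The usual way to handle an out-of-the-box false positive like this one is not to disable the rule, but to stop it inspecting the single parameter that trips it (here `ARGS:ad_text`). The following is an added example, not code from the CRS project or the reporter: it parses the H (trailer) section of a ModSecurity 2.x serial audit log like the one above, pulls out each alert's rule id and matched variable, and emits the matching `SecRuleUpdateTargetById` tuning line. The log text is constructed for the example, and the regex inside its first message is a short stand-in, since the page truncates the real 932110 pattern.

```python
import re

# Constructed sample modelled on the audit log in the report: H section only,
# with a stand-in pattern (NOT the real CRS 932110 regex, which is truncated
# on the page) plus the anomaly-scoring rule that actually issued the 403.
SAMPLE_AUDIT_LOG = r"""--7d028311-H--
Message: Warning. Pattern match "(?i)(?:\\n|\\r)\\s*call" at ARGS:ad_text. [id "932110"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: \x0d\x0aCall xxx @ cellphone: (123) 334-1111"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--7d028311-Z--
"""

# "Message: <operator text> at <VARIABLE>. [key "value"] [key "value"] ..."
MESSAGE_RE = re.compile(r'^Message: .*? at (?P<target>[A-Z_]+(?::[^\s.]+)?)\. (?P<attrs>\[.*)$')
ATTR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # handles \" and \x0d escapes
SECTION_RE = re.compile(r'^--[0-9A-Fa-f]+-([A-Z])--$')    # "--<txid>-H--" etc.

def parse_alerts(audit_log):
    """Return one dict per 'Message:' line inside the H section."""
    alerts, in_h = [], False
    for line in audit_log.splitlines():
        section = SECTION_RE.match(line)
        if section:
            in_h = section.group(1) == 'H'
            continue
        if not in_h:
            continue
        m = MESSAGE_RE.match(line)
        if not m:
            continue
        attrs = dict(ATTR_RE.findall(m.group('attrs')))
        alerts.append({'id': attrs.get('id'), 'target': m.group('target'),
                       'msg': attrs.get('msg'), 'data': attrs.get('data')})
    return alerts

def exclusion_directives(alerts):
    """Emit a CRS tuning line for each alert raised on a request variable,
    removing only that parameter from the rule's targets. Alerts on TX:*
    (the scoring rules, e.g. 949110) report the blocking decision rather
    than the false positive itself and are deliberately skipped."""
    lines = []
    for a in alerts:
        if a['id'] and a['target'].startswith(('ARGS', 'REQUEST_')):
            lines.append('SecRuleUpdateTargetById %s "!%s"' % (a['id'], a['target']))
    return lines

if __name__ == '__main__':
    found = parse_alerts(SAMPLE_AUDIT_LOG)
    for a in found:
        print(a['id'], a['target'], '->', a['data'])
    print('\n'.join(exclusion_directives(found)))
```

The emitted `SecRuleUpdateTargetById` line has to be loaded after the CRS rule files (the CRS ships the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file for exactly this), otherwise there is no rule 932110 to update yet.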