mod_security rule 981172 false positive

Problem description

The mod_security configuration in Apache, on the CWP7.admin, generates a 403 access denied error when running Grav CMS:

[Thu Mar 21 15:40:47.967502 2019] [:error] [pid 21727:tid 140715786946304] [client 186.67.206.59:57900] [client 186.67.206.59] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" at REQUEST_COOKIES:grav-tabs-state. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within REQUEST_COOKIES:grav-tabs-state: {\x22tab-content.options.advanced\x22:\x22data.content\x22,\x22tab-content.options\x22:\x22data.content\x22,\x22tab-content.options.advanced.blog\x22:\x22data.options\x22}"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "xxxxxxxx.com"] [uri "/favicon.ico"] [unique_id "XJOwf0cQATwA6mgjE8O7AwAAANc"], referer: http://xxxxxxxx.com/

This error only happens when visiting the website a second time, making it very hard to solve.

Recommended answer

Upon inspecting the logs, I found the same pattern of errors for Grav CMS based sites generated by mod_security. This answer by Barry Pollard guided my solution.

The error noted the mod_security rule blocking my request:

/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

the corresponding line

[line "157"]

and its id

[id "981172"]

Using the advice from Barry, I added the following line after the rule:

SecRuleUpdateTargetById 981172 !REQUEST_COOKIES:grav-tabs-state

In this case I'm asking mod_security to omit REQUEST_COOKIES:grav-tabs-state from the rule 981172. This solved the issue.

Thanks from the bottom of my heart to @barrypollard
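Why the cookie trips the rule and what the exclusion changes, as an added example that is not part of the original answer: a simplified Python model of the pattern shown in the log entry, not ModSecurity itself. The `grav-tabs-state` value is the one in the log's data field; the `evaluate` helper and the `grav-site-session` and `prefs` cookies are constructed for illustration.

```python
import re

# Characters counted by rule 981172, taken from the pattern in the log entry.
# The pattern is matched against bytes, so the three typographic quotes are
# listed as their UTF-8 bytes (\xc2\xb4, \xe2\x80\x99, \xe2\x80\x98).
SPECIAL = b"~!@#$%^&*()-+={}[]|:;\"'`<>" + "´’‘".encode("utf-8")

# "(special char, then anything, lazily) repeated 8 or more times"
RULE_981172 = re.compile(b"(?:[" + re.escape(SPECIAL) + b"].*?){8,}", re.DOTALL)


def special_count(value):
    """Number of bytes in value that belong to the rule's character class."""
    return sum(byte in SPECIAL for byte in value.encode("utf-8"))


def evaluate(cookies, excluded=()):
    """Names of cookies the pattern flags, skipping excluded targets.

    `excluded` models the effect of SecRuleUpdateTargetById with a
    !REQUEST_COOKIES:<name> target: that one cookie is no longer inspected.
    """
    flagged = []
    for name, value in cookies.items():
        if f"REQUEST_COOKIES:{name}" in excluded:
            continue
        if RULE_981172.search(value.encode("utf-8")):
            flagged.append(name)
    return flagged


# Cookie value from the log's "Matched Data" field (\x22 is a double quote).
GRAV_TABS_STATE = (
    '{"tab-content.options.advanced":"data.content",'
    '"tab-content.options":"data.content",'
    '"tab-content.options.advanced.blog":"data.options"}'
)

COOKIES = {
    "grav-tabs-state": GRAV_TABS_STATE,
    "grav-site-session": "abc123",     # constructed sample, no special chars
    "prefs": "a=1;b=2;c=3;d=4;e=5",    # constructed sample, 9 special chars
}

if __name__ == "__main__":
    print("special characters in grav-tabs-state:", special_count(GRAV_TABS_STATE))
    print("flagged without exclusion:", evaluate(COOKIES))
    print("flagged with exclusion:   ",
          evaluate(COOKIES, excluded={"REQUEST_COOKIES:grav-tabs-state"}))
```

The JSON quoting alone puts the cookie well past the threshold of 8, and the exclusion is scoped to that single cookie: every other cookie is still checked by the rule.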
