Trouble with phpMyAdmin and mod_sec (getting caught in phase:1)
hanj <mailing <at> astarna.com>
2007-06-03 18:47:21 GMT
Hello,

I'm having trouble excluding phpMyAdmin from mod_sec. I've added SecRuleInheritance Off and SecRuleEngine Off in the Directory area of my VirtualHost. This seems to apply to phase:2, but not phase:1. I'm getting a 400 status when I try to edit a record. I also tried the SecRule REQUEST_FILENAME and allowing phase:1, but I continue to get the 400 status.

Here is my modsec_audit.log, and below that is a view of my apache config for that directory. Any suggestions are greatly appreciated.

--816a6d09-A--
[03/Jun/2007:12:37:24 --0600] vVBTC0LbO5UAAD46MaoAAAAA xxx.xxx.xxx.xxx 1359 xxx.xxx.xxx.xxx 443
--816a6d09-B--
GET /phpmyadmin/tbl_change.php?db=mydb&table=data&token=323cf89f3969db1b855a159b9b250bc3&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=+%60data%60.%60DataID%60+%3D+702&sql_query=SELECT+%2A+FROM+%60data%60+WHERE+LastName+LIKE+%27%25doe%25%27&goto=sql.php HTTP/1.1
Host: my.host.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://my.host.com/phpmyadmin/import.php
Cookie: pmaCookieVer=4; pma_collation_connection=utf8_unicode_ci; pma_charset=iso-8859-1; pma_lang=en-utf-8; phpMyAdmin=59f2e047d2c961ff55c85c430aa37934; pma_theme=original; __utma=219305993.412737841.1170700683.1180815267.1180895728.39; __utmz=219305993.1176754457.20.6.utmccn=(organic)|utmcsr=google|utmctr=kylegraybeal.com|utmcmd=organic; __utmc=219305993; highlightedTreeviewLinkt2=2; clickedFoldert2=1%5E; PHPSESSID=c81a24712fd95b0067fcdb270cfe710b; SQMSESSID=7307a2897ae03f8c480d0282836c3bd9; __utmb=219305993
Authorization: Basic xxxxxxxxxxx
--816a6d09-F--
HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
--816a6d09-H--
Message: Access denied with code 400 (phase 1). Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:sql_query. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]
Action: Intercepted (phase 1)
Stopwatch: 1180895844258571 1489 (- - -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache
--816a6d09-Z--

<VirtualHost>
... blah blah blah
<Directory /path/to/my.host.com/htdocs/phpmyadmin>
... blah blah
<IfModule mod_security2.c>
SecRuleInheritance Off
SecRuleEngine Off
SecRule REQUEST_FILENAME "^/phpmyadmin" \
"allow,phase:1,nolog,ctl:ruleEngine=Off"
</IfModule>
</Directory>
</VirtualHost>
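Added example (editor's, not part of hanj's post or of the ModSecurity project): one way to make the phpMyAdmin exclusion cover phase 1 as well. The audit log shows the per-directory SecRuleEngine Off taking effect only from phase 2, which is consistent with ModSecurity running phase 1 from Apache's post-read-request hook, before the request has been mapped to a <Directory>. The exclusion is therefore placed in the same context as the Core Rules (server scope is assumed here) and before their Include, because rules within a phase run in configuration order. The Include path, the server-scope placement and the ctl:ruleRemoveById variant are assumptions, not taken from the post.

```apache
# Added example (not from the original post). Scope the phpMyAdmin exclusion so
# that it is in effect during phase 1, where rule 950107 fired.
<IfModule mod_security2.c>
    SecRuleEngine On

    # Why 950107 matched: ARGS are URL-decoded before inspection, so sql_query
    # becomes  SELECT * FROM `data` WHERE LastName LIKE '%doe%'  and the SQL
    # LIKE wildcard '%' followed by "do" looks like a broken percent-escape to
    # the pattern \%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4}).
    #
    # A per-directory SecRuleEngine Off is not yet merged when phase 1 runs, so
    # the exclusion is expressed as a phase:1 rule in this (server) context,
    # BEFORE the Core Rules are included, since rules in a phase run in
    # configuration order.
    SecRule REQUEST_URI "^/phpmyadmin/" \
        "phase:1,nolog,pass,ctl:ruleEngine=Off"

    # Narrower alternative (assumption: keep the engine on for phpMyAdmin and
    # drop only the rule that misfires on LIKE wildcards in sql_query):
    # SecRule REQUEST_URI "^/phpmyadmin/" \
    #     "phase:1,nolog,pass,ctl:ruleRemoveById=950107"

    # Assumed location of the Core Rules; adjust to the real path.
    Include conf/modsecurity/*.conf
</IfModule>
```

If the Core Rules are instead loaded inside the VirtualHost, put the SecRule there, still ahead of the Include; a rule added in a child context with the default SecRuleInheritance On is appended after the inherited rules and would run too late to stop 950107.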
