4.2.4 mod_sec matching

Discussion in 'Bug Reports' started by XN-Matt, Aug 27, 2013.

  1. XN-Matt

    XN-Matt Member

    Following on from the previous thread.

    Assuming the latest build fixes what was discussed there. We're now seeing the below error which did not occur in 4.2.3.


    Message: [client x] mod_security: Access denied with code 403, [Rule: 'REQUEST_COOKIES' '(?:(\w+)(?:user|and)(\w+)char\([0-9]+\)|(?:execute|convert)\(|; ?delete.*;(?:insert|declare|varchar) ?|and .* \(select |(?:drop|create)(\w+)table |(?:declare|convert) .* varchar\(|null ?, ?null ?, ?(?:accesslevel|user_?name) ?,|concat\(|union select |union all select|\b\W*?cast\b\W*?\(.* as |xecresultset|' ?; ?declare\b\W*?|; ?set @|select (?:load_file|char\()|(?:insert|remark)test;)'] [ID "340181"] [Msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection"] [severity "CRITICAL"] [MatchedString "whmcsojd9ztq3rccm=00710d548692b118b3aff89186bdee1f; whmcsfd=ytoxontzojc6imnsawvudhmio2e6mtm6e3m6njoidxnlcmlkijtzoja6iii7czo3oijjb3vudhj5ijtzoja6iii7czoxmdoiy2xpzw50bmftzsi7czowoiiio3m6mte6imnvbxbhbnluyw1lijtzoja6iii7czo1oijlbwfpbci7czowoiiio3m6nzoiywrkcmvzcyi7czowoiiio3m6njoic3rhdhvzijtzoja6iii7czo1oijzdgf0zsi7czowoiiio3m6mte6imnsawvudgdyb3vwijtzoja6iii7czoxmtoicghvbmvudw1izxiio3m6mdoiijtzojg6imn1cnjlbmn5ijtzoja6iii7czoxmjoiy2fyzgxhc3rmb3vyijtzoja6iii7czoxmjoiy3vzdg9tzmllbgrzijtzoja6iii7fx0%3d"]


    Looks like another error in LS.
  2. mistwang

    mistwang LiteSpeed Staff

    We could not reproduced it with the logged data.
    Do you or your client know which request causeing this. If this can be reproduced, please capture the request data for us.

    The easiest way is to use chrome tools->"Developer Tool". click "network" tab. locate the request url, right click, then select "Copy as cURL". paste it to a text file, then send it to us.
  3. mistwang

    mistwang LiteSpeed Staff

    Or, you can enable mod_security audit log, and send us the log related.
  4. mistwang

    mistwang LiteSpeed Staff

    We have fixed it this issue in latest 4.2.4 build based on information collected from another user experiencing similar problem.

Share This Page