4.2.4 mod_sec matching

XN-Matt

Well-Known Member
#1
Following on from the previous thread.

Assuming the latest build fixes what was discussed there, we're now seeing the below error, which did not occur in 4.2.3.


Message: [client x] mod_security: Access denied with code 403, [Rule: 'REQUEST_COOKIES' '(?:(\w+)(?:user|and)(\w+)char\([0-9]+\)|(?:execute|convert)\(|; ?delete.*;(?:insert|declare|varchar) ?|and .* \(select |(?:drop|create)(\w+)table |(?:declare|convert) .* varchar\(|null ?, ?null ?, ?(?:accesslevel|user_?name) ?,|concat\(|union select |union all select|\b\W*?cast\b\W*?\(.* as |xecresultset|' ?; ?declare\b\W*?|; ?set @|select (?:load_file|char\()|(?:insert|remark)test;)'] [ID "340181"] [Msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Generic SQL inline command protection"] [severity "CRITICAL"] [MatchedString "whmcsojd9ztq3rccm=00710d548692b118b3aff89186bdee1f; whmcsfd=ytoxontzojc6imnsawvudhmio2e6mtm6e3m6njoidxnlcmlkijtzoja6iii7czo3oijjb3vudhj5ijtzoja6iii7czoxmdoiy2xpzw50bmftzsi7czowoiiio3m6mte6imnvbxbhbnluyw1lijtzoja6iii7czo1oijlbwfpbci7czowoiiio3m6nzoiywrkcmvzcyi7czowoiiio3m6njoic3rhdhvzijtzoja6iii7czo1oijzdgf0zsi7czowoiiio3m6mte6imnsawvudgdyb3vwijtzoja6iii7czoxmtoicghvbmvudw1izxiio3m6mdoiijtzojg6imn1cnjlbmn5ijtzoja6iii7czoxmjoiy2fyzgxhc3rmb3vyijtzoja6iii7czoxmjoiy3vzdg9tzmllbgrzijtzoja6iii7fx0%3d"]


Looks like another error in LS.
 

mistwang

LiteSpeed Staff
#2
We could not reproduce it with the logged data.
Do you or your client know which request is causing this? If this can be reproduced, please capture the request data for us.

The easiest way is to use Chrome Tools -> "Developer Tool". Click the "Network" tab, locate the request URL, right-click, then select "Copy as cURL". Paste it into a text file, then send it to us.
 

mistwang

LiteSpeed Staff
#4
We have fixed this issue in the latest 4.2.4 build, based on information collected from another user experiencing a similar problem.
 