I installed and enabled the module mod_security. Then I enabled modsecurity_crs_41_sql_injection_attacks.conf.
For every form, when I submit it, I get a 403 Forbidden error.
[Wed Nov 15 16:53:03.324516 2017] [:error] [pid 27760] [client] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS_NAMES:field_cl_address[0][format]. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ] found within ARGS_NAMES:field_cl_address[0][format]: field_cl_address[0][format]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.d8.dev.xxxx"] [uri "/node/add/occlient/19784"] [unique_id "Wgxw738AAQEAAGxw91sAAAAO"]
Can someone explain why?
Posted on 2017-11-15 17:29:22
I found the solution by looking at the logs:
[Wed Nov 15 16:53:03.313249 2017] [:error] [pid 27752] [client 54.208.242.36] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at ARGS:field_cl_ref_no[508752]. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: '\\x22 found within ARGS:field_cl_ref_no[508752]: '\\x22()"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.d8.dev.xxxx"] [uri "/node/add/occlient/19784"] [unique_id "Wgxw738AAQEAAGxoJOMAAAAH"]
[Wed Nov 15 17:19:51.286111 2017] [:error] [pid 28380] [client] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+" at ARGS:form_token. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [data "Matched Data: E0X10B found within ARGS:form_token: xCyRB87OqEoGB47ngDdQJ0gVaIa5fy4JtgE0X10BVW0"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "d8.dev.xxxx"] [uri "/node/1369392/edit"] [unique_id "Wgx3N38AAQEAAG7cNtYAAAAK"]
I disabled the rules with ids 981173 and 981260 in the vhost, and then it works.
<Directory /var/www/html>
    Order allow,deny
    Allow from all
    Options +FollowSymLinks +ExecCGI
    RewriteEngine On
    AllowOverride All
    <IfModule security2_module>
        SecRuleRemoveById 981245
        SecRuleRemoveById 981248
        SecRuleRemoveById 981173
        SecRuleRemoveById 981231
        SecRuleRemoveById 950901
        SecRuleRemoveById 981260
    </IfModule>
</Directory>

https://drupal.stackexchange.com/questions/250319
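The alerts above tell the whole story: rule 981173 counts "restricted" SQL characters and the Drupal field name field_cl_address[0][format] alone carries four brackets, and rule 981260 looks for hex literals and finds the substring E0X10B inside the random form_token. Neither is attacker input, so both are false positives caused by Drupal's naming conventions. Disabling the rules with SecRuleRemoveById, as the answer does, switches those SQL injection checks off for every parameter on the site. A narrower fix is to exclude only the offending variable from each rule with SecRuleUpdateTargetById, which ModSecurity 2.x supports. The script below is an added example, not code from the question or the answer: it parses the three alert lines quoted on this page, reproduces the two pattern matches in plain Python to show why they fired, and prints a per-variable exclusion for each alert. The generated directives are an assumption about the right exclusion; check the variable selector against the ModSecurity reference for your version before adding it to the vhost, and keep it after the CRS include so the rule already exists when the update is applied.

```python
import re

# The three alert lines quoted on the page (verbatim), used as sample input.
SAMPLE_ALERTS = [
    r'''[Wed Nov 15 16:53:03.324516 2017] [:error] [pid 27760] [client] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS_NAMES:field_cl_address[0][format]. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ] found within ARGS_NAMES:field_cl_address[0][format]: field_cl_address[0][format]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.d8.dev.xxxx"] [uri "/node/add/occlient/19784"] [unique_id "Wgxw738AAQEAAGxw91sAAAAO"]''',
    r'''[Wed Nov 15 16:53:03.313249 2017] [:error] [pid 27752] [client 54.208.242.36] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at ARGS:field_cl_ref_no[508752]. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: '\\x22 found within ARGS:field_cl_ref_no[508752]: '\\x22()"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.d8.dev.xxxx"] [uri "/node/add/occlient/19784"] [unique_id "Wgxw738AAQEAAGxoJOMAAAAH"]''',
    r'''[Wed Nov 15 17:19:51.286111 2017] [:error] [pid 28380] [client] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:\\\\A|[^\\\\d])0x[a-f\\\\d]{3,}[a-f\\\\d]*)+" at ARGS:form_token. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "55"] [id "981260"] [rev "2"] [msg "SQL Hex Encoding Identified"] [data "Matched Data: E0X10B found within ARGS:form_token: xCyRB87OqEoGB47ngDdQJ0gVaIa5fy4JtgE0X10BVW0"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "d8.dev.xxxx"] [uri "/node/1369392/edit"] [unique_id "Wgx3N38AAQEAAG7cNtYAAAAK"]''',
]

# Bracketed [key "value"] fields; values may contain backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the pattern was matched against, e.g. ARGS:form_token.
TARGET_RE = re.compile(r'" at (?P<target>.+?)\. \[file "')

# Character class of CRS 2.2.9 rule 981173 (four or more of these trigger the alert).
RESTRICTED_CHARS = set('~!@#$%^&*()-+={}[]|:;"\'\u00b4\u2019\u2018`<>')
# Hex-literal check of rule 981260.
HEX_RE = re.compile(r'(?i)(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*')


def parse_alert(line):
    """Return the id, target variable, msg, data and uri of one ModSecurity alert line."""
    m = TARGET_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {
        "id": fields.get("id"),
        "target": m.group("target"),
        "msg": fields.get("msg"),
        "data": fields.get("data"),
        "uri": fields.get("uri"),
    }


def restricted_char_count(value):
    """How many characters from rule 981173's class a parameter name contains."""
    return sum(1 for ch in value if ch in RESTRICTED_CHARS)


def hex_token_match(value):
    """The substring rule 981260 would report as a hex literal, or None."""
    m = HEX_RE.search(value)
    return m.group(0) if m else None


def targeted_exclusion(alert):
    """A per-variable exclusion (assumed form) instead of removing the whole rule."""
    collection, _, name = alert["target"].partition(":")
    return f'SecRuleUpdateTargetById {alert["id"]} "!{collection}:{name}"'


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        alert = parse_alert(line)
        print(f'rule {alert["id"]} on {alert["target"]} ({alert["uri"]}): {alert["msg"]}')
        print("    " + targeted_exclusion(alert))
    # Reproduce the two matches that the question is about.
    print("brackets in field name:", restricted_char_count("field_cl_address[0][format]"))
    print("hex-looking substring in form_token:",
          hex_token_match("xCyRB87OqEoGB47ngDdQJ0gVaIa5fy4JtgE0X10BVW0"))
```

Running the script lists one exclusion per alert. The form_token one is safe to apply as-is because that value is never used in a SQL query; for the field-name alerts, confirm that the parameter is validated by Drupal before trusting the exclusion, and re-run the forms with the audit log enabled to verify that no other rule now fires.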