apache mod_security detects sql injection attack

[sharikov]

After new installation on a shared hosting, I get a mod_security error which then auto blocks my ip. It is falsely detecting a sql injection attack because within the pyrocms code is "user_password" which is pattern matched by ModSecurity.

This might be what happened with this issue: #630

[Thu Oct 04 19:23:57 2012] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object(?:(?:nam|typ)e|id) ..." at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "88"] [id "959904"] [msg "Blind SQL Injection Attack"] [data "user_password"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "dev.xxxxxxx.org"] [uri "/system/cms/themes/default/img/favicon.ico"] [unique_id "UG4ona3sHXIABwPFvyEAAAAa"]

[jerel]

Hmm... this seems like something that should be changed at the mod_security config level instead of changing the innocent string throughout PyroCMS.

[sharikov]

Not possible when you're using shared hosting and have no admin access to the mod_security config file. Sys admins are wary of changes to security if it might open up new vulnerabilities.

[philsturgeon]

Is this our problem? They're matching a fairly weird string. I know a LOT of applications that would throw an error here.

[philsturgeon]

I'm going to close this, it's not our fault mod_security is complaining about a very commonly used term.

[IvoMonteiro]

For those who don't want to have problems with mod_security and Sys admins, or don't have any idea how to change this permissions... Just Find/Replace on installer folder "user_password" to "another name".
Sorry Phil, I don't have a dedicated server.

[jacksoncool]

Phil your "customer service" is less than desirable! Maybe you don't care if tons of people buy and use your product, but if you do you should try to be more helpful. I've seen this from kind of attitude in other posts. you should think about it.

[philsturgeon]

I always take feedback on board, but this is a non-mover. So far 3 people have reported a problem with this, out of 60,000+ installations.

So what would you have me do? Some random module is flagging up valid code as an SQL attack for 0.005% of our users so I should recode it?

I left this open for a while and invited conversation, nobody said anything so I closed it. If any of you feel passionate about this then please do feel free to send in a pull request, but I cannot dedicate time to fixing something 0.005% of users have requested when I have functionality to build that effects 100% of the community.

Sorry if that's not the sort of attitude you'd like, but it's a realistic one.

[jacksoncool]

I can understand that reasoning...totally. I think you could rephrased your earlier answer better.." it's not our fault mod_security is complaining about a very commonly used term" ...

...to something softer... "since this is a problem only affecting XX% users...

..anyway thanks for responding.... I really do hope to try out your product.

[ryun]

Oh come on I bet it just seemed that way because he left out his smiley face ;)