apache mod_security detects sql injection attack #1927

Closed
sharikov opened this Issue Oct 5, 2012 · 9 comments

@sharikov

sharikov commented Oct 5, 2012

After a new installation on shared hosting, I get a mod_security error which then auto-blocks my IP. It is falsely detecting a SQL injection attack because within the PyroCMS code is "user_password", which is pattern-matched by ModSecurity.

This might be what happened with this issue: #630

[Thu Oct 04 19:23:57 2012] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object(?:(?:nam|typ)e|id) ..." at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "88"] [id "959904"] [msg "Blind SQL Injection Attack"] [data "user_password"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "dev.xxxxxxx.org"] [uri "/system/cms/themes/default/img/favicon.ico"] [unique_id "UG4ona3sHXIABwPFvyEAAAAa"]
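To triage reports like the one above, it helps to pull the rule id, target, matched data and URI out of the Apache/ModSecurity 2.x error-log line. The parser below is an added example for this thread, not code from PyroCMS or ModSecurity; its sample input is the log line quoted above with the long rule regex abbreviated, and the false-positive heuristic at the end is this example's own assumption.

```python
import re

# Sample constructed for this example: the error-log line quoted in the issue,
# with the rule's long regex abbreviated to the alternative that fired.
SAMPLE_LINE = (
    '[Thu Oct 04 19:23:57 2012] [error] [client xxx.xxx.xxx.xxx] ModSecurity: '
    'Access denied with code 406 (phase 2). Pattern match '
    '"\\b(?:user_(?:password|group)) ..." at REQUEST_HEADERS:Cookie. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "88"] [id "959904"] '
    '[msg "Blind SQL Injection Attack"] [data "user_password"] [severity "CRITICAL"] '
    '[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "dev.xxxxxxx.org"] '
    '[uri "/system/cms/themes/default/img/favicon.ico"] [unique_id "UG4ona3sHXIABwPFvyEAAAAa"]'
)

HEAD_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>[^.]+)\. '
)
# The operator part: which regex fired and which variable it was evaluated against.
MATCH_RE = re.compile(r'Pattern match "(?P<pattern>.*?)" at (?P<target>.+?)\. (?=\[)')
# Trailing [key "value"] blocks; values may contain escaped quotes.
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>(?:[^"\\]|\\.)*)"\]')


def parse_modsec_line(line):
    """Split one ModSecurity 2.x error-log line into a dict of its fields."""
    head = HEAD_RE.match(line)
    if not head:
        raise ValueError("not a ModSecurity error-log line")
    event = head.groupdict()
    rest = line[head.end():]
    m = MATCH_RE.search(rest)
    if m:
        event["pattern"] = m.group("pattern")
        event["target"] = m.group("target")
        rest = rest[m.end():]
    event["tags"] = []  # [tag "..."] may appear more than once, so keep a list
    for t in TAG_RE.finditer(rest):
        key, value = t.group("key"), t.group("value")
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    return event


IDENT_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def likely_identifier_false_positive(event):
    """Heuristic assumed by this example (not a ModSecurity feature): the rule
    fired on the Cookie header and the matched data is a bare identifier such
    as a cookie name, with no SQL syntax around it."""
    return (event.get("target") == "REQUEST_HEADERS:Cookie"
            and bool(IDENT_RE.match(event.get("data", ""))))
```

Events that this heuristic flags are worth reviewing against the request's actual cookie names before deciding whether to tune the rule target.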

@jerel


Member

jerel commented Oct 10, 2012

Hmm... this seems like something that should be changed at the mod_security config level instead of changing the innocent string throughout PyroCMS.

@sharikov


sharikov commented Oct 10, 2012

Not possible when you're using shared hosting and have no admin access to the mod_security config file. Sys admins are wary of changes to security if it might open up new vulnerabilities.

@philsturgeon


Member

philsturgeon commented Oct 15, 2012

Is this our problem? They're matching a fairly weird string. I know a LOT of applications that would throw an error here.

@philsturgeon


Member

philsturgeon commented Dec 12, 2012

I'm going to close this; it's not our fault mod_security is complaining about a very commonly used term.

@IvoMonteiro


IvoMonteiro commented Dec 14, 2012

For those who don't want to have problems with mod_security and sysadmins, or don't have any idea how to change these permissions... just Find/Replace "user_password" in the installer folder with "another name".
Sorry Phil, I don't have a dedicated server.

@jacksoncool


jacksoncool commented Apr 11, 2013

Phil, your "customer service" is less than desirable! Maybe you don't care if tons of people buy and use your product, but if you do, you should try to be more helpful. I've seen this kind of attitude in other posts. You should think about it.

@philsturgeon


Member

philsturgeon commented Apr 11, 2013

I always take feedback on board, but this is a non-mover. So far 3 people have reported a problem with this, out of 60,000+ installations.

So what would you have me do? Some random module is flagging up valid code as an SQL attack for 0.005% of our users so I should recode it?

I left this open for a while and invited conversation; nobody said anything, so I closed it. If any of you feel passionate about this then please do feel free to send in a pull request, but I cannot dedicate time to fixing something 0.005% of users have requested when I have functionality to build that affects 100% of the community.

Sorry if that's not the sort of attitude you'd like, but it's a realistic one.

@jacksoncool


jacksoncool commented Apr 11, 2013

I can understand that reasoning... totally. I think you could have rephrased your earlier answer better... "it's not our fault mod_security is complaining about a very commonly used term" ...

...to something softer... "since this is a problem only affecting XX% users...

..anyway thanks for responding.... I really do hope to try out your product.

@ryun


ryun commented Apr 11, 2013

Oh come on I bet it just seemed that way because he left out his smiley face ;)
