How to disable mod_security2 rule (false positive) for one domain on centos 5

Posted by nicholas.alipaz on Server Fault See other posts from Server Fault or by nicholas.alipaz
Published on 2010-04-26T03:21:26Z Indexed on 2010/04/26 4:53 UTC
Read the original article Hit count: 319

Filed under:

web-development

|

server

|

apache2

|

mod-security

|

system-administration

Hi I have mod_security enabled on a centos5 server and one of the rules is keeping a user from posting some text on a form. The text is legitimate but it has the words 'create' and an html <table> tag later in it so it is causing a false positive.

The error I am receiving is below:

[Sun Apr 25 20:36:53 2010] [error] [client 76.171.171.xxx] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:body. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "352"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/node/181/edit"] [unique_id "@TaVDEWnlusAABQv9@oAAAAD"]

and here is /usr/local/apache/conf/modsec2.user.conf (line 352)

#Generic SQL sigs SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:1,rev:1,severity:2,msg:'Generic SQL injection protection'"

The questions I have are:

What should I do to "whitelist" or allow this rule to get through?
What file do I create and where?
How should I alter this rule?
Can I set it to only be allowed for the one domain, since it is the only one having the issue on this dedicated server or is there a better way to exclude table tags perhaps?

Thanks guys

© Server Fault or respective owner

How to disable mod_security2 rule (false positive) for one domain on centos 5

Posted by nicholas.alipaz on Stack Overflow See other posts from Stack Overflow or by nicholas.alipaz
Published on 2010-04-26T03:21:26Z Indexed on 2010/04/26 3:23 UTC
Read the original article Hit count: 319

Filed under:

web-development

|

server

|

apache2

|

mod-security

|

system-administration

Hi I have mod_security enabled on a centos5 server and one of the rules is keeping a user from posting some text on a form. The text is legitimate but it has the words 'create' and an html <table> tag later in it so it is causing a false positive.

The error I am receiving is below:

[Sun Apr 25 20:36:53 2010] [error] [client 76.171.171.xxx] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:body. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "352"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/node/181/edit"] [unique_id "@TaVDEWnlusAABQv9@oAAAAD"]

and here is /usr/local/apache/conf/modsec2.user.conf (line 352)

#Generic SQL sigs SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:1,rev:1,severity:2,msg:'Generic SQL injection protection'"

The questions I have are:

What should I do to "whitelist" or allow this rule to get through?
What file do I create and where?
How should I alter this rule?
Can I set it to only be allowed for the one domain, since it is the only one having the issue on this dedicated server or is there a better way to exclude table tags perhaps?

Thanks guys

© Stack Overflow or respective owner

Related posts about web-development

Web Development - How to Get Started in Web Development

as seen on Ezine Articles - Search for 'Ezine Articles'
11 years ago I purchased a book about basic HTML development. A purchase that would end up defining my entire professional career. I bought it because I wanted to create a web page for a school project. This was in the days of Geo city sites and it looked absolutely horrible. >>> More
PHP Web Development, Web Development Using PHP As an Open Source

as seen on Ezine Articles - Search for 'Ezine Articles'
PHP is a widely-used general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is the most famous language nowadays as it is an open source and web development requires no costs in implementation. >>> More
How to get full query string parameters not UrlDecoded

as seen on Developer IT - Search for 'Developer IT'
Introduction While developing Developer IT’s website, we came across a problem when the user search keywords containing special character like the plus ‘+’ char. We found it while looking for C++ in our search engine. The request parameter output in ASP.NET was “c “.… >>> More
Tracking download of non-html (like pdf) downloads with jQuery and Google Analytics

as seen on Developer IT - Search for 'Developer IT'
Hi folks, it’s been quite calm at Developer IT’s this summer since we were all involved in other projects, but we are slowly comming back. In this post, we will present a simple way of tracking files download with Google Analytics with the help of jQuery. We work for a client that offers… >>> More
What is the best .NET web development framework?

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm looking for a framework to simplify the creation of a website with social networking features and plenty of custom functionality. I'm quite keen to use an ORM like nHibernate or similar for data access. Would DotNetNuke be a good choice? Or are there other options which are better. Added: I'm… >>> More

Related posts about server

SQL SERVER – Server Side Paging in SQL Server 2011 Performance Comparison

as seen on SQL Authority - Search for 'SQL Authority'
Earlier, I have written about SQL SERVER – Server Side Paging in SQL Server 2011 – A Better Alternative. I got many emails asking for performance analysis of paging. Here is the quick analysis of it. The real challenge of paging is all the unnecessary IO reads from the database. Network traffic was… >>> More
Should I switch my server to Ubuntu Server from Windows Server 2003

as seen on Server Fault - Search for 'Server Fault'
I have a server thats primarily used for SRCDS, I host a few Team Fortress 2 servers on it and I would much prefer a ssh-like (more so the no-gui part) for something like this, mostly because I can't navigate with my phone on VNC very well and also because there really is no need for a gui in this… >>> More
Windows web server and SQL Server on same dedicated server

as seen on Server Fault - Search for 'Server Fault'
I'm currently trying to decide on the best approach to handle hosting a few moderate traffic websites for production e-commerce and online applications. We'd like to move to a dedicated server and are looking at this as the most likely machine: Quad Core Intel Core2Quad Q9550 Processor, 2.83 Ghz… >>> More
Windows 7 Desktop/Start Menu Redirection: Server O/S: Windows Server 2003 And Server 2008

as seen on Super User - Search for 'Super User'
Hi, I am new here so I am might be asking a question which has already been answered [however I can't see it in the suggested answers above] I manage a network which is split into a parent domain and a child domain. Recently I have been looking at when to migrate to Windows 7. The child domain… >>> More
Windows 7 Desktop/Start Menu Redirection: Server O/S: Windows Server 2003 And Server 2008

as seen on Server Fault - Search for 'Server Fault'
Hi, I am new here so I am might be asking a question which has already been answered [however I can't see it in the suggested answers above] I manage a network which is split into a parent domain and a child domain. Recently I have been looking at when to migrate to Windows 7. The child domain… >>> More