Hi, I have mod_security enabled on a CentOS 5 server, and one of the rules is keeping a user from posting some text on a form. The text is legitimate, but it has the word 'create' and an HTML <table> tag later in it, so it is causing a false positive.

The error I am receiving is below:

[Sun Apr 25 20:36:53 2010] [error] [client 76.171.171.xxx] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:body. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "352"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/node/181/edit"] [unique_id "@TaVDEWnlusAABQv9@oAAAAD"]

And here is /usr/local/apache/conf/modsec2.user.conf (line 352):

#Generic SQL sigs
SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:1,rev:1,severity:2,msg:'Generic SQL injection protection'"

The questions I have are:

  1. What should I do to "whitelist" or allow this rule to get through?
  2. What file do I create and where?
  3. How should I alter this rule?
  4. Can I set it to only be allowed for the one domain, since it is the only one having the issue on this dedicated server, or is there a better way to exclude table tags perhaps?

Thanks guys

nicholas.alipaz

1 Answer

You can disable ModSecurity on a specific URL with the LocationMatch directive, something like this:

<LocationMatch "/node/181/edit">
  <IfModule mod_security2.c>
    SecRuleEngine Off 
  </IfModule>
</LocationMatch>

http://www.atomicorp.com/wiki/index.php/Mod_security

quanta
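
A narrower alternative to the block in the answer above, as an added example that is not part of the original answer: `SecRuleEngine Off` stops every ModSecurity rule for that URL, whereas `SecRuleRemoveById` leaves the engine on and drops only the rule that misfired. It assumes the rule id is 300015, as reported in the error log in the question, and that the block goes inside the `<VirtualHost>` for www.mysite.com.

```apache
# Added example, not from the original answer.
# Assumption: the loaded rule's id is 300015, as the error log reports
# (the rule text quoted in the question shows id:1; use the id your
# running configuration actually logs).
# This must be read after the file that defines the rule
# (/usr/local/apache/conf/modsec2.user.conf), and placing it inside the
# <VirtualHost> for www.mysite.com limits the exception to that domain.
<LocationMatch "^/node/181/edit$">
  <IfModule mod_security2.c>
    # Engine stays on; only the "Generic SQL injection protection"
    # rule is removed for this one URL.
    SecRuleRemoveById 300015
  </IfModule>
</LocationMatch>
```

After reloading Apache, resubmit the form and confirm the error log no longer shows id 300015 for /node/181/edit while other rules still log for that URL.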