I've installed nginx with modsec with the following versions:
Modsec version: v3.0.3
Nginx version: 1.13.6
and I've excluded rule 933160 as follows:
SecRule REQUEST_URI "@beginsWith /a/b/c/d" \
"phase:2,log,pass,id:20501,ctl:ruleRemoveById=933160"
however, the rule still triggers the following warning:
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate (2095 characters omitted)' against variable `ARGS:9ce92bb7' (Value: `<TitleBarStyle size='14'> <text xpos='6'>AcmeCorp John</text> <text xpos='6' ypos='16'>206-596-7084< (156 characters omitted)' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "311"] [id "933160"] [rev "1"] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: eval($sys.hidetabs?@dispW,($sys.ntabs==4)?@lkpg1,@lkpg1v2) found within ARGS:9ce92bb7: <TitleBarStyle size='14'> <text xpos='6'>AcmeCorp John</text> <text xpos='6' ypos='16'>206-596-7084</text> <Notifications list='*' width='$eval($sys.hidetabs?@dispW,($sys.ntabs==4)?@lkpg1,@lkpg1v2)' align='right' xpos='0'> </Notifications> </TitleBarStyle>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "172.18.0.2"] [uri "/a/b/c/d"] [unique_id "159354754554.932910"] [ref "o139,58v77,256"]
Can someone please help and point out what I've missed?
0 Answers
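An added example, not part of the original post: a `ctl:ruleRemoveById` exclusion only affects rules that are evaluated after it has run in the same transaction, and rules within one phase run in the order they are loaded. Rule 933160 is a phase 2 rule, so the sketch below loads the exclusion before the CRS rule files and runs it in phase 1. Only the CRS directory comes from the log line in the question; the other file paths and the overall file layout are assumptions.

```apache
# Assumed contents of the rules file that nginx loads via modsecurity_rules_file.

# Assumed path of the base ModSecurity configuration.
Include /etc/nginx/modsec/modsecurity.conf

# Assumed: crs-setup.conf.example from the CRS directory copied to crs-setup.conf.
Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf

# Runtime exclusion, loaded BEFORE the CRS rule files.
# phase:1 finishes before any phase:2 rule is evaluated, so 933160 is already
# removed for this transaction when REQUEST-933-APPLICATION-ATTACK-PHP.conf runs.
# Same id, operator and actions as in the question; only the phase differs.
SecRule REQUEST_URI "@beginsWith /a/b/c/d" \
    "id:20501,phase:1,log,pass,ctl:ruleRemoveById=933160"

# CRS rules are loaded after the exclusion (directory taken from the log line).
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/*.conf

# Configure-time alternative, shown commented out because it is broader:
# it removes 933160 for every URI and must come AFTER the Include above,
# since it can only remove a rule that has already been loaded.
# SecRuleRemoveById 933160
```

With the exclusion in place, the entry for id 20501 should still appear in the log for requests under /a/b/c/d, while the 933160 warning for the same `unique_id` should not.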