932200 FP - URL with a query string encoded within a query string parameter #1835
Comments
|
I also noticed this false positive. Do you think we could restrict the regexp, @theMiddleBlue ? Maybe it's an option to exclude |
|
I was not thinking of all the options, you can do |
|
This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days |
|
@theMiddleBlue, you got this issue assigned last Summer. I do not remember whether you volunteered or whether we pushed this on you. But either way, the issue is stale now and might get closed. Are you still interested in fixing it? |
|
Here is my minimal call to trigger this FP at PL2: |
|
I completely missed that, tnx. I'm working on it |
|
I have a problem on reproducing it on Nginx+v3, it seems that both requests don't trigger any rules on my env. Tried:
uhm, any hint? it can be possible that apache and nginx have different behavior in this specific rule? |
|
Hmm. I can reproduce it on NGINX easily. Here is my config: issue-1835.zip nginx: 1.13.2 |
Uh oh!
There was an error while loading. Please reload this page.
Description
The following request triggers a false positive:
/www/script.php?a=1&b=2&c=3&d=https%3A%2F%2Fwww.example.co.uk%2Fa%2Fb%2Fa-bc-z%2F25381&referer=https%3A%2F%2Fwww.example.co.uk%2Fa%2Fsearch%3Fb%3DBc%2Bz%26s%3D2019-08-01%26e%3D2021-04-30%26r%3D25%26d%3D&cb=6a22b65d22Message: Warning. Pattern match "\\s" at MATCHED_VAR. [file "/etc/httpd/modsecurity.d/owasp-crs-modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "633"] [id "932200"] [msg "RCE Bypass Technique"] [data "Matched Data: /search? found within MATCHED_VAR: https://www.example.co.uk/a/search?b=bc z&s=2019-08-01&e=2021-04-30&r=25&d="]Audit Logs / Triggered Rule Numbers
Your Environment
Confirmation
[X ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
The text was updated successfully, but these errors were encountered: