932239 blocking Mozilla user-agents | Matched Data: ; PG found · Issue #3725 · coreruleset/coreruleset · GitHub
Closed
isniukArte opened this issue May 30, 2024 · 1 comment · Fixed by #3727 or #3735
Description

We have a lot of absolutely legal requests from real users with User-Agent like this:
Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36

These requests are blocked by 932239 with reason:
Matched Data: ; PG found within REQUEST_HEADERS:user-agent: Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36

How to reproduce the misbehavior (-> curl call)

curl -X GET host.with.pl2.enabled -kL \
-H "User-Agent: Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36" \
-H "Host: host.with.pl2.enabled"

Your Environment

  • CRS version (e.g., v3.3.4): 4.3.0
  • Paranoia level setting (e.g. PL1): PL2
  • ModSecurity version (e.g., 2.9.6): ModSecurity v3.0.12 (Linux)
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): ingress-nginx controller v1.10.0
  • Operating System and version: n/a

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

franbuehler (Contributor) commented May 30, 2024

Thank you for your report and sorry for the inconvenience. I can confirm the false positive:

curl -H "x-crs-paranoia-level: 2" -H "x-format-output: txt-matched-rules" -A "Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.180 Mobile Safari/537.36" https://sandbox.coreruleset.org/
932239 PL2 Remote Command Execution: Unix Command Injection found in user-agent or referer header
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 5)
980170 PL1 Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-5-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=5)

Indeed, this user-agent seems to be legit. I don't find an exact match, but two (or more) close examples, where we also find this ; PG as part of the user-agent string:

I think this false positive could be resolved by adding pg or pgt (I'll have to find out) to the file that handles user-agent exclusions for rule 932230.
I can provide a PR for that so that this false positive gets resolved for the next CRS release.
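To illustrate why a separator-plus-command pattern fires on "; PGT-N19" and how a user-agent token exclusion resolves it, here is an added Python model; it is not CRS code, and the command subset, the regex shape and the PGT- exclusion token are assumptions, not the real 932239 rule or exclusion file.

```python
import re

# Constructed, simplified model of a CRS-style "Unix command in User-Agent"
# check. It is NOT the real 932239 regex: a command name counts as a hit when
# it follows a shell separator, and no trailing word boundary is required,
# which reproduces the observed "; PG" hit inside "; PGT-N19".
UNIX_COMMANDS = ["cat", "ls", "pg", "wget", "curl"]  # constructed subset
COMMAND_RE = re.compile(
    r"(?:^|[;|&])\s*(?:" + "|".join(map(re.escape, UNIX_COMMANDS)) + r")",
    re.IGNORECASE,
)

# Constructed allowlist of benign user-agent tokens, after the "user-agent
# exclusions" idea in the comment above. The PGT- device-model token is a
# hypothetical entry. Each entry covers a whole token, so "; PGT-N19" is
# neutralised while a bare "; pg" is still inspected.
UA_EXCLUSIONS = [r"PGT-[A-Z0-9]+"]
EXCLUSION_RE = re.compile("|".join(UA_EXCLUSIONS), re.IGNORECASE)


def find_command(user_agent: str, apply_exclusions: bool = True):
    """Return the matched text (e.g. '; PG'), or None when the UA is clean."""
    candidate = user_agent
    if apply_exclusions:
        # Strip known-benign tokens first, so the separator in front of them
        # is no longer followed by something that looks like a command name.
        candidate = EXCLUSION_RE.sub("", candidate)
    m = COMMAND_RE.search(candidate)
    return m.group(0) if m else None


# The user-agent from the report above.
HONOR_UA = (
    "Mozilla/5.0 (Linux; Android 14; PGT-N19 Build/HONORPGT-N49; wv) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
    "Chrome/124.0.6367.180 Mobile Safari/537.36"
)

if __name__ == "__main__":
    print(find_command(HONOR_UA, apply_exclusions=False))  # "; PG" (false positive)
    print(find_command(HONOR_UA))                          # None
    # An exclusion token does not hide a separator+command elsewhere in the UA.
    print(find_command("Mozilla/5.0 (PGT-N19; pg /tmp/x)"))  # "; pg"
```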
