php ModSecurity: Access denied with code 403

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/16708385/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-08-25 11:35:06  Source: igfitidea

ModSecurity: Access denied with code 403

php mod-security

Asked by Chamika

I have enabled mod security for one of my servers; however, if I submit a form with Unicode characters it shows the following error in the log and doesn't allow access to the web page.

[Wed May 192.168.0.1 2013] [error] [client 192.168.0.1] ModSecurity: Access denied with code 403 (phase 2). 
Pattern match "(?i:(?:,.*?[)\\da-f\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98][\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98](?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98].*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|\\Z|[^\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+))|(?:\\Wselect.+\\W*?from)|((? ..." at ARGS:shortDescription. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: , \xe0\xb6\xa1\xe0\xb6\xb1\xe0\xb7\x8a\xe0\xb6\xaf \xe0\xb6\xb6\xe0\xb6\xbd\xe0\xb6\xba\xe0\xb7\x99\xe0\xb6\xb1\xe0\xb7\x8a \xe0\xb6\x91\xe0\xb6\xba \xe0\xb6\xb4\xe0\xb7\x99\xe0\xb6\xbb\xe0\xb7\x85\xe0\xb7\x93\xe0\xb6\xb8\xe0\xb6\xa7 \xe0\xb6\x9a\xe0\xb6\xa7\xe0\xb6\xba\xe0\xb7\x94\xe0\xb6\xad\xe0\xb7\x94 \xe0\xb6\x9a\xe0\xb6\xbb\xe0\xb6\xb1 \xe0\xb6\xb6\xe0\xb7\x80\xe0\xb6\xad\xe0\xb7\x8a \xe0\xb7\x80\xe0\xb7\x92\xe0\xb6\xb4\xe0\xb6\x9a\xe0\xb7\x8a\xe0\xb [hostname "doomain.test.invalid"] [uri "/admin/add_news_article.php"] [unique_id "UZycDtHvchoAAENNXfYAAABR"] 

Answered by Shuro

If this site is a production server: run Mod_Security in detection_only mode first and check the logs for false positives.

Look in the CRS for the ID:


localhost:/etc/modsecurity>grep 981257 *.conf
modsecurity_crs_41_sql_injection_attacks.conf:SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:,.*?[)\da-f\"'`′'‘][\"'`′'‘](?:[\"'`′'‘].*?[\"'`′'‘]|\Z|[^\"'`′'‘]+))|(?:\Wselect.+\W*?from)|((?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*?\(\s*?space\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',id:'981257',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"

Looks like you have special characters in your argument shortDescription.


Answered by Izzy

Another hint: If you have a rule which provokes a lot of "false positives", you can easily disable it (even specifically for a given path) using the SecRuleRemoveById keyword. Example for the error in your question:

<Directory /var/www/admin>
  SecRuleRemoveById 981257
</Directory>

Assumed /var/www is the DOCUMENT_ROOT used. This way you can use the complete provided ruleset, but disable single rules where they should not be applied.
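As an added example that is not part of the original question or either answer, the following Python script ties the two answers together: it parses ModSecurity 2.x Apache error-log lines shaped like the one in the question, tallies hits per (rule id, URI, matched variable) so that repeated hits from a DetectionOnly run can be reviewed as false-positive candidates, and renders the `<Directory>` / `SecRuleRemoveById` snippet from the second answer for each candidate. The sample log lines, the second rule id 999001, the document root /var/www and the `min_hits` threshold are constructed assumptions, not values from the page.

```python
import posixpath
import re
from collections import Counter

# Constructed sample lines (not from the original post) in the ModSecurity 2.x
# Apache error-log format. The first three mirror the shape of the line in the
# question (rule 981257 on ARGS:shortDescription); the third shows what the same
# event looks like when the engine runs in DetectionOnly mode ("Warning." instead
# of "Access denied"). The fourth uses a made-up rule id 999001 as a contrast.
SAMPLE_LOG = r'''
[Wed May 22 10:00:01 2013] [error] [client 192.168.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:,.*?[)\\da-f\"'`]))" at ARGS:shortDescription. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [hostname "doomain.test.invalid"] [uri "/admin/add_news_article.php"] [unique_id "CONSTRUCTED01"]
[Wed May 22 10:02:17 2013] [error] [client 192.168.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:,.*?[)\\da-f\"'`]))" at ARGS:shortDescription. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [hostname "doomain.test.invalid"] [uri "/admin/add_news_article.php"] [unique_id "CONSTRUCTED02"]
[Wed May 22 10:05:40 2013] [error] [client 192.168.0.1] ModSecurity: Warning. Pattern match "(?i:(?:,.*?[)\\da-f\"'`]))" at ARGS:shortDescription. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "209"] [id "981257"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [hostname "doomain.test.invalid"] [uri "/admin/add_news_article.php"] [unique_id "CONSTRUCTED03"]
[Wed May 22 10:09:03 2013] [error] [client 192.168.0.2] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_99_constructed_example.conf"] [line "1"] [id "999001"] [msg "Constructed example rule"] [hostname "doomain.test.invalid"] [uri "/index.php"] [unique_id "CONSTRUCTED04"]
'''

# [key "value"] pairs appended by ModSecurity, e.g. [id "981257"] or [uri "/x"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the operator matched against, e.g. "at ARGS:shortDescription. [file".
TARGET_RE = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')
# "Access denied with code NNN" means the request was blocked; "Warning." means
# the engine only logged it (SecRuleEngine DetectionOnly).
ACTION_RE = re.compile(r'ModSecurity: (?:Access denied with code (\d+)|Warning\.)')
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')


def parse_line(line):
    """Return a dict describing one ModSecurity log event, or None if the line is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    action = ACTION_RE.search(line)
    client = CLIENT_RE.search(line)
    target = TARGET_RE.search(line)
    return {
        "rule_id": fields["id"],
        "msg": fields.get("msg", ""),
        "file": fields.get("file", ""),
        "uri": fields.get("uri", ""),
        "hostname": fields.get("hostname", ""),
        "client": client.group(1) if client else "",
        "target": target.group(1) if target else "",
        # None means the engine only warned (DetectionOnly); an int is the HTTP status used to block.
        "blocked_with": int(action.group(1)) if action and action.group(1) else None,
    }


def parse_log(text):
    """Parse every ModSecurity event in a block of error-log text."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def summarize(events):
    """Count hits per (rule id, URI, matched variable); repeated hits on the same
    legitimate form field are the usual signature of a false positive."""
    return Counter((e["rule_id"], e["uri"], e["target"]) for e in events)


def suggest_exclusions(events, document_root, min_hits=2):
    """Render a <Directory>/SecRuleRemoveById snippet (the form used in the second
    answer) for each rule/URI pair seen at least min_hits times. The mapping from
    URI to directory assumes the URI path sits directly under document_root."""
    snippets = []
    for (rule_id, uri, target), hits in sorted(summarize(events).items()):
        if hits < min_hits:
            continue
        directory = posixpath.normpath(document_root.rstrip("/") + posixpath.dirname(uri))
        snippets.append(
            f"# {hits} hits for rule {rule_id} on {target} at {uri}; confirm these are\n"
            f"# legitimate requests before applying\n"
            f"<Directory {directory}>\n"
            f"  SecRuleRemoveById {rule_id}\n"
            f"</Directory>"
        )
    return snippets


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, hits in summarize(evs).most_common():
        print(hits, *key)
    for snippet in suggest_exclusions(evs, "/var/www", min_hits=2):
        print(snippet)
```

The `blocked_with` field is what makes the first answer's advice actionable: after switching to DetectionOnly, the same rule keeps appearing as "Warning." rather than "Access denied", so the tally can be built from real traffic without locking anyone out. Disabling a whole rule for a directory is the coarsest fix; ModSecurity 2.6 and later also allow `SecRuleUpdateTargetById 981257 "!ARGS:shortDescription"`, which keeps the rule active for every other argument and only excludes the one field that is known to carry free-form text.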