Owasp-modsecurity-crs: OWASP Rule ID 951120 False Positive on phpinfo

Created on 8 Aug 2018  路  3Comments  路  Source: SpiderLabs/owasp-modsecurity-crs

Similar to https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1024

We are seeing that a phpinfo page (PHP version 7.0.31) if placed in index.php in some instances is triggering rule 951120.

Here is the text that is matching the regex from a phpinfo page:

https://regex101.com/r/h9HEvS/1

Here is the error (sanitized of IP address and domain)

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client $IP] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(?i)(?:ORA-[0-9][0-9][0-9][0-9]|java\\\\\\\\.sql\\\\\\\\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" at RESPONSE_BODY. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"] [line "33"] [id "951120"] [rev "1"] [msg "Oracle SQL Information Leakage"] [data "Matched Data: Oracle Corporation </td></tr>\\\\x0a<tr><td class=\\\\x22e\\\\x22>ODBC driver for PDO </td><td class=\\\\x22v\\\\x22>Wez Furlong </td></tr>\\\\x0a<tr><td class=\\\\x22e\\\\x22>ODBC </td><td class=\\\\x22v\\\\x22>Stig Bakken, Andreas Karajannis, Frank M. Kromann, Daniel R. Kalowsky </td></tr>\\\\x0a<tr><td class=\\\\x22e\\\\x22>Opcache </td><td class=\\\\x22v\\\\x22>Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Dmitry Stogov, Xinchen Hui </td></tr>\\\\x0a<tr><td class=\\\\x22e\\\\x22>OpenSSL </td><td class=\\\\x22v\\\\x22>Stig Venaas, Wez Furlong, ..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "pla [hostname "$REDACTED"] [uri "/index.php"] [unique_id "W2oizmTxbp9DpCxo849h7AAAAFQ"]

False Positive Stale issue

Most helpful comment

Hmm interesting. In general i'd feel strongly about blocking phpinfo pages as they can be used to make certain vulnerabilities (like LFI) worse, however not like this... we should rectify this issue, probably by adding more information about the oracle error.

All 3 comments

Hmm interesting. In general i'd feel strongly about blocking phpinfo pages as they can be used to make certain vulnerabilities (like LFI) worse, however not like this... we should rectify this issue, probably by adding more information about the oracle error.

@csanders-git maybe we can add a phpinfo finger print and flag this as a particular event (which is usually bad if exposed to internet) and add more details to this rule to avoid false positives as you said.

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

Was this page helpful?
0 / 5 - 0 ratings