This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Owncloud and UTM Sophos UTM SQL injection attacks protection

Hello,
We have an Owncloud server Protect with Sophos UTM Web Application Firewall.
Whith the "SQL injection attacks" protection enable I got "Forbidden You don’t have permission to access.. " but only if the Folder name, inside Owncloud, contains the "º" character.

 

LOG:

2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Warning. Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4 ..." at ARGS:file. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\xc2\\xba/report_mar.p found within ARGS:file: /remote.php/webdav/XPTO 1.\\xc2\\xba/report_mar.pdf"] [severity "CRITICAL"] [tag] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960024-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:file. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: 981245-Detects basic SQL authentication bypass attempts 2/3"] [data "Last Matched Data: .\\xc2\\xba/"] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=1, XSS=): 981245-Detects basic SQL authentication bypass attempts 2/3"] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd: id="0299" srcip="10.1.23.160" localip="62.28.80.70" size="230" user="-" host="10.1.23.160" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: 981245-Detects basic SQL authentication bypass attempts 2/3" exceptions="-" time="47731" url="/apps/files_pdfviewer/" server="cloud.cm-amadora.pt" port="443" query="?file=%2Fremote.php%2Fwebdav%2FXPTO%25201.%25C2%25BA%2Freport_mar.pdf" referer="-" cookie="oc3p37rxzv3a=ci8hmpc0btr5ul86i5n128u5r3; oc_sessionPassphrase=pyOPtBkFGsqJzWZwYW42em5CTKxUsaPIwVv6PcvO1xsas9gMEvEGaNOSvtj5d2LHwha8VMX0fmq0J1sEitEipqj4zP54S8eOjuPeerqnYppO2NvW0Zun7NlPGLTLiac%2F; ocbu6ol8844h=e2jcmv06hfmj2gtvtt4qm2qvd4; HASH_ocbu6ol8844h=0CDB7DF34AC98C9848BE6C4ECCA1DD520EEC69CE; HASH_oc_sessionPassphrase=3A12091C44894F95952670D68B60102C88D64074" set-cookie="-" uid="Ww0tXT4cUEQAABDW4tMAAAD7"

 

Anything I can do besides turn off SQL injection attack protection for that particular Web site?

 

Thank you



This thread was automatically locked due to age.
Parents
  • Hi Joao,

    Instead of disabling the filter for SQL injection, simply add the "id" that you can see inside the log lines in Skip Filter Rules option you can find within the Firewall Profile you use for protecting the virtual server definition.

    2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Warning. Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4 ..." at ARGS:file. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\xc2\\xba/report_mar.p found within ARGS:file: /remote.php/webdav/XPTO 1.\\xc2\\xba/report_mar.pdf"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Reply
  • Hi Joao,

    Instead of disabling the filter for SQL injection, simply add the "id" that you can see inside the log lines in Skip Filter Rules option you can find within the Firewall Profile you use for protecting the virtual server definition.

    2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Warning. Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4 ..." at ARGS:file. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\xc2\\xba/report_mar.p found within ARGS:file: /remote.php/webdav/XPTO 1.\\xc2\\xba/report_mar.pdf"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Children