Hello,
We have an Owncloud server protected with Sophos UTM Web Application Firewall.
With the "SQL injection attacks" protection enabled I get "Forbidden You don’t have permission to access.." but only if the folder name, inside Owncloud, contains the "º" character.
LOG:
2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Warning. Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4 ..." at ARGS:file. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\xc2\\xba/report_mar.p found within ARGS:file: /remote.php/webdav/XPTO 1.\\xc2\\xba/report_mar.pdf"] [severity "CRITICAL"] [tag] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960024-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:file. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: 981245-Detects basic SQL authentication bypass attempts 2/3"] [data "Last Matched Data: .\\xc2\\xba/"] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=1, XSS=): 981245-Detects basic SQL authentication bypass attempts 2/3"] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd: id="0299" srcip="10.1.23.160" localip="62.28.80.70" size="230" user="-" host="10.1.23.160" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: 981245-Detects basic SQL authentication bypass attempts 2/3" exceptions="-" time="47731" url="/apps/files_pdfviewer/" server="cloud.cm-amadora.pt" port="443" query="?file=%2Fremote.php%2Fwebdav%2FXPTO%25201.%25C2%25BA%2Freport_mar.pdf" referer="-" cookie="oc3p37rxzv3a=ci8hmpc0btr5ul86i5n128u5r3; oc_sessionPassphrase=pyOPtBkFGsqJzWZwYW42em5CTKxUsaPIwVv6PcvO1xsas9gMEvEGaNOSvtj5d2LHwha8VMX0fmq0J1sEitEipqj4zP54S8eOjuPeerqnYppO2NvW0Zun7NlPGLTLiac%2F; ocbu6ol8844h=e2jcmv06hfmj2gtvtt4qm2qvd4; HASH_ocbu6ol8844h=0CDB7DF34AC98C9848BE6C4ECCA1DD520EEC69CE; HASH_oc_sessionPassphrase=3A12091C44894F95952670D68B60102C88D64074" set-cookie="-" uid="Ww0tXT4cUEQAABDW4tMAAAD7"
Is there anything I can do besides turning off SQL injection attack protection for that particular Web site?
Thank you
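An added example, not part of the original post: it decodes the logged query the way the logged ARGS:file value shows it (two rounds of percent-decoding) and checks which bytes fall inside the quote character class visible in the logged pattern for rule 981245. It assumes the class is matched byte by byte, as the escaped bytes in the log suggest; the function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Character class copied from the pattern fragment logged for rule 981245:
# " ' ` followed by the UTF-8 bytes of U+00B4, U+2019 and U+2018.
CLASS_BYTES = re.compile(rb"[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]")
# The same class read as whole characters (assumption: what the rule intends).
CLASS_TEXT = re.compile("[\"'`\u00b4\u2019\u2018]")

# Query string from the access-log line in the post (cookies left out).
QUERY = "file=%2Fremote.php%2Fwebdav%2FXPTO%25201.%25C2%25BA%2Freport_mar.pdf"


def decode_arg(query, rounds=2):
    """Percent-decode the parameter value `rounds` times and return raw bytes."""
    value = query.split("=", 1)[1].encode("ascii")
    for _ in range(rounds):
        value = unquote_to_bytes(value)
    return value


def bytewise_hits(raw):
    """Offsets and bytes accepted when the class is applied to single bytes."""
    return [(m.start(), m.group()) for m in CLASS_BYTES.finditer(raw)]


def text_hits(raw):
    """Characters accepted when the class is applied to decoded UTF-8 text."""
    return [m.group() for m in CLASS_TEXT.finditer(raw.decode("utf-8"))]


if __name__ == "__main__":
    raw = decode_arg(QUERY)
    print("ARGS:file bytes :", raw)
    print("byte-wise hits  :", bytewise_hits(raw))
    print("character hits  :", text_hits(raw))
```

The only byte-wise hit is the 0xC2 lead byte of "º" (UTF-8 C2 BA), which is also the lead byte of "´" (C2 B4) in the class, and the character-level match finds nothing. The rule id in the log (981245) is the value to use if the WAF lets you skip individual rules, which is narrower than turning off the whole SQL injection category.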