

Owncloud and Sophos UTM SQL injection attacks protection

Hello,
We have an Owncloud server protected with the Sophos UTM Web Application Firewall.
With the "SQL injection attacks" protection enabled I get "Forbidden. You don't have permission to access..." but only if the folder name, inside Owncloud, contains the "º" character.


LOG:

2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Warning. Pattern match "(?i:(?:union\\\\s*?(?:all|distinct|[(!@]*?)?\\\\s*?[([]*?\\\\s*?select\\\\s+)|(?:\\\\w+\\\\s+like\\\\s+[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98])|(?:like\\\\s*?[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\%)|(?:[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98]\\\\s*?like\\\\W*?[\\"'`\\xc2\\xb4 ..." at ARGS:file. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: \\xc2\\xba/report_mar.p found within ARGS:file: /remote.php/webdav/XPTO 1.\\xc2\\xba/report_mar.pdf"] [severity "CRITICAL"] [tag] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960024-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-ARGS:file. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: 981245-Detects basic SQL authentication bypass attempts 2/3"] [data "Last Matched Data: .\\xc2\\xba/"] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd[4310]: [security2:error] [pid 4310:tid 4121217904] [client 10.1.23.160] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=1, XSS=): 981245-Detects basic SQL authentication bypass attempts 2/3"] [hostname "cloud.cm-amadora.pt"] [uri "/apps/files_pdfviewer/"] [unique_id "Ww0tXT4cUEQAABDW4tMAAAD7"]
2018:05:29-11:37:17 proxy01-2 httpd: id="0299" srcip="10.1.23.160" localip="62.28.80.70" size="230" user="-" host="10.1.23.160" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: 981245-Detects basic SQL authentication bypass attempts 2/3" exceptions="-" time="47731" url="/apps/files_pdfviewer/" server="cloud.cm-amadora.pt" port="443" query="?file=%2Fremote.php%2Fwebdav%2FXPTO%25201.%25C2%25BA%2Freport_mar.pdf" referer="-" cookie="oc3p37rxzv3a=ci8hmpc0btr5ul86i5n128u5r3; oc_sessionPassphrase=pyOPtBkFGsqJzWZwYW42em5CTKxUsaPIwVv6PcvO1xsas9gMEvEGaNOSvtj5d2LHwha8VMX0fmq0J1sEitEipqj4zP54S8eOjuPeerqnYppO2NvW0Zun7NlPGLTLiac%2F; ocbu6ol8844h=e2jcmv06hfmj2gtvtt4qm2qvd4; HASH_ocbu6ol8844h=0CDB7DF34AC98C9848BE6C4ECCA1DD520EEC69CE; HASH_oc_sessionPassphrase=3A12091C44894F95952670D68B60102C88D64074" set-cookie="-" uid="Ww0tXT4cUEQAABDW4tMAAAD7"


Is there anything I can do besides turning off SQL injection attack protection for that particular web site?


Thank you
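The log lines above show why "º" alone is enough to trip rule 981245: the CRS 2.2.x pattern writes its quote-like characters (´ ’ ‘) as UTF-8 byte escapes inside a character class, and when that class is applied byte-wise each escape becomes an independent one-byte member. "º" encodes as C2 BA, and 0xC2 is in the class, so the lead byte of the folder name is read as an opening quote and the rest of the value ("/report_mar.p") is matched by one of the rule's later alternations. The following Python script is an added example, written for this page and not code from the poster, Sophos or the OWASP CRS project. It copies only the character class visible in the log (the rest of the regex is truncated there, so it does not reproduce which alternation completed the match), rebuilds the decoded value from the logged query string, and then generalises the post's case by enumerating every character in U+0080..U+00FF that the byte-wise class mistakes for a quote.

```python
import re
from urllib.parse import unquote

# Constructed sample: the ARGS:file value as it appears, URL-encoded, in the UTM
# access log line above. Note it is encoded twice ("%2520", "%25C2%25BA").
LOGGED_QUERY = "%2Fremote.php%2Fwebdav%2FXPTO%25201.%25C2%25BA%2Freport_mar.pdf"

# The same value fully decoded, as shown in the "Matched Data" field of the log.
# "º" is U+00BA (MASCULINE ORDINAL INDICATOR) and encodes to the bytes C2 BA.
SAMPLE_PATH = "/remote.php/webdav/XPTO 1.\u00ba/report_mar.pdf"

# Quote-like character class copied from the rule 981245 pattern in the log.
# Compiled as a *byte* pattern, which is how a PCRE engine not running in UTF-8
# mode sees it, each \xhh is a separate single-byte member of the class.
BYTE_QUOTE = re.compile(rb'["\'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]')

# The class as its author intended it: six code points matched on decoded text.
CHAR_QUOTE = re.compile('["\'`\u00b4\u2019\u2018]')


def decode_like_waf(value):
    """Strip both encoding layers from the logged query value.

    The log shows ModSecurity matching on the fully decoded string, i.e. the
    request was URL-decoded once by the server and once more by the rule's
    transformation before the pattern ran.
    """
    return unquote(unquote(value))


def byte_class_hits(text):
    """Bytes the CRS class flags as 'quotes' over the UTF-8 encoding of text."""
    return BYTE_QUOTE.findall(text.encode("utf-8"))


def char_class_hits(text):
    """Characters a Unicode-aware version of the same class flags as quotes."""
    return CHAR_QUOTE.findall(text)


def byte_class_false_positives(lo=0x80, hi=0xFF):
    """Code points in [lo, hi] the byte-wise class treats as a quote but the
    intended class does not.

    This generalises the post's "º": any character whose UTF-8 encoding
    contains one of the bytes C2, B4, E2, 80, 99 or 98 is affected. That is
    all of U+0080..U+00BF (lead byte C2), plus À Ø Ù ô (continuation byte
    80/98/99/B4), and, above this default range, everything in U+2000..U+2FFF
    (lead byte E2), which includes the Euro sign.
    """
    return [chr(cp) for cp in range(lo, hi + 1)
            if byte_class_hits(chr(cp)) and not char_class_hits(chr(cp))]


if __name__ == "__main__":
    decoded = decode_like_waf(LOGGED_QUERY)
    print("decoded value :", decoded)
    print("byte class    :", byte_class_hits(decoded))   # [b'\xc2'] -> "º" looks like a quote
    print("unicode class :", char_class_hits(decoded))   # []        -> nothing quote-like
    fps = byte_class_false_positives()
    print("Latin-1 chars the byte class mis-reads as quotes:", len(fps), "".join(fps))
```

Because the rule fires on a byte that is part of an ordinary Latin-1 character, there is no way to "fix" the folder name short of avoiding non-ASCII in path names, which is not reasonable for a file share. The targeted remedy in plain ModSecurity is a rule exclusion scoped to the one parameter and rule rather than disabling the SQLi category for the whole site, for example `SecRuleUpdateTargetById 981245 "!ARGS:file"`; whether the UTM's WAF profile exposes that granularity (a skip-by-rule-ID list rather than the whole threat category) depends on the UTM version and is not shown on this page. Later CRS releases use the same idea but spell the class in Unicode mode, so an upgraded rule set is the other check worth making.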


