2. Programming Q&A
  3. apache - Modsecurity access denied question, I bypassed the rule but would like to know what this error means - Stack Overflow

apache - Modsecurity access denied question, I bypassed the rule but would like to know what this error means - Stack Overflow

admin2025-05-01  0

Is there something in the cookie that triggers this rule? Any help will be much appreciated, thanks!

[client 24.175.237.235] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_first. [file "/etc/apache2/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "64"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||xxx.xxx|F|2"] [data "Matched Data: tct=(none) found within REQUEST_COOKIES:sbjs_first: typ=typeinsrc=(direct)mdm=(none)cmp=(none)cnt=(none)trm=(none)id=(none)plt=(none)fmt=(none)tct=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "xxx.xxx"] [uri "/wp-admin/"] [unique_id "Z3bpos2DNUB6e_P0DPVLigAAANQ"]

Is there something in the cookie that triggers this rule? Any help will be much appreciated, thanks!

[client 24.175.237.235] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\[\\\\]\\\\x22',()\\\\.]{10}$|\\\\b(?:union\\\\sall\\\\sselect\\\\s(?:(?:null|\\\\d+),?)+|order\\\\sby\\\\s\\\\d{1,4}|(?:and|or)\\\\s\\\\d{4}=\\\\d{4}|waitfor\\\\sdelay\\\\s'\\\\d+:\\\\d+:\\\\d+'|(?:select|and|or)\\\\s(?:(?:pg_)?sleep\\\\(\\\\d+\\\\)|\\\\d+\\\\s?=\\\\s?(?:dbms_pipe\\\\.receive_message\\\\ ..." at REQUEST_COOKIES:sbjs_first. [file "/etc/apache2/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "64"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||xxx.xxx.com|F|2"] [data "Matched Data: tct=(none) found within REQUEST_COOKIES:sbjs_first: typ=typeinsrc=(direct)mdm=(none)cmp=(none)cnt=(none)trm=(none)id=(none)plt=(none)fmt=(none)tct=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "xxx.xxx.com"] [uri "/wp-admin/"] [unique_id "Z3bpos2DNUB6e_P0DPVLigAAANQ"]
  • apache
  • mod-security
Share Improve this question asked Jan 2 at 19:48 iamdamnsamiamdamnsam 334 bronze badges
Add a comment  | 

1 Answer 1

Reset to default 0

You can see the original value of the cookie in line's data field:

[data "Matched Data: tct=(none) found within REQUEST_COOKIES:sbjs_first: typ=typeinsrc=(direct)mdm=(none)cmp=(none)cnt=(none)trm=(none)id=(none)plt=(none)fmt=(none)tct=(none)"]

I don't know the rule itself, but if you think this cookie has a valid content, you should make an exclusion.

转载请注明原文地址:http://anycun.com/QandA/1746099638a91660.html