Ticket #8027 (closed bug: wontfix)

Opened 3 years ago

Last modified 3 years ago

the cookie set by persistent tabs triggers false positive in mod_security

Reported by: neokio Owned by:
Priority: minor Milestone: 1.9.0
Component: ui.tabs Version: 1.8.5
Keywords: Cc:
Blocking: Blocked by:

Description

Mod_Security is an open source intrusion detection and prevention engine. Most web hosts enable it by default, as it saves most people lots of grief. A few weeks ago, my host updated to the latest rule-set.

And now ... jQuery UI Tabs + tab state storage via cookies = Mod_Security "Access Denied". Why? Because the cookie looks like this: "ui-tabs-1=1" which contains 1=1. Any instance of "1=1" in an HTTP request or cookie triggers a "SQL Injection Attack" alarm.

Here is the Apache Mod_Security error:

Message: Access denied with code 406 (phase 2).
Pattern match "\b(\d+) ?= ?\1\b|[\'"](\w+)[\'"] ?= ?[\'"]\2\b" at REQUEST_HEADERS:Cookie.
[file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "959901"]
[msg "SQL Injection Attack"] [data "1=1"]
[severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]

Hope this is useful to someone!

Change History

comment:1 Changed 3 years ago by scott.gonzalez

That seems like a really weak detection. You should probably file a bug with Mod_Security.

comment:2 Changed 3 years ago by scott.gonzalez

  • Status changed from new to closed
  • Resolution set to wontfix

"Fixing" this would be a breaking change. Since the cookie option is being deprecated in 1.9, I don't see a reason to keep this ticket open.
