#8027 closed bug (wontfix)
Opened January 18, 2012 04:56PM UTC
Closed January 22, 2012 08:01PM UTC
the cookie set by persistent tabs triggers false positive in mod_security
| Reported by: | neokio | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 1.9.0 |
| Component: | ui.tabs | Version: | 1.8.5 |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
Mod_Security is an open source intrusion detection and prevention engine. Most web hosts enable it by default, as it saves most people lots of grief. A few weeks ago, my host updated to the latest rule-set.
And now ... jQuery UI Tabs + tab state storage via cookies = Mod_Security "Access Denied". Why? Because the cookie looks like this: "ui-tabs-1=1" which contains 1=1. Any instance of "1=1" in an HTTP request or cookie triggers a "SQL Injection Attack" alarm.
Here is the Apache Mod_Security error:
Message: Access denied with code 406 (phase 2). Pattern match "\\b(\\d+) ?= ?\\1\\b|[\\'"](\\w+)[\\'"] ?= ?[\\'"]\\2\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "959901"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Hope this is useful to someone!
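Why the rule fires on this cookie, as an added example that is not part of the ticket or of jQuery UI: the regex quoted in the log line above, run over constructed Cookie headers two ways. The first function inspects the raw header, as the host's rule does (its target is REQUEST_HEADERS:Cookie), so the "=" between a cookie's name and its value becomes part of the searched text and "ui-tabs-1=1" contains the tautology "1=1". The second splits the header into cookies first and tests each name and each value on its own, which is what a rule targeting REQUEST_COOKIES and REQUEST_COOKIES_NAMES would see; there the same header produces no match while a real "1 OR 1=1" inside a value still does. The doubled backslashes in the log are assumed to be the error log's own escaping; the sample headers and the helper names are constructed for this example.

```python
import re

# The pattern ModSecurity reported in the ticket's log line, as a Python regex.
# (Assumption: the doubled backslashes in the log are the error log's own
# escaping, so one level is removed here.) The first alternative matches
# numeric tautologies such as "1=1" or "42 = 42"; the second, quoted ones such
# as 'a'='a'. It is a plain substring search and has no notion of where one
# cookie's name ends and its value begins.
TAUTOLOGY_RE = re.compile(r"""\b(\d+) ?= ?\1\b|['"](\w+)['"] ?= ?['"]\2\b""")


def match_raw_header(cookie_header):
    """Mimic a rule targeting REQUEST_HEADERS:Cookie (the whole raw header).

    Returns the matched text, i.e. what ModSecurity would log as [data],
    or None when the rule would not fire.
    """
    m = TAUTOLOGY_RE.search(cookie_header)
    return m.group(0) if m else None


def parse_cookies(cookie_header):
    """Split a Cookie header into (name, value) pairs, keeping order."""
    pairs = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def match_parsed_cookies(cookie_header):
    """Mimic a rule targeting REQUEST_COOKIES and REQUEST_COOKIES_NAMES instead.

    Each name and each value is tested on its own, so the "=" separating them
    is never part of the inspected string. Returns {name: matched text} for
    the cookies that would still fire.
    """
    hits = {}
    for name, value in parse_cookies(cookie_header):
        for field in (name, value):
            m = TAUTOLOGY_RE.search(field)
            if m:
                hits[name] = m.group(0)
                break
    return hits


# Constructed sample headers (not taken from the ticket or any real log).
SAMPLES = [
    "ui-tabs-1=1",                     # tabs widget #1 remembering tab index 1
    "ui-tabs-1=0",                     # same widget, tab index 0: no tautology
    "ui-tabs-1=1; PHPSESSID=k3qv9s2",  # with an unrelated session cookie
    "tabs1=1",                         # no word boundary before the name's digit
    "id=1 OR 1=1",                     # a genuine tautology inside a value
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:36} raw header: {match_raw_header(header)!r:8} "
              f"per cookie: {match_parsed_cookies(header)!r}")
```

The "tabs1=1" sample shows how much the match depends on the `\b` before the digits: the hyphen in "ui-tabs-" supplies the word boundary, a cookie name ending in a letter would not. If you control the ModSecurity configuration rather than the application, the least invasive change (assuming ModSecurity 2.6 or later, which supports rule target updates) is to drop the raw-header target for that one rule, e.g. `SecRuleUpdateTargetById 959901 !REQUEST_HEADERS:Cookie`, and rely on the per-cookie targets instead; a blanket exclusion of the cookie header would also hide the real "1 OR 1=1" case above.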
Attachments (0)
Change History (2)
Changed January 18, 2012 06:26PM UTC by comment:1
That seems like a really weak detection. You should probably file a bug with Mod_Security.
Changed January 22, 2012 08:01PM UTC by comment:2
| resolution: | → wontfix |
|---|---|
| status: | new → closed |
"Fixing" this would be a breaking change. Since the cookie option is being deprecated in 1.9, I don't see a reason to keep this ticket open.