#8027 closed bug (wontfix)

Opened January 18, 2012 04:56PM UTC

Closed January 22, 2012 08:01PM UTC

the cookie set by persistent tabs triggers false positive in mod_security

Reported by: neokio
Owned by:
Priority: minor
Milestone: 1.9.0
Component: ui.tabs
Version: 1.8.5
Keywords:
Cc:
Blocked by:
Blocking:
Description

Mod_Security is an open source intrusion detection and prevention engine. Most web hosts enable it by default, as it saves most people lots of grief. A few weeks ago, my host updated to the latest rule-set.

And now ... jQuery UI Tabs + tab state storage via cookies = Mod_Security "Access Denied". Why? Because the cookie looks like this: "ui-tabs-1=1" which contains 1=1. Any instance of "1=1" in an HTTP request or cookie triggers a "SQL Injection Attack" alarm.

Here is the Apache Mod_Security error:

Message: Access denied with code 406 (phase 2).
Pattern match "\\b(\\d+) ?= ?\\1\\b|[\\'"](\\w+)[\\'"] ?= ?[\\'"]\\2\\b" at REQUEST_HEADERS:Cookie.
[file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "959901"]
[msg "SQL Injection Attack"] [data "1=1"]
[severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]

Hope this is useful to someone!

Attachments (0)
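
To show exactly when the logged pattern fires on this cookie, here is an added example (not part of the ticket, jQuery UI or ModSecurity) that runs the pattern from the log message against constructed Cookie header values. Every sample other than "ui-tabs-1=1", and the names matchRule, explain and SAMPLES, are assumptions made for illustration.

```javascript
// Added example: pattern copied from the log entry for rule id 959901,
// with the log's doubled backslashes removed. ModSecurity evaluates it with
// PCRE; for these ASCII inputs JavaScript's \b, \d, \w and backreferences
// behave the same way (assumption stated for this demo).
const RULE_959901 = /\b(\d+) ?= ?\1\b|['"](\w+)['"] ?= ?['"]\2\b/;

// Returns the text the rule would report as [data "..."], or null if the
// header passes. matchRule and explain are names invented for this example.
function matchRule(cookieHeader) {
  const m = RULE_959901.exec(cookieHeader);
  return m ? m[0] : null;
}

// Constructed Cookie header values; only "ui-tabs-1=1" appears in the ticket.
const SAMPLES = [
  "ui-tabs-1=1",              // from the ticket: "-" then "1" gives \b, 1 = 1
  "ui-tabs-1=0",              // different value: backreference \1 fails
  "ui-tabs-2=2",              // any equal pair of numbers matches
  "ui-tabs-12=1",             // "12" != "1", and no \b between "1" and "2"
  "ui-tabs-1=12",             // trailing \b fails between "1" and "2"
  "uitabs_1=1",               // hypothetical name: "_" is a word char, no \b
  "session=abc; ui-tabs-1=1", // the rule scans the whole Cookie header
];

// One report line per header, in the spirit of the audit log entry.
function explain(headers) {
  return headers.map((h) => {
    const data = matchRule(h);
    const verdict = data ? "BLOCK 406" : "pass     ";
    return `${verdict}  ${h}` + (data ? `  [data "${data}"]` : "");
  });
}

console.log(explain(SAMPLES).join("\n"));
```

The pattern fires only when the number at the end of the cookie name equals the cookie value and is preceded by a non-word character such as "-", so the same page is blocked or allowed depending on the cookie's current value.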
Change History (2)

Changed January 18, 2012 06:26PM UTC by scottgonzalez comment:1

That seems like a really weak detection. You should probably file a bug with Mod_Security.

Changed January 22, 2012 08:01PM UTC by scottgonzalez comment:2

resolution: → wontfix
status: new → closed

"Fixing" this would be a breaking change. Since the cookie option is being deprecated in 1.9, I don't see a reason to keep this ticket open.