false positive with mybb
blindpet opened this issue · 5 comments
Installed this to protect MyBB and I'm getting a false positive for an SQL injection when sending a message with this text:
I've tried:
- System > Update Manager > Settings > Enable Community-maintained updates.
- Enable Mono and Mono Testing: Omv > Omv-extras.org > Enable them both and save then apply.
No go, Sonarr doesn't show up.
One guy:
http://forums.openmediavault.org/index.php/Thread/6609-Sonarr-NzbDrone-1-0-Plugin/?postID=78771#post78771
Said to just enable mono testing and not mono.
I can enable mono and have mono testing disabled. But I can't have mono disabled and have mono testing enabled. If I enable testing the other mono enables too.
Varnishlog
- Timestamp ReqBody: 1448830967.845978 0.000147 0.000147
- ReqHeader X-VSF-Body: my_post_key=05559b8cafbc7789f72e7369c8d7e6a8&to=manne&bcc=&subject=Re%3A+Omv+guide&action=do_send&pmid=571&do=reply&options%5Bsavecopy%5D=1&options%5Breadreceipt%5D=1&message=%0D%0AI%27ve+tried%3A%0D%0A-+System+%3E+Update+Manager+%3E+Settings
- ReqHeader X-VSF-Client: [162.158.134.241] forum.htpcguides.com/private.php (Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36)
- ReqUnset Accept-Encoding: gzip
- ReqHeader Accept-Encoding: gzip
- ReqHeader X-VSF-Module: sql
- ReqHeader X-VSF-RuleName: SQL Injection
- ReqHeader X-VSF-RuleID: sql.sql-11
- ReqHeader X-VSF-Rule: sql-sql.sql-11
- ReqHeader X-VSF-Response: Naughty, not nice!
- VCL_return synth
- VCL_call HASH
- VCL_return lookup
- Timestamp Process: 1448830967.846190 0.000359 0.000212
- RespHeader Date: Sun, 29 Nov 2015 21:02:47 GMT
- RespHeader Server: Varnish
- RespHeader X-Varnish: 1540392
- RespProtocol HTTP/1.1
- RespStatus 801
- RespReason Unknown HTTP Status
- RespReason Rejected
- VCL_call SYNTH
- VCL_Log security.vcl alert xid:1540392 HTTP/1.1 [sql-sql.sql-11][162.158.134.241] forum.htpcguides.com/private.php (Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36) (SQL Injection)
- RespStatus 403
- RespReason Forbidden
- RespReason Naughty, not nice!
- RespHeader Content-Type: text/html; charset=utf-8
- RespHeader Retry-After: 5
- VCL_return deliver
- RespHeader Content-Length: 278
- Storage malloc Transient
- Debug "RES_MODE 2"
- RespHeader Connection: keep-alive
- Timestamp Resp: 1448830967.846321 0.000490 0.000130
- ReqAcct 1327 968 2295 210 278 488
- End
Upon further testing it appears to not like the symbols in this text:
About Sonarr:
I've tried:
- System > Update Manager > Settings > Enable Community-maintained updates.
- Enable Mono and Mono Testing: Omv > Omv-extras.org > Enable them both and save then apply.
No go, Sonarr doesn't show up.
The rule triggered does not make any sense for this text. Can you explain what symbols it does not like? Perhaps you could capture the POST body in your web browser so we could see how it looks on the wire?
Furthermore, does commenting out sql.vcl rule 11 work around this false positive?
Regards.
Will see if I can do the capture tomorrow.
Disabling rule 11 in sql.encoded does make the problem go away so that's what I've done for now.
Ah, it's sql.encoded, that makes more sense: it's "update" followed by "set". I'm marking the whole ruleset for revamping.
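An added illustration of the diagnosis above (my own code, not the project's VCL or its sql.encoded rule text): a loose "update ... set" signature fires on the decoded forum post because "Update Manager > Settings" contains both keywords, while a signature that demands UPDATE-statement shape does not. Both regexes are assumed approximations, and the request bodies are constructed samples modelled on the report, not the captured request.

```python
import re
from urllib.parse import parse_qs

# Constructed sample bodies: one modelled on the reported forum post,
# one shaped like a real UPDATE statement (detection-test positive).
REPORTED_BODY = (
    "subject=Re%3A+Omv+guide&message=%0D%0AI%27ve+tried%3A%0D%0A"
    "-+System+%3E+Update+Manager+%3E+Settings+%3E+Enable+Community-maintained+updates."
)
INJECTION_BODY = "comment=1%27%3B+UPDATE+accounts+SET+active%3D0+--+"

# Assumed approximation of a loose "update ... set" signature; the project's
# actual sql.encoded rule 11 is not reproduced here.
LOOSE_RULE = re.compile(r"update.*set", re.IGNORECASE | re.DOTALL)

# Tighter signature: the keywords must stand alone and be laid out like an
# UPDATE statement (UPDATE <table> SET <column> =), so English prose such as
# "Update Manager > Settings" no longer qualifies.
STRICT_RULE = re.compile(
    r"\bupdate\s+[\w.`\"]+\s+set\s+[\w.`\"]+\s*=", re.IGNORECASE | re.DOTALL
)


def decoded_fields(body: str) -> list[str]:
    """Return every URL-decoded parameter value ('+' becomes a space),
    which is the form an 'encoded' rule has to inspect."""
    fields = parse_qs(body, keep_blank_values=True)
    return [value for values in fields.values() for value in values]


def rule_hits(rule: re.Pattern, body: str) -> list[str]:
    """Return the decoded values on which the rule fires."""
    return [value for value in decoded_fields(body) if rule.search(value)]


def classify(body: str) -> dict:
    """Report whether each signature would block this body."""
    return {
        "loose": bool(rule_hits(LOOSE_RULE, body)),
        "strict": bool(rule_hits(STRICT_RULE, body)),
    }


if __name__ == "__main__":
    for name, body in [("forum post", REPORTED_BODY), ("injection sample", INJECTION_BODY)]:
        print(name, classify(body))
```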
That's another thing, while you're at it: the marks for debugging for sql and sql.encoded are the same, I believe (at least I looked in sql.rules first based on the logs).