Hello,
I have activated mod_security in Apache 2.2 and as soon as I activated mod_security I started to receive a lot of error messages saying that there are SQL Injection problems in RoundCube (version 0.9). Do you know something about this? Could be there SQL Injection in RoundCube?
Here you have an extract of the log:
error_log.1:[Sat May 18 12:48:22 2013] [error] [client rr.ss.tt.uu] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]|(?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)" at ARGS:_message. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: -- found within ARGS:_message: xxxxx all\\x0d\\x0a\\x0d\\x0a-- \\x0d\\x0axxxxxxxx\\x0d\\x0a"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "oneserver.com"] [uri "/"] [unique_id "UZdcdgoBbS4AABgASUcAAAAG"]
Thank you very much in advance!
Kind regards,
Agustin.
Quote from: agustin on May 21, 2013, 10:29:29 AM
Matched Data: -- found within ARGS:_message: xxxxx all\\x0d\\x0a\\x0d\\x0a-- \\x0d\\x0axxxxxxxx\\x0d\\x0a
LOL, it takes signature separator in message body as a sql injection attack.
But, is there any SQL Injection risk in round cube or not? Is that a false positive from mod_security?