Roundcube Community Forum

 

SQL Injection in RoundCube 0.9??

Started by agustin, May 21, 2013, 10:29:29 AM


agustin

Hello,

I have activated mod_security in Apache 2.2 and as soon as I activated mod_security I started to receive a lot of error messages saying that there are SQL Injection problems in RoundCube (version 0.9). Do you know something about this? Could there be SQL Injection in RoundCube?

Here you have an extract of the log:

error_log.1:[Sat May 18 12:48:22 2013] [error] [client rr.ss.tt.uu] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]|(?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)" at ARGS:_message. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: --  found within ARGS:_message: xxxxx all\\x0d\\x0a\\x0d\\x0a-- \\x0d\\x0axxxxxxxx\\x0d\\x0a"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "oneserver.com"] [uri "/"] [unique_id "UZdcdgoBbS4AABgASUcAAAAG"]

Thank you very much in advance!

Kind regards,

Agustin.

alec

Quote from: agustin on May 21, 2013, 10:29:29 AM
Matched Data: --  found within ARGS:_message: xxxxx all\\x0d\\x0a\\x0d\\x0a-- \\x0d\\x0axxxxxxxx\\x0d\\x0a

LOL, it takes the signature separator in the message body as an SQL injection attack.
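The match described in the reply above can be reproduced offline. This is an added example, not part of the original posts or of Roundcube or the CRS: it runs the pattern printed in the log (with the log's backslash escaping undone, which is an assumption about the original rule text) over a constructed `_message` value, using Python's `re` as a stand-in for ModSecurity's regex engine. The names `triage`, `BRANCHES` and the sample bodies are hypothetical.

```python
import re

# Rule 981231 pattern as printed in the log, log escaping undone (assumption).
RULE_981231 = re.compile(
    r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)"
    r"|([^\-&])#.*?[\s\r\n\v\f]|;?\x00)"
)

# The same alternatives one by one, only to report which branch fired.
BRANCHES = {
    "c-style comment open": r"/\*!?",
    "c-style comment close": r"\*/",
    "quote/semicolon + dashes": r"[';]--",
    "dashes + whitespace": r"--[\s\r\n\v\f]",
    "dashes ... dash": r"--[^-]*?-",
    "hash comment": r"[^\-&]#.*?[\s\r\n\v\f]",
    "null byte": r";?\x00",
}

# Constructed message body: text, blank line, then the conventional
# e-mail signature separator line "-- " (dash dash space).
SAMPLE_BODY = "Hello all\r\n\r\n-- \r\nJohn Doe\r\n"


def triage(arg_value):
    """Return details of the first rule match, or None if the rule is silent."""
    m = RULE_981231.search(arg_value)
    if m is None:
        return None
    branch = next(n for n, p in BRANCHES.items() if re.fullmatch(p, m.group(0)))
    # Recover the whole line around the match to see whether it is exactly "-- ".
    start = arg_value.rfind("\n", 0, m.start()) + 1
    end = arg_value.find("\n", m.start())
    line = arg_value[start:end if end != -1 else None].rstrip("\r")
    return {
        "matched": m.group(0),
        "branch": branch,
        "signature_separator": line == "-- ",
    }


if __name__ == "__main__":
    for body in (SAMPLE_BODY, "price -- updated", "see the --verbose flag"):
        print(repr(body), "->", triage(body))
```

The rule fires on any `--` followed by whitespace, so ordinary mail text in `ARGS:_message` trips it whether or not a signature is present; a narrowly scoped exclusion of that argument for this rule id is the usual tuning, rather than disabling the rule set.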

agustin

But is there any SQL Injection risk in RoundCube or not? Is that a false positive from mod_security?