Search code examples
regexapachecookiesmod-security

what is this regex mod_security rule doing?

I can't read regex for the life of me.
Anyone got a sec to help me figure out why mod_security is getting triggered all of a sudden with my hosts last update?

I'm getting this mod_security error:

Message: Access denied with code 406 (phase 2). Pattern match "\b(\d+) ?= ?\1\b|[\'"](\w+)[\'"] ?= ?[\'"]\2\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "94"] [id "959901"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]

Here is one of the cookies logged that generated this error:

Cookie: pmr=9d800ab159baf3962d1c777225b4b632; pmr_referrer=http%3A%2F%2Frateyourmusic.com%2Fadmin%2Fcoraq%2F%3F1%3D1%26status%3Dw%26show%3D10%26start%3D7020; __utma=229707933.920390620.1326769663.1326769663.1326769663.1; __utmb=229707933.1.10.1326769663; __utmc=229707933; __utmz=229707933.1326769663.1.1.utmcsr=rateyourmusic.com|utmccn=(referral)|utmcmd=referral|utmcct=/admin/corq/

Is this triggering because "admin" is in the cookie???

Here's another ...

Cookie: ui-tabs-1=1; superBAGUS=af14474b9bcc7ec3ae436e58ba172520; superBAGUS_referrer=...; superBAGUS_admin=2%3A747167a9cd89703dbfafe3c7a5c523b4; acco=acco_1; superBAGUS_adviews=.2576.2580.; __utma=10910262.1479346800.1326871079.1326871079.1326873539.2; __utmb=10910262.10.8.1326873800604; __utmc=10910262; __utmz=10910262.1326871079.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Is this triggering because "ui-tabs-1=1" looks like a 1=1 injection???

What exactly is this pattern matching on?

Solution

  • The regex doesn't match the first pattern, so I can't tell what might be wrong.

    But it does match the 1=1 section of the second pattern, so your assumption is correct.

    Explanation of the regex:

    \b             # Assert position at the start of an alphanumeric "word"
(\d+)          # Match a number
 ?= ?          # Match =, optionally surrounded by spaces
\1             # Match the same number as before
\b             # Assert position at the end of an alphanumeric "word"
|              #  or
['"](\w+)['"]  # Match a quoted "word"
 ?= ?          # Match =, optionally surrounded by spaces
['"]\2\b       # Match a quote and the same word as before.