ModSecurity

This public forum is for user-to-user discussions of PHPMaker. Note that this is not a support forum.
guido
User
Posts: 52

Post by guido »

I have some problems with my hosting provider with a PHP program from v2019.
This program is an edit page (with Custom Template) where 12 names and results must be entered.
I get the error message "error while communicating with the server" after 1 or 2 or 3 or more entries.
Response from hosting (Combell Belgium): Modsecurity [msg SQL Injection Attack: SQL operator Detected] found within args: cmd: resetall / '&& sLEEp (3) &&' 1 "
Thank you


arbei
User
Posts: 9384

Post by arbei »

Do you have "&&" in your input data? Do you want to allow it or not?


guido
User
Posts: 52

Post by guido »

I suppose it has something to do with characters such as &, &&, -, ', and some more.

I see a lot of && in my script formwededit.php:

    fformwededit.validate = function () {
        ...
        <?php if ($formwed_edit->NR->Required) { ?>
        elm = this.getElements("x" + infix + "_NR");
        if (elm && !ew.isHidden(elm) && !ew.hasValue(elm))
        ...

and this for around 90 fields.
Could it be that this is the problem or ...

I got a log where there is an SQL injection error, but with URI /ranking/Ranknzlist.php.
In the rest of the logging there is nothing to find from formwededit.php,
but it is true that when I want to run that program on Combell hosting, after 1 or 2 attempts the error message "error while communicating to server" appears.
So there must be a problem ...
Thanks


arbei
User
Posts: 9384

Post by arbei »

guido wrote:

    Modsecurity [msg SQL Injection Attack: SQL operator Detected] found within args: cmd: resetall / '&& sLEEp (3) &&' 1 "

The error tells you that ModSecurity sees '&& sLEEp (3) &&' in the data of the HTTP request and thinks it may be an SQL Injection attack.

guido wrote:

    I see a lot of && in my script formwededit.php.

That is just JavaScript in the source code of the page; it is not the cause of the problem if your page is normal. The problem is in the data when you submit the page, not the source code of the page.

You should find out the problem data and handle it. Please answer the following:
  1. What is '&& sLEEp (3) &&'?
  2. Where does it come from?
  3. Is it from user input?
  4. If it is really part of the source of your script, you should press F12, go to the Elements panel and make sure the HTML in your page is well-formed.
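
As an added example (not code from this thread, from PHPMaker or from the hosting provider), here is a small Python triage script for the kind of ModSecurity error-log entry the provider quoted. It pulls out the rule message, the collection and argument the rule matched in, the matched value, the client address and the request URI, then marks whether the URI belongs to one of your own pages, which is the first step in "finding out the problem data". The log lines are constructed for the example; the rule id, rule file, `x1_NR` field name and `/formwededit.php` path are assumptions, not values from the thread.

```python
"""Triage ModSecurity (v2 error-log style) block messages: which rule fired, on
which request argument, with what value, and for which URI. Assumption: your own
application pages are known by path, so a hit on another path is not your page.
"""
import re
from typing import Dict, Iterable, List, Set

# One '[key "value"]' field of an error-log entry; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The client address field carries no quotes, so it needs its own pattern.
CLIENT_RE = re.compile(r'\[client ([0-9A-Fa-f.:]+)\]')
# Tail of a CRS [data "..."] value: "... found within <COLLECTION>:<name>: <value>".
LOCATION_RE = re.compile(r'found within (\w+):([^:]+): (.*)$', re.DOTALL)

# Constructed sample entries (not real logs from the thread's hosting provider).
# Rule id, rule file and unique_id are placeholders, not real CRS values; the
# first entry carries the exact argument value quoted in the thread.
SAMPLE_LINES = [
    "[Tue Mar 10 10:12:01.123456 2020] [:error] [pid 4242] [client 192.0.2.10] "
    "ModSecurity: Access denied with code 403 (phase 2). "
    '[file "placeholder.conf"] [line "0"] [id "000000"] '
    '[msg "SQL Injection Attack: SQL operator Detected"] '
    "[data \"Matched Data: && sLEEp (3) && found within ARGS:cmd: "
    "resetall / '&& sLEEp (3) &&' 1 \\\"\"] "
    '[severity "CRITICAL"] [hostname "www.example.test"] '
    '[uri "/ranking/Ranknzlist.php"] [unique_id "placeholder"]',
    # An assumed submission of the edit page, blocked on a name field (x1_NR assumed).
    "[Tue Mar 10 10:15:44.000001 2020] [:error] [pid 4242] [client 198.51.100.7] "
    "ModSecurity: Access denied with code 403 (phase 2). "
    '[file "placeholder.conf"] [line "0"] [id "000000"] '
    '[msg "SQL Injection Attack: SQL operator Detected"] '
    '[data "Matched Data: && found within ARGS:x1_NR: Smith && Sons"] '
    '[severity "CRITICAL"] [hostname "www.example.test"] '
    '[uri "/formwededit.php"] [unique_id "placeholder"]',
    # A non-ModSecurity line that must be ignored by the triage.
    "[Tue Mar 10 10:16:00.000000 2020] [php7:warn] [pid 4242] [client 198.51.100.7] "
    "PHP Warning: something unrelated in /var/www/example.php on line 1",
]


def parse_entry(line: str) -> Dict[str, str]:
    """Return the bracketed fields of one log line as a dict, quotes unescaped."""
    fields = {k: v.replace('\\"', '"') for k, v in FIELD_RE.findall(line)}
    client = CLIENT_RE.search(line)
    if client:
        fields["client"] = client.group(1)
    loc = LOCATION_RE.search(fields.get("data", ""))
    if loc:
        # Which request argument tripped the rule, and the full value it held.
        fields["collection"], fields["arg"], fields["matched_value"] = loc.groups()
    return fields


def triage(lines: Iterable[str], app_pages: Set[str]) -> List[Dict[str, str]]:
    """Keep only rule-match entries and say whether each hit one of our own pages."""
    results = []
    for line in lines:
        f = parse_entry(line)
        if "uri" not in f or "msg" not in f:
            continue  # not a ModSecurity rule match
        f["verdict"] = "check your page" if f["uri"] in app_pages else "unrelated scan"
        results.append(f)
    return results


def summarize(results: List[Dict[str, str]]) -> Dict[tuple, int]:
    """Count blocks per (verdict, argument) so repeat offenders stand out."""
    counts: Dict[tuple, int] = {}
    for r in results:
        key = (r["verdict"], r.get("arg", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES, {"/formwededit.php"})
    for r in hits:
        print(f'{r["verdict"]:16} uri={r["uri"]} arg={r.get("arg")} '
              f'value={r.get("matched_value")!r} client={r.get("client")}')
    print(summarize(hits))
```

Run against the sample, the `cmd` hit carrying `'&& sLEEp (3) &&'` is attributed to /ranking/Ranknzlist.php rather than to the edit page, which is the situation guido describes in his log, while a block on one of your own fields names the exact input and value to go and look at in the Custom Template.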

guido
User
Posts: 52

Post by guido »

I asked for more explanation and ...

Message from the hosting provider yesterday:

The error messages that we now see are not from SQL injection detection but from "bad robots".
These are bad web crawlers that scan sites for leaks and can have an impact on server performance.
We cannot disable this filter to guarantee the stability of our server. But this has nothing to do with your script.

Today I did a test and suddenly everything works as it should.
Hopefully it will stay that way.

Thank you very much.


arbei
User
Posts: 9384

Post by arbei »

You should not seek to disable the web server filter; you should check and find out the problem of your Custom Template.

arbei wrote:

    guido wrote:

        Modsecurity [msg SQL Injection Attack: SQL operator Detected] found within args: cmd: resetall / '&& sLEEp (3) &&' 1 "

    The error tells you that ModSecurity sees '&& sLEEp (3) &&' in the data of the HTTP request and thinks it may be an SQL Injection attack.

    guido wrote:

        I see a lot of && in my script formwededit.php.

    That is just JavaScript in the source code of the page; it is not the cause of the problem if your page is normal. The problem is in the data when you submit the page, not the source code of the page.

    You should find out the problem data and handle it. Please answer the following:
      1. What is '&& sLEEp (3) &&'?
      2. Where does it come from?
      3. Is it from user input?
      4. If it is really part of the source of your script, you should press F12, go to the Elements panel and make sure the HTML in your page is well-formed.
