Rule 390103 Virtual Patch: MyABraCaDaWeb being triggered...

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
pelsner
Forum User
Forum User
Posts: 5
Joined: Wed Oct 19, 2011 1:32 pm
Location: Texas

Rule 390103 Virtual Patch: MyABraCaDaWeb being triggered...

Unread post by pelsner »

Hello.

Recently we are seeing the following rule getting triggered by our software and it hasn't happended before in the past.

[Fri Feb 03 15:22:09 2012] [error] [client 208.180.nn.nnn] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((ht|f)tps?:/|\\\\.\\\\./\\\\.\\\\.)" at ARGS:base. [file "/usr/local/apache/conf/modsec_rules/modsec/99_asl_jitp.conf"] [line "3929"] [id "390103"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: MyABraCaDaWeb base File Inclusion Vulnerabilities"] [severity "CRITICAL"] [hostname "www.bbbbbbbbbbb.com"] [uri "/wcm/index.php"] [unique_id "TyxQAdC0HLYAAA@1WaQAAAAN"]
[Fri Feb 03 15:22:09 2012] [error]

Doing some Googling on MyABraCaDaWeb, says that the server has this software package "MyABraCaDaWeb" installed on it, and it needs to be updated to the latest version. We don't have that installed. I'm thinking this is some false positive, but just want to make sure.

Has anyone else seen this??
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Rule 390103 Virtual Patch: MyABraCaDaWeb being triggered

Unread post by mikeshinn »

Thanks for the question. This is not a false positive. A rule like this is triggered by the bad guys request, not by what is or is not installed on your system. Its the attack on the server that is detected, and the bad guy is looking for a vulnerable install of MyABraCaDaWeb. If you don't have it installed then you aren't vulnerable. If you do have it installed, you are not vulnerable to this attack because the rules are protecting you.

If you want to know why it may be a good idea for you to detect attacks against applications you may not have installed, please see this blog post:

https://atomicorp.com/company/blogs/231-tripwires.html
pelsner
Forum User
Forum User
Posts: 5
Joined: Wed Oct 19, 2011 1:32 pm
Location: Texas

Re: Rule 390103 Virtual Patch: MyABraCaDaWeb being triggered

Unread post by pelsner »

Hi Michael,

Thanks for the information, but the rule is triggered when we or our customers simply use our CMS to save data to the database. The URL will look something like this:

http://www.domainname.tld/index.php?config=edit&save=1

And unless I'm reading the rule wrong (which is highly possible),

SecRule ARGS:base "((ht|f)tps?:/|\.\./\.\.)"

This looks like it will trigger based on anything that has https or ftps in the the URL. (which by the way our customer does not).

Our CMS hasn't changed in a few years and this rule has not been triggered in the past, until just last week. That's the part that has me confused.

Thanks,
Peter

mikeshinn wrote:Thanks for the question. This is not a false positive. A rule like this is triggered by the bad guys request, not by what is or is not installed on your system. Its the attack on the server that is detected, and the bad guy is looking for a vulnerable install of MyABraCaDaWeb. If you don't have it installed then you aren't vulnerable. If you do have it installed, you are not vulnerable to this attack because the rules are protecting you.

If you want to know why it may be a good idea for you to detect attacks against applications you may not have installed, please see this blog post:

https://atomicorp.com/company/blogs/231-tripwires.html
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Rule 390103 Virtual Patch: MyABraCaDaWeb being triggered

Unread post by mikeshinn »

OK, I understand now. So if you believe you have a false positive, then we need some additional information. Please follow the process at this link to report the FP:

https://www.atomicorp.com/wiki/index.ph ... _Positives

Or log into the ASL GUI, and just click the False Positive button for the event.

For real time rules, we will release a fix the same day we get the report. For the delayed/unsupported rules you will see the update approximately 90 days after its released for the real time rules users.
Post Reply