Rule 390103 Virtual Patch: MyABraCaDaWeb being triggered...
Posted: Fri Feb 03, 2012 5:28 pm
Hello.
Recently we are seeing the following rule getting triggered by our software and it hasn't happended before in the past.
[Fri Feb 03 15:22:09 2012] [error] [client 208.180.nn.nnn] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((ht|f)tps?:/|\\\\.\\\\./\\\\.\\\\.)" at ARGS:base. [file "/usr/local/apache/conf/modsec_rules/modsec/99_asl_jitp.conf"] [line "3929"] [id "390103"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: MyABraCaDaWeb base File Inclusion Vulnerabilities"] [severity "CRITICAL"] [hostname "www.bbbbbbbbbbb.com"] [uri "/wcm/index.php"] [unique_id "TyxQAdC0HLYAAA@1WaQAAAAN"]
[Fri Feb 03 15:22:09 2012] [error]
Doing some Googling on MyABraCaDaWeb, says that the server has this software package "MyABraCaDaWeb" installed on it, and it needs to be updated to the latest version. We don't have that installed. I'm thinking this is some false positive, but just want to make sure.
Has anyone else seen this??
Recently we are seeing the following rule getting triggered by our software and it hasn't happended before in the past.
[Fri Feb 03 15:22:09 2012] [error] [client 208.180.nn.nnn] ModSecurity: Access denied with code 403 (phase 2). Pattern match "((ht|f)tps?:/|\\\\.\\\\./\\\\.\\\\.)" at ARGS:base. [file "/usr/local/apache/conf/modsec_rules/modsec/99_asl_jitp.conf"] [line "3929"] [id "390103"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: MyABraCaDaWeb base File Inclusion Vulnerabilities"] [severity "CRITICAL"] [hostname "www.bbbbbbbbbbb.com"] [uri "/wcm/index.php"] [unique_id "TyxQAdC0HLYAAA@1WaQAAAAN"]
[Fri Feb 03 15:22:09 2012] [error]
Doing some Googling on MyABraCaDaWeb, says that the server has this software package "MyABraCaDaWeb" installed on it, and it needs to be updated to the latest version. We don't have that installed. I'm thinking this is some false positive, but just want to make sure.
Has anyone else seen this??