Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
Ask a Question

'WEB_ATTACK/LDAP_INJECTION' error with OWASP ModSecurity.

+1 vote
1.4k views
in Q2A Core by

HI i am hosting question2answer on bigrock.There is a serious problem comes when i login as admin and click admin button for admin pannel. After click , admin panel comes but site goes down for next 10 minutes.

Here is the log :

[Fri Apr 17 17:22:25 2015] [error] [client 163.53.86.45] File does not exist: /home/wayto6zu/public_html/403.shtml, referer: http://www.waytocrack.com/blog/forum/index.php?qa=admin&qa_1=general [Fri Apr 17 17:22:25 2015] [error] [client 163.53.86.45] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\\\((?:\\\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\\\b\\\\W*?=|[^\\\\w\\\\x80-\\\\xFF]*?[\\\\!\\\\&\\\\|][^\\\\w\\\\x80-\\\\xFF]*?\\\\()|\\\\)[^\\\\w\\\\x80-\\\\xFF]*?\\\\([^\\\\w\\\\x80-\\\\xFF]*?[\\\\!\\\\&\\\\|])" at ARGS:qa_2. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "65"] [id "950010"] [rev "2"] [msg "LDAP Injection Attack"] [data "Matched Data: ()=!( found within ARGS:qa_2: $&-_~#%\\x5c@^*()=!()][`';:|\\x22.{},<>?# \\xcf\\x80\\xc2\\xa7\\xc2\\xbd\\xd0\\x96\\xd7\\xa9"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/LDAP_INJECTION"] [tag "WASCTC/WASC-29"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "www.waytocrack.com"] [uri "/blog/forum/"] [unique_id "VTFBUWcVOnAADWmoseIAAAAH"]

Q2A version: latest

2 Answers

+3 votes
by

Judging by this:

Matched Data: ()=!( found within...

It looks like it's coming from the test URL used on the URL Structure option - the QA_URL_TEST_STRING constant defined in qa-base.php and used in admin/admin-default.php.

Not sure if there is a way to fix that in Q2A, the whole point of the string is to check that URLs with special characters work.

Do you have LDAP on your server? It's not part of Q2A so the best solution is probably to turn off that security option. You may need to ask your host.

Otherwise you should be able to work around it by commenting out the foreach block at line 984-994 in admin/admin-default.php.

by
Can you please the copy paste the relevant lines of code. It's 1.8 now and I think the lines may have changed?  Thanks.
by
@Akhil the problem was fixed for 1.8, are you still getting this warning?
+1 vote
by

I have disabled ModSecurity from cPanel then this error gone. But not found actual cause behind it. 

by
The issue was fixed years ago...
by
Thanks, Scott, for note. Unfortunately, due unknown reason I am still facing this issue. I am using latest version1.8.5. You can try to add specimen question or answer on my affected site http://doubtsolver.com/ask/
Snow Theme by Q2A Market
Powered by Question2Answer
...