false positive with mybb

[blindpet]

Installed this to protect mybb and getting a false positive for an sql injection when sending a message with this text

I've tried:

- System > Update Manager > Settings > Enable Community-maintained updates.
 - Enable Mono and Mono Testing: Omv > Omv-extras.org > Enable them both and save then apply.

No go, Sonarr doesn't show up.

One guy:
http://forums.openmediavault.org/index.php/Thread/6609-Sonarr-NzbDrone-1-0-Plugin/?postID=78771#post78771

Said to just to enable mono testing and not mono.

I can enable mono and have mono testing disabled. But I can't have mono disabled and have mono testning enable. If I enable testing the other mono enables to.

Varnishlog

-   Timestamp      ReqBody: 1448830967.845978 0.000147 0.000147
-   ReqHeader      X-VSF-Body: my_post_key=05559b8cafbc7789f72e7369c8d7e6a8&to=manne&bcc=&subject=Re%3A+Omv+guide&action=do_send&pmid=571&do=reply&options%5Bsavecopy%5D=1&options%5Breadreceipt%5D=1&message=%0D%0AI%27ve+tried%3A%0D%0A-+System+%3E+Update+Manager+%3E+Settings
-   ReqHeader      X-VSF-Client: [162.158.134.241] forum.htpcguides.com/private.php (Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36)
-   ReqUnset       Accept-Encoding: gzip
-   ReqHeader      Accept-Encoding: gzip
-   ReqHeader      X-VSF-Module: sql
-   ReqHeader      X-VSF-RuleName: SQL Injection
-   ReqHeader      X-VSF-RuleID: sql.sql-11
-   ReqHeader      X-VSF-Rule: sql-sql.sql-11
-   ReqHeader      X-VSF-Response: Naughty, not nice!
-   VCL_return     synth
-   VCL_call       HASH
-   VCL_return     lookup
-   Timestamp      Process: 1448830967.846190 0.000359 0.000212
-   RespHeader     Date: Sun, 29 Nov 2015 21:02:47 GMT
-   RespHeader     Server: Varnish
-   RespHeader     X-Varnish: 1540392
-   RespProtocol   HTTP/1.1
-   RespStatus     801
-   RespReason     Unknown HTTP Status
-   RespReason     Rejected
-   VCL_call       SYNTH
-   VCL_Log        security.vcl alert xid:1540392 HTTP/1.1 [sql-sql.sql-11][162.158.134.241] forum.htpcguides.com/private.php (Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36) (SQL Injection)
-   RespStatus     403
-   RespReason     Forbidden
-   RespReason     Naughty, not nice!
-   RespHeader     Content-Type: text/html; charset=utf-8
-   RespHeader     Retry-After: 5
-   VCL_return     deliver
-   RespHeader     Content-Length: 278
-   Storage        malloc Transient
-   Debug          "RES_MODE 2"
-   RespHeader     Connection: keep-alive
-   Timestamp      Resp: 1448830967.846321 0.000490 0.000130
-   ReqAcct        1327 968 2295 210 278 488
-   End

Upon further testing it appears to not like the symbols in this text

About Sonarr:

I've tried:

- System > Update Manager > Settings > Enable Community-maintained updates.
 - Enable Mono and Mono Testing: Omv > Omv-extras.org > Enable them both and save then apply.

No go, Sonarr doesn't show up.

[comotion]

The rule triggered does not make any sense for this text. Can you explain what symbols it does not like? Perhaps you could capture the POST body in your web browser so we could see how it looks on the wire?

Furthermore, does commenting out sql.vcl rule 11 work around this false positive?

Regards.

[blindpet]

Will see if I can do the capture tomorrow.

Disabling rule 11 in sql.encoded does make the problem go away so that's what I've done for now.

[comotion]

ah, it's sql.encoded, that makes more sense, it's "update" followed by "set". I'm marking the whole ruleset for revamping..

On Mon, Nov 30, 2015 at 1:20 AM, blindpet notifications@github.com wrote:

Will see if I can do the capture tomorrow.

Disabling rule 11 in sql.encoded does make the problem go away so that's what I've done for now.

— Reply to this email directly or view it on GitHub https://github.com/comotion/VSF/issues/30#issuecomment-160485921.

http://comotion.delta9.pl http://u.delta9.pl http://kacper.doesntexist.org Too much order is its own chaos. Employ no technique to gain supreme enlightment.

[blindpet]

That's another thing while you're at it, the marks for debugging for sql and sql.encoded are the same i believe (at least I looked in sql.rules first based on the logs)

[comotion]

That I can do something with, see commit f7dfed1073c2d4bb5015392a2e50b752af926de3.

False positives are bound to happen with rules like this, the procedure is to identify and disable rules that do not fit the application well. Thanks for reporting!