Apache/PHP mod_security: session hijacking false positive with session_start() -

-

I'm using it for it seems to be a false positive ...

Index.php 

  if (session_id () == '') session_start ();

main request 

  accept text / html, application / xhtml + xml, application / xml; Q = 0.9, * /*;q=0.8 Connection Keep-alive Cookie PHPSESSID = o2aaf0uti8pmah63t92ssvkqv0 Host www.test.com User-Agent Mozilla / 5.0 (Windows NT 6.0, RV: 28.0) Lizard / 20,100,101 Firefox / 28.0 < / Code>

error.log 

  [Mon Apr 20 20: 11: 37.346379 2014] [: Error] [pid 5312: 1700 ] [Client 127.0.0.1] Mode Security: Entry is denied by 403 code (step 1). Operator matched in the EQ1 session: IS_NEW [file "C: /apache/conf/crs/optional_rules/modsecurity_crs_16_session_hijacking.conf"] [line "24"] [id "981,054"] [host name "www.test.com" ] [Message "Invalid SessionID submission."] [Uri "/"] [unique_id "U16Z2cCoAQkAABTAnDUAAACV"]

modsecurity_crs_16_session_hijacking.conf 

  SecRule REQUEST_COOKIES: '/ (J.D. (ID | Token) | SID) /' ' * "" Series, step: 1, id: '981,054', none: block, log in, message: 'invalid SessionID submission.', Setsid:% {matched_var}, setVar: tx.sessionid =% { Matched_var}, skipAfter: END_SESSION_STARTUP "SecRule session: IS_NEW" @eq 1 "". T: None, setVar: tx.anomaly_score = +% {tx.critical_anomaly_score}, setVar: tx% {rule.id} -WEB_ATTACK / INVALID_SESSIONID -% {matched_var_name} =% {tx.0} " < / Pre> 
  httpd.conf  
 
  LoadModule unique_id_module module / mod_unique_id.so LoadModule security2_module module / mod_security2.so & lt; IfModule security2_module & gt; SecRuleEngine at SecRequestBodyAccess Close conf / crs / modsecurity_crs_10_setup.conf conf / crs / optional_rules / modsecurity_crs_16_session_hijacking.conf & lt; / ifModule>


Comments

Post a Comment

Popular posts from this blog

import - Python ImportError: No module named wmi -

-
I followed the instructions for downloading WMI for Python When I try to run the code for C.Win32_Service (StartMode = "Auto", state = "Stopped") import wmi c = wmi.WMI (): if Raw_input ("restart% s?"% S.Caption) .upper () == "Y": s.StartService () I got the error traceback (most recent call end): file ". \", Line 1, edit: I am using Python 2.7.6 EDIT2: I am running 64-bit Windows 2008 R2, and I've downloaded WMI-1.4.9.zip (md5). I removed the content and put it in D: Python \ Tools \ Scripts I executed dragon setup.py.install I said D : \ Python \ tools \ scripts to% PATH% and when I execute the code for C.Win32_Service (StartMode = "Auto", state = "Stopped") import wmi c = Wmi.WMI (): If raw_input ("Restart% s?"% S. Caption). () == "Y": s.StartService () error me Gets traceback (most recent call final): File ". See \", line 1, & lt; Modu...
Read more

Editing Python Class in Shell and SQLAlchemy -

-
I am working on the terminal on a shell script after this tutorial SQLAlchemy tutorial. I need to type gt; & Gt; & Gt; Sqlalchemy import column, integer, string & gt; & Gt; & Gt; Class user (base): __tablename__ = 'users' id = column (integer, primary_key = true) name = column (string) absolute name = column (string) password = column (string) def __repr __ (self): return "& lt ; User (name = '% s', absolute name = '% s', password = '% s') & gt; "% (Self.name, self.fullname, self.password) After the problem I have typed the password = column (string) I hit twice and changed .... >> I then took everything back but then an error was thrown because the class already exists ... I am not completely sure how to fix it. How do I open that slip in the shell script and edit it (Add DF to DRR) The error thrown below: / user / giripeters / TFSQLLX / Lib / python2.7 / site-packages / sqlalchemy / ext / decla...
Read more

lua - HowTo create a fuel bar -

-
I would like to create a fuel bar (empty with full tank). When the user touches the screen, the fuel once Dairejh these is my code: lifeBar = display.newImage ( "fuel_bar1.png") lifeBar.anchorX = 0 lifeboats. ======================== Lifetime Y = 37 screens Group: The Insert function (called Laifbar) However, I fuel Kansmoshn (equivalent to "pressed" variable to reduce the fuel tank "true") Have used. When pressed == is true, it means that the user is touching the screen: processed (fuel) processed () if life & gt; 0 and pressed == true remains = life - life 1 Life = life =. Wide-1 remains Value.text = string.format ("% d", life) End of this This function is active as the entrance event: runtime: addEventListener ( "Antrfrem" fuel Snsadna) it is very well, but my question is: pressed variable each time 5 seconds (once = = True) How is it possible to reduce the vitality width? I tried to add it to my touch even...
Read more