I use Summernote to put some formatted text into a database. When I put in text without Polish characters or with just a few, it works fine, but when I use more Polish characters I get an error message from the PHP script [HTTP/1.1 403 Forbidden 24ms].
I reviewed the /var/log/httpd/modsec_audit.log file and found these warnings/errors:
Message: Warning. Pattern match "\xbc[^\xbe>][\xbe>]|<[^\xbe]\xbe" at ARGS:opis. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \xbcno\xc5\x9bci od tego jak doprawiony jest bulion. zup\xc4\x99 ju\xc5\xbc na talerzu mieszamy z oliwa.
found within ARGS:opis: warzywa zalewamy bulionem warzywnym. gotujemy do mi\xc4\x99kko\xc5\x9bci, miksujemy, solimy w zale\xc5\xbcno\xc5\x9bci od tego jak doprawiony jest bulion. zup\xc4\x99 ju\xc5\xbc na talerzu mieszamy z oliwa.
"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.101.12] ModSecurity: Warning. Pattern match "\\\\xbc[^\\\\xbe>][\\\\xbe>]|<[^\\\\xbe]\\\\xbe" at ARGS:opis. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \\xbcno\\xc5\\x9bci od tego jak doprawiony jest bulion. zup\\xc4\\x99 ju\\xc5\\xbc na talerzu mieszamy z oliwa.
found within ARGS:opis: warzywa zalewamy bulionem warzywnym. gotujemy do mi\\xc4\\x99kko\\xc5\\x9bci, miksujemy, solimy w zale\\xc5\\xbcno\\xc5\\x9bci od tego jak doprawiony jest bulion. zup\\xc4\\x99 ju\\xc5\\xbc na talerzu mieszamy z oliwa.
"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "somehostname.pl"] [uri "/somescript.php"] [unique_id "Y0peIxMWSyQpE@SPNKJmngAAAAs"]
There are more messages…
As I understand it, this is some kind of false alarm from apache2 mod_security. Can you please advise on how to solve this issue and keep mod_security ON at the same time (if possible)?
Thanks
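
The following is an added example, not part of the original post: it replays the rule 941310 pattern over UTF-8 encoded text to show which character starts the match logged above. It assumes the CRS 3.3.0 form of the expression with its `*` quantifiers (the log excerpt shows it without them); the helper name `explain_hit` and the three sample strings are constructed for illustration.

```python
import re

# Assumption: the rule 941310 expression as shipped in CRS 3.3.0, i.e. with the
# `*` quantifiers that the log excerpt above does not show.
RULE_941310 = re.compile(rb"\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe")


def explain_hit(value):
    """Return why the pattern fires on `value`, or None if it does not.

    The text is UTF-8 encoded and ASCII-lowercased first, a simplified
    stand-in for the rule's transformations (the logged data is lowercase).
    """
    raw = value.encode("utf-8").lower()
    match = RULE_941310.search(raw)
    if match is None:
        return None
    # Walk back from the first matched byte to the lead byte of its character.
    start = match.start()
    while raw[start] & 0xC0 == 0x80:
        start -= 1
    char = raw[start:].decode("utf-8")[0]
    return {
        "char": char,                        # character whose bytes start the match
        "char_bytes": char.encode("utf-8"),  # its UTF-8 encoding
        "matched": match.group(0),           # bytes the rule would report
    }


# Constructed samples (not taken from the log). Summernote submits HTML, so a
# closing tag supplies the '>' that ends the match.
WITH_Z_DOT = "<p>solimy w zależności od tego jak doprawiony jest bulion.</p>"
OTHER_POLISH = "<p>gotujemy do miękkości, miksujemy</p>"
Z_DOT_NO_TAG = "zupę już na talerzu mieszamy z oliwą"

if __name__ == "__main__":
    for sample in (WITH_Z_DOT, OTHER_POLISH, Z_DOT_NO_TAG):
        print(repr(sample), "->", explain_hit(sample))
```

A match that starts on the second byte of `ż` and ends at an HTML `>` is ordinary UTF-8 text, which supports a narrowly scoped exclusion of rule 941310 for `ARGS:opis` rather than switching the engine off.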