back to phpList.org

Mod_security tagging kcfinder/browse.php as sql injection

Hello, I’m not a mod_security expert but whenever I use phplist and kceditor on my server which is running mod_security, it blocks my ip address with the following code. Maybe someone can provide some insight into this:

Log entries:

[Fri Nov 01 13:35:30.185176 2019] [:error] [pid 30094] [client xx.xxx.xx.xx:41114] ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection with fingerprint ‘nof(1’ [file “/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf”] [line “43”] [id “942100”] [rev “1”] [msg “SQL Injection Attack Detected via libinjection”] [data “Matched Data: nof(1 found within ARGS:file:now(1).png”] [severity “CRITICAL”] [ver “OWASP_CRS/3.0.0”] [maturity “1”] [accuracy “8”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-sqli”] [tag “OWASP_CRS/WEB_ATTACK/SQL_INJECTION”] [tag “WASCTC/WASC-19”] [tag “OWASP_TOP_10/A1”] [tag “OWASP_AppSensor/CIE1”] [tag “PCI/6.5.2”] [hostname “xxx.xxxx.com”] [uri “/lists/admin/plugins/CKEditorPlugin/kcfinder/browse.php”] [unique_id “Xbxs4n-P6bkAcqPW13QNCwAAAAk”], referer: https://xxx.xxxx.com/lists/admin/plugins/CKEditorPlugin/kcfinder/browse.php?opener=ckeditor&type=image&CKEditor=message&CKEditorFuncNum=1&langCode=en