Forum Discussion
BIG-IP false SQL injection alarm when trying to update a Wordpress page
Hi all, first of all, I am not sure if I am asking this question in the right forum. Please direct me to the right one if this is not the place to ask this question.
I host my WordPress-based website with a hosting provider that uses F5 BIG-IP as a web application firewall, and I regularly get a false alarm when trying to update a page through the WordPress admin. The firewall detects an SQL injection on certain pages. On a certain page where the alarm was triggered, I tried to nail down which word/characters caused that. It turned out to be a ")" character. But using this character in other parts of the page content does not trigger anything, and the update goes through successfully.
My hosting provider could not provide any suggestion other than asking me whether I would like to disable the rule and allow it to pass. I am not comfortable disabling the rule since I don't know yet what actually triggered this.
Any suggestion or hint on how to find out what exactly caused this? Thank you.
3 Replies
It might help if you ask the hosting provider for the exact ASM violation; that might help a little.
The issue probably is that the combination of your ")" together with the rest of the query constructs something the ASM sees as a possible SQL injection. Silly example: the ASM looks for `select from ()` and your `)` completes a `select from (` in the WordPress code, thereby triggering the signature.
You just disable one signature, so the effect should be limited.
- haritan_132923
Hi boneyard, thank you for your reply. Attached are the attack details. Please let me know your further thoughts having seen the details.
Just want to clarify, this detection is done way before it hits PHP, is that correct? In which case it has nothing to do with bad code, does it?
Thank you.
200002149; SQL-INJ expressions like "and 1=1" (5). So it somewhere finds a string that looks like `and 1=1`, which is a common trick in SQL injection attacks.
The ASM is in front of your webserver, so it gets the data sent to the webserver. So that is before PHP does something with it, but PHP probably did create the page where you entered the data.
As this signature is parameter based, you could also just exclude it for the content parameter and have it active on all other parameters.
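
Editor's added example, not part of the thread and not F5 code: a minimal Python sketch of why a ")" only trips an "and 1=1"-style signature in combination with the text after it, and what excluding the signature for one parameter does. The regex is a simplified stand-in, not the real signature 200002149; the `post_title` field name and the sample form bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Simplified stand-in for a tautology signature (NOT the real F5 rule):
# a quote or ")" followed by and/or and "N = N" with the same number twice.
TAUTOLOGY = re.compile(r"""[)'"]\s*(?:and|or)\s+(\d+)\s*=\s*\1\b""", re.IGNORECASE)


def inspect(body, excluded_params=frozenset()):
    """Return the names of form parameters whose decoded value matches.

    The check runs on the raw request body, before any application code
    (PHP in the thread) sees it, as a WAF in front of the server would.
    """
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in excluded_params:
            continue  # signature switched off for this parameter only
        if TAUTOLOGY.search(value):
            hits.append(name)
    return hits


def form(content, title="Pricing"):
    """Build a constructed page-update body (field names are assumptions)."""
    return urlencode({"post_title": title, "content": content})


# Constructed page text: identical apart from the closing parenthesis.
WITH_PAREN = form("Bundle (2 seats) and 2 = 2 licences included")
WITHOUT_PAREN = form("Bundle, 2 seats and 2 = 2 licences included")

if __name__ == "__main__":
    print("with ')':        ", inspect(WITH_PAREN))
    print("without ')':     ", inspect(WITHOUT_PAREN))
    print("content excluded:", inspect(WITH_PAREN, {"content"}))
    # The exclusion is per parameter: other fields are still inspected.
    print("title still checked:",
          inspect(form("hello", title="a) and 1=1"), {"content"}))
```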