
CRS 3.0 Blocking cf_clearence cookie from cloudflare #3985

@LaqueP

Description

We use the Cloudflare proxy; one of the default Cloudflare cookies is cf_clearance. The cookie sometimes uses the word gZip, and ModSecurity rule 932260 blocks the users:

Log Analysis
Rule triggered: 932260

This rule belongs to the OWASP CRS (Core Rule Set) rule set and is designed to detect attempts to execute Unix commands via parameters or cookies.
A match was found in the REQUEST_COOKIES value, in particular within the cf_clearance cookie.
Matching data:

ModSecurity found "Matched Data: gZIp" within a longer cf_clearance cookie value.
The cf_clearance cookie is generated by Cloudflare to manage security challenges such as DDoS and bot protection. This suggests that the matching data is not malicious, but part of a legitimate identifier.
Message:

The message "Remote Command Execution: Direct Unix Command Execution" suggests that the match might be related to common Unix command patterns (such as gzip, sh, bash, etc.), but here it seems to have been triggered due to an identifier containing strings similar to these patterns.
Severity: "CRITICAL"

Although the rule flags it as critical, matches within automatically generated cookies (such as those from Cloudflare) are often false positives.
Conclusion: Is this a false positive?
Yes, it is very likely a false positive, since:

The match occurs within a legitimate cookie (cf_clearance), automatically generated by Cloudflare.
There is no evidence that the data contains malicious commands or attempts to execute anything on the server.
This type of false positive is common when OWASP CRS rules are set to high paranoia levels.

How to reproduce the misbehavior (-> curl call)

Logs

{
"transaction": {
"unique_id": "wO@5i3iTVbwxCY6m@DA1HQIC",
"time_stamp": "Wed Jan 22 11:01:33 2025",
"client_ip": "2001:818:db6c:c400:7548:4439:1b36:5ec8",
"client_port": 51066,
"host_ip": "82.223.9.93:443",
"host_port": 0,
"request": {
"method": "GET",
"http_version": "HTTP/1.1",
"uri": "/pt/carrinho?action=show",
"headers": {
"host": "%%%%",
"cf-ray": "905eb40e898a03fa-LIS",
"x-forwarded-for": "2001:818:db6c:c400:7548:4439:1b36:5ec8",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"sec-fetch-dest": "document",
"accept-encoding": "gzip, br",
"cf-ipcountry": "PT",
"x-forwarded-proto": "https",
"referer": "%%%%",
"user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.78 Mobile/15E148 Safari/604.1",
"cf-visitor": "{"scheme":"https"}",
"accept-language": "pt-PT,pt;q=0.9",
"sec-fetch-mode": "navigate",
"cf-connecting-ip": "2001:818:db6c:c400:7548:4439:1b36:5ec8",
"priority": "u=0, i",
"sec-fetch-site": "cross-site",
"cdn-loop": "cloudflare; loops=1",
"cookie": "_ga=GA1.1.1534659716.1732878855; _ga_HZQ7LDT626=GS1.1.1737421008.73.0.1737421008.60.1.2109300929; _ga_KLEDLPJ1JM=GS1.1.1737421008.73.0.1737421008.60.0.0; _gcl_au=1.1.1054938630.1732878854.1894262729.1737421009.1737421008; cf_clearance=gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-ZeiAaLmxs0Y2PD7CWtkoy5UMeY4qpnOmtHDlQgYaLyYhdH8Wgs6Kjo8tUCS_YmdxHkBVOnVG7M.9HCA5KUVUUaDwkbHDB8x6Y8OWHt6_Bet0tFtGfLCvfJlGdLY725awtA_cuNg3QJOoUT6bFgycFXvtRIqedl.9iCP9N6s1_G_Sfsy7XxyAVN.CoF5.o.PkFRAoqqd0M_RX9EB_0y91FsGNEYkPeuFIw32frHwoiceO.J_PDdFCsB1GHKtTsj_x39tj1TdvLEOfJBnJnbnn1073gbV811bbX127bdFWeok; PrestaShop-85b5473ccb53750cdc6085e3d5980778=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; __cmpcccx84673=aBQLc78HgBQAzADSAGwAcAKAABAAOABcADQAKAAYgA-ACCAIcAkYDiQIkgWBAswBaIEwQJvQUaAqWBVGAOsd9ZRSytXlJPMWe7egggA; __cmpconsentx84673=CQLbVYAQLbVYAAfKhCENBZFgAAAAAAAAAAigF5wAgEeALzAvOACAvMAA; PrestaShop-c8ce14239e43b834c60c5f0a993afef0=def5020063480b8063f9810bef3e6ec5ba1815d6cc12e91863b11e5273bcabadb852f2491206c3767c03bedb1bb3a560801b99d8d90d42f1424816cfe9ec63f6e477fec5a5c6fba156e4003a90ea48f527ef43081ff4e6a299986e1c80187c7d35841b60add290b06e07dfaffabeeb79852e13ac07ed148137a73e2cb1c8840cb1be0ca6d2652cbfaee2ca63e1a84b47effbfa1e4a825540ddff6f83649d7ccb096a1703fa8e0687c058b9c998ea435e032cd37194022a349c0921c3a3ab2107597476e9a114b782f046fb4e9476b2540e802b267eec56eae33717f9043b0198a2; PrestaShop-214e927193d7be86bf814c650ebf44a7=def5020009c70170669ceaa921d8caf43787a0594a2d0a4325b24c3b51e01623ed02e0b0d528c5b6bbba59deb1c3d1d4927f4e19552ea39c2605b85a4d2a04f1c2c2d4ad46ee866ccfe534f5483479e9e3946d38edf0b7e35a0bc6fc925999b697af055f4a4d28f6e97742811552ad1f0219bca01d7b7573c38c0c307ac2fbe8bac4234684cfd7a56218f0cb13d55545f60ced8451153af40dd4885b912942ab6d8c4718e6be4acd4b1f38252829860be6ca29687ea6f171e5c134d33187d89e71abac5a11b61d9cb0ff1cbcb92553f306d5d32d7785cfec5c; PHPSESSID=dmt21e6phpn31r481quvpbf4qv"
}
},
"response": {
"http_code": 406
},
"messages": [
{
"message": "Remote Command Execution: Direct Unix Command Execution",
"details": {
"match": "Matched Operator '@rx (?i)(?:^|b[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?u[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?s[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?y[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?b[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?o[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?x|c[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?o[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?m[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?m[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?a[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?n[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?d|e[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?(?:n[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?v|v[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?a[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?l)|[ls][\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?t[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?r[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?a[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?c[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?e|n[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?o[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?h[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?u[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?p|t[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?i[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?m[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\
-0-9\?@_a-\{])?\x5c?e(?:[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?o[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?u[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?t)?|w[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?a[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?t[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?c[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?h|[\n\r;=\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]\))[\s\x0b](?:[\$\{]|(?:[\s\x0b]\(|!)[\s\x0b]|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]|\$(?:.|.)|[<>].|'.'|\".\")[\s\x0b]+)[\s\x0b][\"'](?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c](?:a(?:ddgroup|nsible)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:ef[\s\x0b&\)\-<>\|]|g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\x0b&\)<>\|]|proc)|(?:ron|scli)[\s\x0b&\)<>\|])|d(?:iff[\s\x0b&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\x0b&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\x0b&\)<>\|]|l[\s\x0b&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\x0b&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[23]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[\s\x0b&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\x0b&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z
|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw|sudo)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:c(?:at|mp)|diff|[ef]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))' against variable 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*'",
"ruleId": 932260,
"file": "/etc/modsecurity.d/REQUEST-932-APPLICATION-ATTACK-RCE.conf",
"lineNumber": 538,
"data": "gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-ZeiAaLmxs0Y2PD7CWtkoy5UMeY4qpnOmtHDlQgYaLyYhdH8Wgs6Kjo8tUCS_YmdxHkBVOnVG7M.9HCA5KUVUUaDwkbHDB8x6Y8OWHt6_Bet0tFtGfLCvfJlGdLY725awtA_cuNg3QJOoUT6bFgycFXvtRIqedl.9iCP9N6s1_G_Sfsy7XxyAVN.CoF5.o.PkFRAoqqd0M_RX9EB_0y91FsGNEYkPeuFIw32frHwoiceO.J_PDdFCsB1GHKtTsj_x39tj1TdvLEOfJBnJnbnn1073gbV811bbX127bdFWeok",
"msg": "Remote Command Execution: Direct Unix Command Execution",
"logdata": "Matched Data: gZIp found within gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-ZeiAaLmxs0Y2PD7CWtkoy5UMeY4qpnOmtHDlQgYaLyYhdH8Wgs6Kjo8tUCS_YmdxHkBVOnVG7M.9HCA5KUVUUaDwkbHDB8x6Y8OWHt6_Bet0tFtGfLCvfJlGdLY725awtA_cuNg3QJOoUT6bFgycFXvtRIqedl.9iCP9N6s1_G_Sfsy7XxyAVN.CoF5.o.PkFRAoqqd0M_RX9EB_0y91FsGNEYkPeuFIw32frHwoiceO.J_PDdFCsB1GHKtTsj_x39tj1TdvLEOfJBnJnbnn1073gbV811bbX127bdFWeok: gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-ZeiAaLmxs0Y2PD7CWtkoy5UMeY4qpnOmtHDlQgYaLyYhdH8Wgs6Kj...",
"severity": "CRITICAL",
"tags": [
"application-multi",
"language-shell",
"platform-unix",
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/152/248/88",
"PCI/6.5.2"
]
}
}
]
}
}

Your Environment

  • CRS version (e.g., v3.0.13):
  • Paranoia level setting (e.g. PL1) :
  • ModSecurity version (e.g., 2.9.7):
  • Web Server and version or cloud provider / CDN (Litespeed 6.3 / Cloudflare):
  • Operating System and version: Almalinux 9

Confirmation

[ ] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
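A local rule exclusion that stops 932260 from inspecting only the cf_clearance cookie, added here as an example (this is not CRS project code and not part of the issue). The rule id 1001 and the exclusion file names are assumptions; the audit log above already shows that 932260's own target list excludes `/__utm/` cookies in the same way.

```apache
# Option 1: runtime exclusion, evaluated per transaction.
# Only when a cookie named cf_clearance is present, remove that single cookie
# from rule 932260's target list. Every other cookie, argument and XML node is
# still inspected by 932260, so the exclusion is as narrow as the false positive.
# Put this in a file loaded BEFORE the CRS rules (in CRS 3 the template for this
# is REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf). Id 1001 is an assumed free id
# in the local range; pick one that is unused in your deployment.
SecRule REQUEST_COOKIES_NAMES "@streq cf_clearance" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=932260;REQUEST_COOKIES:cf_clearance"

# Option 2: static exclusion with the same effect for every transaction.
# This directive edits an already loaded rule, so it must come AFTER the CRS
# rules (in CRS 3 the template for this is
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
SecRuleUpdateTargetById 932260 "!REQUEST_COOKIES:cf_clearance"
```

Use one of the two options, not both; after reloading, replay the request from the audit log and confirm that 932260 no longer fires while a request with a shell command in another cookie or parameter is still blocked.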
