We had a client that reported an issue with a customer getting a 403 error and then not being able to access the site. They were entering a value into a form that turned out was getting their IP banned, I'm guessing because it was being falsely flagged as a SQL injection attack. We have been able to replicate this by searching for the value that they had entered.
This is the value that was being passed by the form that also results in getting banned when searched:
4601 CVR 36'' x 96'' US26d'’ MLRXLM
There are several issues with this search phrase, including the right single quote mark (hex character 0x92) included after the apostraophe after US26d, plus the person using two apostrophes to search for inches instead of a double quote. After a bit of trial and error and testing I found that the cause of the flag is having two single quotes (apostrophes) followed by any text and then a third single quote (apostrophe) in the search term. So something like this also causes the ban:
''test'
or
''test''
or
36'' x 96''
However, these don't cause the ban:
'''
'test''
Is this something that can be handled since they are legitimate (if poorly formed) search terms and not SQL injection attacks? Or do we just have to tell the client that their customer entered invalid characters that were flagged as a security risk and hope they can educate their users better?
