Type: Bug
Resolution: Done-Errata
Product: Red Hat Enterprise Linux
Version: rhel-8.0.0
Severity: Low
Fixed In Version: mod_security_crs-3.3.4-3.el8_10.2
Other fields: rhel-stacks-web-servers, ssg_core_services
What were you trying to do that didn't work?
Form data "鹿沼市御成橋" (a street/city name in Japanese) is forbidden by mod_security_crs-3.3.4-3.el8.noarch.
Please provide the package NVR for which the bug is seen:
mod_security_crs-3.3.4-3.el8.noarch
How reproducible is this bug?:
1. Install mod_security_crs-3.3.4-3.el8.noarch and add "SecStatusEngine On" to /etc/httpd/conf.d/mod_security.conf:
~~~ /etc/httpd/conf.d/mod_security.conf
<IfModule mod_security2.c>
SecStatusEngine On
...
~~~
2. Create a test form HTML page:
~~~
cat << 'EOF' > /var/www/html/test-form.html
<form method="POST" action="test.html">
<input type="text" name="testdata">
<button>ok</button>
</form>
EOF
echo test > /var/www/html/test.html
~~~
3. Open http://webserver/test-form.html, enter "鹿沼市御成橋" and press the ok button.
~~~
[Mon Feb 10 20:22:06.092310 2025] [:error] [pid 10118:tid 140302354282240] [client 192.168.122.69:58840] [client 192.168.122.69] ModSecurity: Warning. Pattern match "^\\\\d.:+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.122.249"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "192.168.122.249"] [uri "/test-form.html"] [unique_id "Z6qmPqU@KiYMyTKHSJYGAAAAAIA"]
[Mon Feb 10 20:25:35.838619 2025] [:error] [pid 10118:tid 140302329104128] [client 192.168.122.69:58875] [client 192.168.122.69] ModSecurity: Warning. Pattern match "^\\\\d.:+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.122.249"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "192.168.122.249"] [uri "/test.html"] [unique_id "Z6qnD6U@KiYMyTKHSJYGAQAAAIM"], referer: http://192.168.122.249/test-form.html
[Mon Feb 10 20:25:35.839006 2025] [:error] [pid 10118:tid 140302329104128] [client 192.168.122.69:58875] [client 192.168.122.69] ModSecurity: Warning. Pattern match "[^\\\\xe4]\\\\xbc[^\\\\x9a][^\\\\xbe>][^\\\\xe7][^\\\\xa4]\\\\xbe>|<[^\\\\xbe][^\\\\xe7][^\\\\xa4]\\\\xbe" at ARGS:testdata. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \\xbc\\xe5\\xb8\\x82\\xe5\\xbe found within ARGS:testdata: \\xe9\\xb9\\xbf\\xe6\\xb2\\xbc\\xe5\\xb8\\x82\\xe5\\xbe\\xa1\\xe6\\x88\\x90\\xe6\\xa9\\x8b"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "192.168.122.249"] [uri "/test.html"] [unique_id "Z6qnD6U@KiYMyTKHSJYGAQAAAIM"], referer: http://192.168.122.249/test-form.html
[Mon Feb 10 20:25:35.839145 2025] [:error] [pid 10118:tid 140302329104128] [client 192.168.122.69:58875] [client 192.168.122.69] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "153"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.122.249"] [uri "/test.html"] [unique_id "Z6qnD6U@KiYMyTKHSJYGAQAAAIM"], referer: http://192.168.122.249/test-form.html
[Mon Feb 10 20:25:35.839267 2025] [:error] [pid 10118:tid 140302329104128] [client 192.168.122.69:58875] [client 192.168.122.69] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "92"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 8, 0, 0, 0"] [ver "OWASP_CRS/3.3.4"] [tag "event-correlation"] [hostname "192.168.122.249"] [uri "/test.html"] [unique_id "Z6qnD6U@KiYMyTKHSJYGAQAAAIM"], referer: http://192.168.122.249/test-form.html
~~~
4. Open http://webserver/test-form.html, enter "会社" and press the ok button.
~~~
[Mon Feb 10 20:28:40.020916 2025] [:error] [pid 10118:tid 140302303926016] [client 192.168.122.69:58893] [client 192.168.122.69] ModSecurity: Warning. Pattern match "^\\\\d.:+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "192.168.122.249"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "192.168.122.249"] [uri "/test.html"] [unique_id "Z6qnyKU@KiYMyTKHSJYGAgAAAIY"], referer: http://192.168.122.249/test-form.html
~~~
Expected results
These characters should not be banned.
Actual results
The combination of these three kanji, "沼市御", is prohibited. The three characters have no practical meaning on their own, but the combination "鹿沼市御成橋" (a city/street name in Japanese) is a common place name that is used often.
~~~
$ echo -e '\xe9\xb9\xbf\xe6\xb2\xbc\xe5\xb8\x82\xe5\xbe\xa1\xe6\x88\x90\xe6\xa9\x8b'
鹿沼市御成橋
$ echo -e '\xe6\xb2\xbc\xe5\xb8\x82\xe5\xbe\xa1'
沼市御
~~~
Links to: RHBA-2025:146600 mod_security_crs update
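The following Python script is an added example, not part of the bug report and not code from the OWASP CRS project. It shows why the three kanji in "沼市御" trip rule 941310 and how the anomaly score in the log reaches 8: the UTF-8 encodings of 沼 (E6 B2 BC) and 御 (E5 BE A1) contain the bytes 0xBC and 0xBE, which become `<` and `>` once a backend strips the high bit (the "US-ASCII malformed encoding" XSS trick the rule targets). The `RULE_941310_APPROX` regex is an approximation written for this example and is not the exact 3.3.4 regex (the real one is the pattern printed in the error log); it keeps the rule's core idea plus the two carve-outs for 会 and 社 that are visible in the logged pattern. The severity weights and threshold are the CRS 3.3 defaults.

```python
import re
from typing import List, Optional, Tuple

# Constructed from the bug report: the place name that was blocked (step 3) and the
# word that passed (step 4). ModSecurity inspects the raw UTF-8 bytes of ARGS, not
# Unicode code points, so every byte value matters.
PLACE_NAME = "鹿沼市御成橋"
COMPANY = "会社"

# CRS 3.3 default severity weights and inbound blocking threshold
# (tx.critical_anomaly_score=5 ... tx.inbound_anomaly_score_threshold=5).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5


def strip_high_bit(data: bytes) -> bytes:
    """Model the attack 941310 is written for: a backend that decodes input as 7-bit
    US-ASCII drops bit 7 of every byte, so 0xBC becomes '<' (0x3C) and 0xBE becomes
    '>' (0x3E), turning the bytes BC 73 63 72 69 70 74 BE into <script>."""
    return bytes(b & 0x7F for b in data)


def shadow_angle_brackets(text: str) -> List[Tuple[str, str]]:
    """List (character, bracket) for each character whose UTF-8 bytes contain 0xBC or
    0xBE, i.e. the bytes the rule treats as a disguised '<' or '>'."""
    hits: List[Tuple[str, str]] = []
    for ch in text:
        for b in ch.encode("utf-8"):
            if b == 0xBC:
                hits.append((ch, "<"))
            elif b == 0xBE:
                hits.append((ch, ">"))
    return hits


# Approximation of the 941310 check written for this example (assumption: NOT the exact
# regex shipped in CRS 3.3.4, which is the one printed in the error log). It keeps the
# rule's core idea, a 0xBC followed later by 0xBE or '>', plus the two carve-outs visible
# in the logged pattern: 0xBC must not be the middle byte of 会 (E4 BC 9A) and 0xBE must
# not be the last byte of 社 (E7 A4 BE).
RULE_941310_APPROX = re.compile(rb"(?<!\xe4)\xbc(?!\x9a)[^\xbe>]*(?<!\xe7\xa4)[\xbe>]")


def rule_941310_match(arg_value: str) -> Optional[bytes]:
    """Run the approximate check over the UTF-8 bytes of one request argument and
    return the matched span (what the log shows as 'Matched Data'), or None."""
    m = RULE_941310_APPROX.search(arg_value.encode("utf-8"))
    return m.group(0) if m else None


def evaluate_request(arg_value: str, host_is_ip: bool) -> Tuple[int, bool, List[str]]:
    """Tally the inbound anomaly score the way the log lines above do: 920350 (WARNING,
    +3) when the Host header is a bare IP address, 941310 (CRITICAL, +5) when the
    encoding check fires; 949110 then denies the request once the total reaches 5."""
    fired: List[str] = []
    score = 0
    if host_is_ip:
        fired.append("920350")
        score += SEVERITY_SCORE["WARNING"]
    if rule_941310_match(arg_value) is not None:
        fired.append("941310")
        score += SEVERITY_SCORE["CRITICAL"]
    return score, score >= INBOUND_THRESHOLD, fired


if __name__ == "__main__":
    for text in (PLACE_NAME, COMPANY):
        raw = text.encode("utf-8")
        print(f"{text}: {raw.hex(' ')}")
        print("  7-bit view        :", strip_high_bit(raw))
        print("  bytes read as tags:", shadow_angle_brackets(text))
        print("  941310 match      :", rule_941310_match(text))
        print("  score, blocked    :", evaluate_request(text, host_is_ip=True))
```

Running it reproduces the log: for 鹿沼市御成橋 the match is `\xbc\xe5\xb8\x82\xe5\xbe`, exactly the "Matched Data" in the 941310 line, and the score is 3 (920350) + 5 (941310) = 8, which is why 949110 returns 403; for 会社 only 920350 fires (score 3), matching step 4. Note that the numeric-Host warning alone is harmless, but it pushes any later single CRITICAL hit over the threshold, so testing against a hostname rather than an IP gives a cleaner picture of which rule is actually the problem. Until the errata build is installed, a practitioner who needs this form working should scope an exclusion to the affected parameter rather than disabling the rule, for example `SecRuleUpdateTargetById 941310 "!ARGS:testdata"` in the CRS exclusion file that is loaded after the rules.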