ModSecurity

Sub Zero wrote:
> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
> ARG("PHPSESSID")
> 
> How do I add ; to the argument seperators?

Put in the character set "!^[0-9a-f;]*$"

Tom

>> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>> ARG("PHPSESSID")
>> 
>> How do I add ; to the argument seperators?
>
> Put in the character set "!^[0-9a-f;]*$"

Is this an internal bug of mod_security? Can't I define ; as an argument
seperator like &?

Tom, you can see that adding ; to the characterset will not fix those issues
(because of other parameters in the url like board=10.0 or topic=9.new or
etc) but open more PHPSESSID security vulnerabilities.. I also do not want
to extend a-f to another characterset...

Sub Zero wrote:
>>>Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>>>ARG("PHPSESSID")
>>>
>>>How do I add ; to the argument seperators?
>>
>>Put in the character set "!^[0-9a-f;]*$"
> 
> 
> Is this an internal bug of mod_security? Can't I define ; as an argument
> seperator like &?
> 
> Tom, you can see that adding ; to the characterset will not fix those issues
> (because of other parameters in the url like board=10.0 or topic=9.new or
> etc) but open more PHPSESSID security vulnerabilities.. I also do not want
> to extend a-f to another characterset...

I see.  I hadn't realized semicolons were valid separators.  It would 
seem that the mod_security argument parsing needs to be modified, as 
semicolons appear to be RFC-compliant and W3C-recommended separators.

http://www.freesoft.org/CIE/RFC/1808/index.htm
http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2
http://www.w3.org/QA/2005/04/php-session

Tom

Tom Anderson wrote:

> I see.  I hadn't realized semicolons were valid separators.  It would 
> seem that the mod_security argument parsing needs to be modified, as 
> semicolons appear to be RFC-compliant and W3C-recommended separators.
> 
> http://www.freesoft.org/CIE/RFC/1808/index.htm
> http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2
> http://www.w3.org/QA/2005/04/php-session

I was reading much the same docs prior to posting a "Why are you using a ; as 
a query separator?" response...

The SGML encoding headache is a fair point. Storing the text "&" inside, 
for instance, an XML file that is parsed and then displayed in a browser can 
leave you having to double escape it as "&". (I believe there are 
several support groups who help people recover from this sort of trauma)

1.9.2 seems to hardcode the "&" character in a couple of places. (is the 
separator normalised at some point?) Is it possible to defer to an outside 
authority for the accepted separator characters by the time mod_sec has hold 
of the query?

If it's possible to alternate between characters in a single request, I 
imagine that this could be used to evade certain rules in much the same way as 
the v0/v1 cookie parsing pitfall:

scripts/script.php?first=1&second=2;payload=evilcode&third=3...


Terry.

> Tom
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live 
> webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>

Sub Zero wrote:
>>> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>>> ARG("PHPSESSID")
>>>
>>> How do I add ; to the argument seperators?
>> Put in the character set "!^[0-9a-f;]*$"
> 
> Is this an internal bug of mod_security? Can't I define ; as an argument
> seperator like &?

  I wouldn't call it a bug. It's more like a missing feature.


> Tom Anderson wrote:
>
> I see.  I hadn't realized semicolons were valid separators.  It would
> seem that the mod_security argument parsing needs to be modified, as
> semicolons appear to be RFC-compliant and W3C-recommended separators.
>
> http://www.freesoft.org/CIE/RFC/1808/index.htm

  BTW, the RFC you cited does not define the contents of the
  query parameter. The semicolons refer to path parameters, which
  are different (and, as far as I know, not used in HTTP).


> http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2

  Recommendations like that are seldom helpful. Standards
  need to be *very* clear about encodings, with no room
  for interpretation. Otherwise we get in a mess, like,
  for example, with the cookies specifications.


Tom Anderson wrote:
> 1.9.2 seems to hardcode the "&" character in a couple of places.

  It does. I'll probably add support this feature in the
  next release.


-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net