Re: [mod-security-users] how to resolve this problem? v1.9.4 question.(Again)
From: Brian R. <Bri...@br...> - 2007-11-20 17:28:06
See comments inline...

gyo...@hi... wrote:
> Sorry,
> I missed the modsecurity debug log in the last mail.
> Please see this one.
>
> Everyone,
>
> I have been stuck on this problem.
> Help is greatly appreciated.
>
> The part of the modsecurity debug log
> ########
> [20/Nov/2007:15:40:59 +0900] [localhost/sid#3dc320][rid#29f8830][/securitytest.html][2] Checking signature "(\"|\\').*[<>]|<[\\s]*input" at ARGS_SELECTIVE
> [20/Nov/2007:15:40:59 +0900] [localhost/sid#3dc320][rid#29f8830][/securitytest.html][4] Checking against "hid_RouteValue='1;;\x8c\xe4\x92\x83\x83m\x90\x85\x81i\x82i\x82q\x81j;\x8fH\x97t\x8c\xb4;2007/11/16;09:01;2007/11/16;09:03;\x95\x81\x92\xca;JR;\x82i\x82q\x91\x8d\x95\x90\x90\xfc\x8ae\x92\xe2\x89\xba\x82\xe8;130;;9;on;on'&PCodeNameGetKind=&PCodeNameGetIndex=&PCodeNameGetType=&PCodeNameGetCode=&PCodePattern1=*[0-9,A-Z]&PCodePattern2=@[A-Z]&PCodePattern3=$[0-9]&FormerBusiness=&hidCalledform=&hidinterYear=&hidinterMonth=&hidinterDays=&DivAdjust=&DaysTrip=ON&chkDivAdjust=&chkDaysTrip=ON&cboBusinTripDiv=001;\x88\xea\x94\xca\x8fo\x92\xa3\x81i\x93\xaf\x88\xea\x92n\x88\xe6\x93\xe0\x81j;1;1;0;&dtxtBusinTripPerStart=20071116&dtxtBusinTripPerEnd=20071116&dtxtAdjustPeriodStart=20071116&dtxtAdjustPeriodEnd=20071116&DefAdjustPeriodStart=20071116&DefAdjustPeriodEnd=20071116&isHrDispControl=true&TehainaiyouDispFlag=OFF&TehaiInfoCounter=0&KYU_TRAVEL_BIGIN_DATE=&NumberOfDaysFlg1=0&chkDaysTrip1=on&DivisionRouteCheck1=&NumberOfDaysFlg2=1&SeisanInfoCounter1=2&TrafficSyohyoKubun1=0&TrafficSyohyoKubun2=0&TrafficSyo
> [20/Nov/2007:15:40:59 +0900] [localhost/sid#3dc320][rid#29f8830][/securitytest.html][9] Check took 0 usec
> [20/Nov/2007:15:40:59 +0900] [localhost/sid#3dc320][rid#29f8830][/securitytest.html][1] Warning. Pattern match "(\"|\\').*[<>]|<[\\s]*input" at ARGS_SELECTIVE [msg "XSS attack"] [severity "EMERGENCY"]
> [20/Nov/2007:15:40:59 +0900] [localhost/sid#3dc320][rid#29f8830][/securitytest.html][9] Signature check returned 0
> ########
>
> My HTTP postbody is like below. It is decoded plain text. Full length is 1632 bytes.
> ########
> hid_RouteValue='1;;?miiqj;Ht;2007/11/16;09:01;2007/11/16;09:03;;JR;iqe?;130;;9;on;on'&PCodeNameGetKind=&PCodeNameGetIndex=&PCodeNameGetType=&PCodeNameGetCode=&PCodePattern1=*[0-9,A-Z]&PCodePattern2=@[A-Z]&PCodePattern3=$[0-9]&FormerBusiness=&hidCalledform=&hidinterYear=&hidinterMonth=&hidinterDays=&DivAdjust=&DaysTrip=ON&chkDivAdjust=&chkDaysTrip=ON&cboBusinTripDiv=001;?oinj;1;1;0;&dtxtBusinTripPerStart=20071116&dtxtBusinTripPerEnd=20071116&dtxtAdjustPeriodStart=20071116&dtxtAdjustPeriodEnd=20071116&DefAdjustPeriodStart=20071116&DefAdjustPeriodEnd=20071116&isHrDispControl=true&TehainaiyouDispFlag=OFF&TehaiInfoCounter=0&KYU_TRAVEL_BIGIN_DATE=&NumberOfDaysFlg1=0&chkDaysTrip1=on&DivisionRouteCheck1=&NumberOfDaysFlg2=1&SeisanInfoCounter1=2&TrafficSyohyoKubun1=0&TrafficSyohyoKubun2=0&TrafficSyohyoKubun3=1&TrafficSyohyoKubun4=1&TrafficSyohyoKubun5=1&TrafficSyohyoKubun6=1&TrafficSyohyoKubun7=0&OutboxAccountStartDate=&LastAdmitDate=&SlipNo=2293&SameArrangeNo=1&AccountSplitCorrectNo=1&AccountSplitCorrectNoOld=&AccountSplitCorrectFmNo=&SlipNoNewCreationFlag=ON&LastAdmitDateStr=&CorrectNoFlag=ON&ArrangeSplitNo=1&AdjustStatus=&SaishuDispFlag=ON&DivisionRouteCheck=&toa_status=&toa_action=&SLIP_NO=&SAME_ARRANGE_NO=&PARTY_ARRANGE_NO=&companyCode=023060&T13_TRAVEL_BIGIN_DATE=20071116&T13_TRAVEL_END_DATE=20071116&inputFlg=ON&toa_scheduleBeginYear=&toa_scheduleBeginMonth=&toa_scheduleBeginDay=&toa_scheduleEndYear=&toa_scheduleEndMonth=&toa_scheduleEndDay=&toa_prefectures=&toa_city=&toa_distination=&toa_purpose=&toa_interview=&optSubject1=&AdmitRoute=A&AdmitRouteBefore=&AdmitRouteAfter= -> x?(F) -> v?(F)
> ########
>
> My rule
> ########
> SecFilterSelective ARGS_VALUES|!ARG_hidSeisanInputData "(\"|\').*[<>]|<[\s]*input"
> ########
>
>
> My questions:
> 1. Regarding the second line in the modsecurity debug log, the postbody string was cut off in the "Checking against" part.
> Why did modsecurity not check the full postbody string with this rule?

In 1.9.x the debug string (the "Checking against ..." part) is limited to 1024 bytes and you are hitting that, so it is being cut off in the log.

> 2. I want to check parameters other than "hidSeisanInputData" in my rule, but the debug log says I have a RE pattern "(\"|').*[<>]|<[\\s]*input".
> I cannot find any value in my postbody that includes this type of string. What am I missing?

Without the ORs and character sets you essentially have this in the RE: "'.*<" which matches the data string from the first "'" to the last ">":

'1;;?miiqj<long_string_removed>;-> x?(F) ->

> I use ModSecurity v1.9.4 and Apache 2.2.4.0 for the test.
> The above log information was recorded on Windows XP Pro. Also, the same problem occurred on Linux AS 4.0.

This would not happen in ModSecurity 2.x. Why use 1.9.x on Apache 2.x? You should switch to 2.1.x for Apache 2.x. Really, the only good reason for staying with 1.9.x is for Apache 1.3 support.

thanks,
-B

--
Brian Rectanus
Breach Security
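The following Python script is an added illustration of Brian's explanation, not code from the thread or from ModSecurity: it applies the rule's pattern to a constructed, shortened stand-in for the 1632-byte POST body and shows the match running from the first ' in one parameter to the last > in another. The per-parameter check at the end goes beyond the thread; it assumes each decoded ARGS value is tested on its own and shows that the same pattern then matches nothing.

```python
import re

# The regex from the SecFilterSelective rule in the thread, unchanged;
# Python's re module accepts this PCRE-style pattern as written.
XSS_PATTERN = re.compile(r"(\"|\').*[<>]|<[\s]*input")

# Constructed, shortened stand-in for the decoded POST body in the thread:
# a quoted value near the start and a benign "->" marker in the last value.
SAMPLE_BODY = (
    "hid_RouteValue='1;;miiqj;2007/11/16;09:01;JR;130;;9;on;on'"
    "&PCodePattern1=*[0-9,A-Z]&DaysTrip=ON"
    "&AdmitRoute=A&AdmitRouteBefore=&AdmitRouteAfter= -> x?(F) -> v?(F)"
)


def explain_match(pattern, body):
    """Return (matched_text, start, end) of the first match, or None."""
    m = pattern.search(body)
    if m is None:
        return None
    return (m.group(0), m.start(), m.end())


def span_bounds(body):
    """Describe the whole-body match: it starts at the first quote and,
    because .* is greedy, backtracks only to the LAST < or > in the body."""
    result = explain_match(XSS_PATTERN, body)
    if result is None:
        return None
    _, start, end = result
    return {
        "starts_at_first_quote": body.find("'") == start,
        "ends_at_last_angle": max(body.rfind("<"), body.rfind(">")) == end - 1,
        "length": end - start,
    }


def per_value_matches(body):
    """Assumption beyond the thread: test each decoded parameter value on
    its own. The quote and the > live in different parameters, so none of
    the individual values matches the pattern."""
    hits = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if XSS_PATTERN.search(value):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(explain_match(XSS_PATTERN, SAMPLE_BODY))
    print(span_bounds(SAMPLE_BODY))
    print(per_value_matches(SAMPLE_BODY))
```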