Re: [mod-security-users] rsub
From: Breno S. <bre...@gm...> - 2013-03-18 01:04:39
Hello Mel,

I tested it here (mod_security 2.7.2). This is my html file:

<title> Crypto test - Request body limit</title>
<script> </script>
<form action="acao.php" method="POST">
Price <input type="hidden" name="price123" value="deportivo lacronia">
<input type="submit">
</form>

This is my rule:

SecRule STREAM_INPUT_BODY "@rsub s/deportivo\+lacronia/barcelona/" "phase:2,id:1111"

This is my debug log:

[17/Mar/2013:20:57:50 --0400] [ 192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][5] Rule 225147d8: SecRule "STREAM_INPUT_BODY" "@rsub s/deportivo\\+lacronia/barcelona/" "phase:2,log,auditlog,pass,id:1111"
[17/Mar/2013:20:57:50 --0400] [ 192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][4] Transformation completed in 4 usec.
[17/Mar/2013:20:57:50 --0400] [ 192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][4] Executing operator "rsub" with param "s/deportivo\\+lacronia/barcelona/" against STREAM_INPUT_BODY.
[17/Mar/2013:20:57:50 --0400] [ 192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][9] Target value: "price123=deportivo+lacronia"
[17/Mar/2013:20:57:50 --0400] [ 192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][4] Operator completed in 28 usec.
[17/Mar/2013:20:57:50 --0400] [ 192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][2] Warning. Operator rsub succeeded. [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "611"] [id "1111"]
[17/Mar/2013:20:57:50 --0400] [ 192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][4] Rule returned 1.
Finally, this is the result:

--41def037-B--
POST /acao.php HTTP/1.1
Host: 192.168.0.100
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://192.168.0.100/
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

--41def037-C--
price123=deportivo+lacronia

--41def037-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 59
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html

--41def037-E--
Buying an Iphone for *barcelona* dollars

As you can see, it looks like it is working. If you want to, send me your html file. I can test with your data soon.

Thanks
Breno

On Sun, Mar 17, 2013 at 7:39 AM, Mel Brooks <dep...@gm...> wrote:

> Dear Friends,
>
> rsub operator doesn't detect space character, for example the below rule won't
> work:
>
> SecRule STREAM_INPUT_BODY "@rsub s/deportivo lacronia/barcelona/" "phase:2,id:1800004,t:none,noauditlog,pass"
>
> is there any way to fix it or is there another way to change the request
> content which may have a space in it?
>
> Thanks a lot
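The reason the space version never matches, worked through as an added example (not code from this thread or from ModSecurity): the browser posts the form as application/x-www-form-urlencoded, so STREAM_INPUT_BODY carries "price123=deportivo+lacronia" and the rsub regex has to match the encoded "+" (or "%20"), not a literal space. The parse_rsub/apply_rsub helpers are a simplified stand-in for the operator's s/regex/replacement/ handling and assume "/" is the delimiter with no escaped slashes and no flags.

```python
# Added example (not from the thread or from ModSecurity): why the rsub regex
# must match the URL-encoded body that STREAM_INPUT_BODY carries.
import re
from typing import Tuple
from urllib.parse import parse_qs, urlencode


def form_body(fields: dict) -> str:
    """Encode fields the way a browser posts an
    application/x-www-form-urlencoded form: a space becomes '+'."""
    return urlencode(fields)


def parse_rsub(param: str) -> Tuple[str, str]:
    """Split a simplified 's/regex/replacement/' rsub parameter.
    Assumption: '/' is the delimiter and is not escaped inside either part
    (true for the rules in this thread); flags are not handled."""
    if not param.startswith("s/") or param.count("/") < 3:
        raise ValueError("not an s/regex/replacement/ expression: %r" % param)
    _, regex, replacement, _ = param.split("/", 3)
    return regex, replacement


def apply_rsub(stream_body: str, param: str) -> Tuple[str, bool]:
    """Apply the substitution to the raw, still URL-encoded body, which is
    what a STREAM_INPUT_BODY rule sees. Returns (new body, matched?)."""
    regex, replacement = parse_rsub(param)
    new_body, count = re.subn(regex, replacement, stream_body)
    return new_body, count > 0


def decoded_field(stream_body: str, name: str) -> str:
    """The value the application (or ARGS) sees after URL-decoding."""
    return parse_qs(stream_body)[name][0]


if __name__ == "__main__":
    body = form_body({"price123": "deportivo lacronia"})  # constructed input
    print(body)  # price123=deportivo+lacronia, the same target value as the debug log
    # Literal space in the regex (Mel's rule): no match, body unchanged.
    print(apply_rsub(body, "s/deportivo lacronia/barcelona/"))
    # Escaped '+' (Breno's rule): matches and rewrites the stream.
    print(apply_rsub(body, r"s/deportivo\+lacronia/barcelona/"))
    # A client may encode the space as %20 instead; one regex can cover both.
    print(apply_rsub("price123=deportivo%20lacronia",
                     r"s/deportivo(\+|%20)lacronia/barcelona/"))
```

Because the operator runs on the raw stream before any URL-decoding, the same caveat applies to any value that contains characters a form encoder rewrites, not just spaces.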