Re: [mod-security-users] rsub

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello Mel,

I tested it here (mod_security 2.7.2)

This is my html file:

<title> Crypto test - Request body limit</title>
<script>
</script>
<form action="acao.php" method="POST">
 Price <input type="hidden" name="price123" value="deportivo lacronia">
 <input type="submit">
</form>

This is my rule:
SecRule STREAM_INPUT_BODY "@rsub s/deportivo\+lacronia/barcelona/"
"phase:2,id:1111"

This is my debug log:

[17/Mar/2013:20:57:50 --0400] [
192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][5] Rule 225147d8:
SecRule "STREAM_INPUT_BODY" "@rsub s/deportivo\\+lacronia/barcelona/"
"phase:2,log,auditlog,pass,id:1111"
[17/Mar/2013:20:57:50 --0400] [
192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][4] Transformation
completed in 4 usec.
[17/Mar/2013:20:57:50 --0400] [
192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][4] Executing operator
"rsub" with param "s/deportivo\\+lacronia/barcelona/" against
STREAM_INPUT_BODY.
[17/Mar/2013:20:57:50 --0400] [
192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][9] Target value:
"price123=deportivo+lacronia"
[17/Mar/2013:20:57:50 --0400] [
192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][4] Operator completed
in 28 usec.
[17/Mar/2013:20:57:50 --0400] [
192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][2] Warning. Operator
rsub succeeded. [file
"/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line
"611"] [id "1111"]
[17/Mar/2013:20:57:50 --0400] [
192.168.0.100/sid#227ef3c8][rid#22c07250][/acao.php][4] Rule returned 1.

Finally this is the result:

--41def037-B--
POST /acao.php HTTP/1.1
Host: 192.168.0.100
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://192.168.0.100/
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

--41def037-C--
price123=deportivo+lacronia
--41def037-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 59
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html

--41def037-E--
Buying an Iphone for *barcelona* dollars

As you can see looks like it is working.
If you want to send me yout html file. I can test with your data soon.

Thanks

Breno

On Sun, Mar 17, 2013 at 7:39 AM, Mel Brooks <dep...@gm...>wrote:

> Dear Friends,
>
>
> rsub operator doesn't detect space character, for example below rule won't
> work:
>
> SecRule STREAM_INPUT_BODY "@rsub s/deportivo lacronia/barcelona/"
> "phase:2,id:1800004,t:none,noauditlog,pass"
>
> is there any way to fix it or is there another way to change the request
> content which may has space in it?
>
> Thanks a lot
>
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
>