Re: [mod-security-users] Re: Vbulletin 3.5.2 and mod_security
From: Ivan R. <iv...@we...> - 2006-03-14 15:12:13
Thomas Behrend wrote:
> Terry Dooher wrote:
>
>> This rule will essentially do nothing at all. pass allows you to log matching entries with actions such as 'log,pass'. Using it on its own or with nolog will do nothing.
>>
>> To explicitly accept a request based on a match, you need to use the allow action:
>>
>> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog
>>
>> Of course, you'll have to be careful where exactly this rule appears. If you put it at the top, then anyone can subvert the rest of your rule set by simply inserting a euro character in their request. It's good practice to put your allow rules right at the bottom of the list. Of course, if one of your other rules triggers a 'deny' on similar content, then the request will never reach this rule and you'll have to figure out some sort of chaining.
>>
>> I can't comment on the regular expression itself, however. I run a vBulletin 3.0 system myself and I'm curious as to what you're trying to match with the \|+ and \| at either end of it.
>>
>> Terry.
>>
> It was one of many tries to get it working, but none worked, not allow, not pass, no QUERY_STRING rule, really nothing. The only workaround for it was to deactivate the CheckURLEncoding option. For now it's working without postscanning, but I will try it without ajax, maybe I have more luck without it.

It didn't work because:

1) URL-encoding is checked before any rules are run.

2) You used THE_REQUEST as the target:

   SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog

and the problem was in the request payload (POST_PAYLOAD).

BTW, please subscribe to the list to have your posts go directly through.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
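The two reasons Ivan gives (the URL-encoding check runs before any rule, and THE_REQUEST does not cover the POST body) can be modelled in a few lines. The following is an added example, not code from the thread or from ModSecurity: it is a simplified model of ModSecurity 1.x request processing, with a strict percent-encoding validator standing in for SecFilterCheckURLEncoding, THE_REQUEST modelled as the request line only, and POST_PAYLOAD as the body. The sample request, the `/forum/ajax.php` path and the blocking rule are constructed for the example. It matches the literal sequence `%u20AC` rather than the thread's `[\%u20AC]`, which as a character class matches any single one of those characters.

```python
import re
from collections import namedtuple

# Constructed sample: a vBulletin-style AJAX post whose body carries a euro sign
# in the non-standard %uXXXX form. Path and field names are made up for this example.
SAMPLE_REQUEST = {
    "request_line": "POST /forum/ajax.php HTTP/1.1",
    "body": "do=updatepost&message=Price+is+%u20AC50",
}

Rule = namedtuple("Rule", "target pattern actions")


def url_encoding_valid(data):
    """Strict percent-encoding check: every '%' must be followed by exactly two
    hex digits. '%u20AC' fails because 'u2' is not a hex pair. This is a
    simplified model of the SecFilterCheckURLEncoding validation, not
    ModSecurity's own code (assumption)."""
    i = 0
    while i < len(data):
        if data[i] == "%":
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", data[i + 1:i + 3]):
                return False
            i += 3
        else:
            i += 1
    return True


def target_text(req, target):
    """Text a rule target is matched against. THE_REQUEST is the request line
    (method, URI, protocol); the POST body is only visible via POST_PAYLOAD."""
    if target == "THE_REQUEST":
        return req["request_line"]
    if target == "POST_PAYLOAD":
        return req["body"]
    raise ValueError("unknown target: " + target)


def process_request(req, rules, check_url_encoding=True):
    """Return (outcome, reason). Models the ordering the thread explains: the
    encoding check runs before any rule, so no allow rule can exempt a request
    that fails it; then rules run top to bottom, where 'allow' accepts and stops,
    'deny' rejects, and 'pass' (with or without nolog) only continues."""
    if check_url_encoding:
        for part in (req["request_line"], req["body"]):
            if not url_encoding_valid(part):
                return ("deny", "url-encoding-check")
    for rule in rules:
        if re.search(rule.pattern, target_text(req, rule.target)):
            if "allow" in rule.actions:
                return ("allow", "rule:" + rule.target)
            if "deny" in rule.actions:
                return ("deny", "rule:" + rule.target)
            # 'pass': keep evaluating the remaining rules
    return ("allow", "default")


# A generic later rule that rejects %u sequences in the body, standing in for
# whichever rule was actually blocking the post (constructed, not from the thread).
BLOCKING_RULE = Rule("POST_PAYLOAD", r"%u[0-9A-Fa-f]{4}", ("deny", "log"))


def outcomes():
    """Run the three cases discussed in the thread and return their results."""
    the_request_allow = Rule("THE_REQUEST", r"%u20AC", ("allow", "nolog"))
    post_payload_allow = Rule("POST_PAYLOAD", r"%u20AC", ("allow", "nolog"))
    return {
        # encoding check on: rejected before the rules ever run
        "check_on": process_request(SAMPLE_REQUEST, [post_payload_allow, BLOCKING_RULE]),
        # check off, allow rule on the wrong target: body never inspected, later deny fires
        "check_off_the_request": process_request(
            SAMPLE_REQUEST, [the_request_allow, BLOCKING_RULE], check_url_encoding=False),
        # check off, allow rule on POST_PAYLOAD: matches and accepts
        "check_off_post_payload": process_request(
            SAMPLE_REQUEST, [post_payload_allow, BLOCKING_RULE], check_url_encoding=False),
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(name, result)
```

The allow rule is placed before the blocking rule here only to isolate the target question; as Terry notes, an allow rule at the top lets any request carrying the matching character skip the rest of the rule set, and one at the bottom is never reached if an earlier rule denies the same content. Disabling the encoding check, the workaround Thomas found, removes the pre-rule validation for every request, so scoping that change as narrowly as the configuration allows is the safer choice.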