Re: [mod-security-users] Re: Vbulletin 3.5.2 and mod_security

[Ivan R. <iv...@we...>]

Thomas Behrend wrote:
> Terry Dooher wrote:
> 
>> This rule will esssentially do nothing at all. pass allows you to log
>> matching entries with actions such as 'log,pass'. Using it on its own or
>> with nolog will do nothing.
>>
>> To explicitly accept a request based on a match, you need to use the
>> allow action:
>>
>> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog
>>
>> Of course, you'll have to be careful where exaclty this rule appears. If
>> you put it at the top, then anyone can subvert the reset of your rule
>> set by simply inserting a euro character in their request. It's good
>> practice to put your allow rules right at the bottom of the list. Of
>> course, if one of your other rules triggering a 'deny' on similar
>> content, then the request will never reach this rule and you'll have to
>> figure out some sort of chaining.
>>
>> I can't comment on the regular expression itself, however. I run a
>> vBulletin 3.0 system myself and I curious as to what you're trying to
>> match with the \|+  and \| at either end of it.
>>
>> Terry.
>>
> It was one of many trys to get it working, but none worked, not allow,
> not pass, no QUERY_STRING rule, realy noting. The only workaround for it
> was to deactivate the CheckURLEncoding option. For now its working
> without postscanning, but i will try it without ajax, maybe i have more
> luck without it.

  It didn't work because:

  1) URL-encoding is checked before any rules are run.

  2) You used THE_REQUEST as the target:

    SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog

  and the problem was in the request payload (POST_PAYLOAD).

  BTW, please subscribe to the list to have your posts go directly
  through.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net