Re: [mod-security-users] Please what rule have i to deactivate?
From: Ryan B. <rcb...@gm...> - 2006-08-05 16:21:14
Refer to the mod_security message info in the audit_log entry below -

mod_security-message: Access denied with code 403. Error normalising REQUEST_URI: *Invalid URL encoding detected*: invalid characters used

This was triggered by the "SecFilterCheckURLEncoding On" directive. It inspected the URL parameters and triggered on the "%" signs that were not followed by valid 2 digit HEX characters (example - genero=%&tema=). You either need to update the "titulos.php" script to fix how it uses the "%" character in the GET requests, or you need to set "SecFilterCheckURLEncoding Off".

One additional tip that is often recommended on the list when people have questions about why rules triggered - update the SecFilterDebugLevel to 9, make the request that is generating the problem and then look in the debug log for info. It usually will tell you which rule triggered on the request.

Cheers.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 8/5/06, Manu <rhe...@gm...> wrote:
>
> I have gotroot.com's mod_security rules installed. Now I have this
> audit_log when I made a mysql search with % character. This is the
> audit_log:
>
> ==0717e229==============================
> Request: www.domain.com 84.77.73.185 - - [03/Aug/2006:16:36:04 +0200] "GET
> /titulos.php?pageNum_titulos=1&totalRows_titulos=56&genero=%&tema=&titulo=amor&autor=&seleccioncdl=%
> HTTP/1.1" 403 8237 " http://www.domain.com/titulos.php" "Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1; SV1)" - "-"
> ----------------------------------------
> GET
> /titulos.php?pageNum_titulos=1&totalRows_titulos=56&genero=%&tema=&titulo=amor&autor=&seleccioncdl=%
> HTTP/1.1
> Accept: */*
> Referer: http://www.domain.com/titulos.php
> Accept-Language: es
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> Host: www.domain.com
> Connection: Keep-Alive
> Cookie: PHPSESSID=7c8192f8131b4785eeafc10b429a9b20
> mod_security-message: Access denied with code 403. Error normalising
> REQUEST_URI: Invalid URL encoding detected: invalid characters used
> mod_security-action: 403
>
> HTTP/1.1 403 Forbidden
> Last-Modified: Fri, 24 Mar 2006 14:39:22 GMT
> ETag: "1f0dfb-202d-9736da80"
> Accept-Ranges: bytes
> Content-Length: 8237
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
> --0717e229--
>
> I have deactivated some rules but I don't get the right rule. Please what
> rule have I to deactivate? Thanks in advance.
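
An added example, not part of the original message and not mod_security's own code: the condition Ryan describes (a "%" that is not followed by two hex digits) checked in Python against the request URI from the audit_log, together with the encoding the script would need to send for a literal "%". The function names are hypothetical.

```python
from urllib.parse import quote

# Request URI copied from the audit_log entry quoted in the message above.
REQUEST_URI = ("/titulos.php?pageNum_titulos=1&totalRows_titulos=56"
               "&genero=%&tema=&titulo=amor&autor=&seleccioncdl=%")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def find_invalid_escapes(text):
    """Return (offset, reason) for each '%' not followed by two hex digits."""
    problems = []
    i = 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) < 2:
                # Reason label is this example's own wording.
                problems.append((i, "truncated escape"))
            elif not set(pair) <= HEX_DIGITS:
                # Wording taken from the mod_security-message in the log.
                problems.append((i, "invalid characters used"))
            else:
                i += 2  # skip the two hex digits of a valid escape
        i += 1
    return problems


def offending_parameters(uri):
    """Names of the query parameters whose raw text holds a bad escape."""
    _, _, query = uri.partition("?")
    return [pair.split("=", 1)[0]
            for pair in query.split("&")
            if find_invalid_escapes(pair)]


def encode_query(params):
    """Build a query string with every value percent-encoded ('%' -> '%25')."""
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in params)


if __name__ == "__main__":
    print(find_invalid_escapes(REQUEST_URI))
    print(offending_parameters(REQUEST_URI))
    print(encode_query([("genero", "%"), ("titulo", "amor")]))
```

A query string built with `encode_query` carries the SQL wildcard as `%25`, which passes the URL-encoding check and is decoded back to `%` before the script sees it.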