[mod-security-users] problem with my regex and single line HTML comment in RESPONSE_BODY
From: Stephen C. E. <ste...@gm...> - 2008-06-27 12:00:48
Hi,

I'm having a problem with a regex. I want to prevent content in an HTTP response being returned as in:

    <!-- TODO admin:adminpw -->

My regular expression:

    <!--[ \r\n\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \r\n\t]* -->

works both in Regex Coach and Expresso 3.0 and on variations such as:

    <!-- Use Admin to regenerate database -->

which is what I want.

To try to make a long story short - without a bunch of debug stuff - it works as designed on the 'bad' pages with multiline HTML comments like above but when it processes a page with any HTML comment on one line (e.g. <!-- Stop Instructions -->) it chokes and stops processing the page.

My rule:

    SecRule RESPONSE_BODY "<!--[ \r\n\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \r\n\t]* -->" "phase:4,ctl:auditLogParts=+E,log,deny,status:501,auditlog,msg:'HTML comment source code leakage',id:'8',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"

Adding 'capture' to the rule as in "phase:4,capture,ctl..." gets rid of the debug message "Ignoring regex captures since "capture" action is not enabled." but the result is the exact same. I also use "SecCacheTransformations=Off" so that transformations aren't being cached.

The end of the debug log file shows (with some sanitation):

    [26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][4] Starting phase RESPONSE_BODY.
    [26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][9] This phase consists of 5 rule(s).
    [26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][4] Recipe: Invoking rule 80c3c28; [file "/etc/modsecurity/rulefile_fail-open-auth2.conf"] [line "268"] [id "8"].
    [26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][5] Rule 80c3c28: SecRule "RESPONSE_BODY" "@rx <!--[ \\r\\n\\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \\r\\n\\t]* -->" "phase:4,capture,ctl:auditLogParts=+E,log,deny,status:501,auditlog,msg:'HTML comment source code leakage',id:8,tag:LEAKAGE/SOURCE_CODE,severity:4"
    [26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][4] Transformation completed in 4 usec.
    [26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][4] Executing operator "rx" with param "<!--[ \\r\\n\\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \\r\\n\\t]* -->" against RESPONSE_BODY.
    [26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][9] Target value: "\r\n\r\n\r\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n\r\n<html xmlns="http://www.w3.org/1999/xhtml">\r\n<head>\r\n<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />\r\n<title>Sample Page</title>\r\n<link rel="stylesheet" href="css/draw.css" type="text/css" />\r\n<link rel="stylesheet" href="css/page1.css" type="text/css" />\r\n<link rel="stylesheet" href="css/menu.css" type="text/css" />\r\n<link rel="stylesheet" href="css/layers.css" type="text/css" />\r\n<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>\r\n<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>\r\n<script language="JavaScript1.2" src="javascript/pageNav.js" type="text/javascript"></script>\r\n<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>\r\n<script language="Java

And it stops there. This page below the output contains an HTML comment:

    <!-- Stop Instructions -->

I even added 'Instructions' to the rule to see if a one line HTML comment with a match worked, but it doesn't. Same result.

Can anybody help? I'm baffled. I'm using ModSecurity 2.5.1 with Apache 2.2 on Kubuntu 7.10.

Thanks in advance,
Stephen
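
An added offline harness (not part of the original post, and not ModSecurity code) that runs the posted pattern over constructed response bodies with Python's `re` module standing in for the rule engine, next to a two-step comment check. The `dotall` switch, the `leaky_comments` helper and the sample bodies are assumptions of this example; whether the rule engine lets `.` cross newlines is not stated in the post, so both settings are shown.

```python
import re

# Pattern exactly as posted in the rule above.
POSTED = r"<!--[ \r\n\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \r\n\t]* -->"

# Two-step alternative (this example's assumption, not from the post):
# isolate each comment lazily, then search only inside it, case-insensitively.
COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
KEYWORD = re.compile(r"admin|pwd|password", re.IGNORECASE)


def posted_rule_matches(body, dotall=False):
    """Run the posted pattern; `dotall` toggles whether '.' may cross newlines."""
    return re.search(POSTED, body, re.DOTALL if dotall else 0) is not None


def leaky_comments(body):
    """Return the text of every HTML comment that contains a keyword."""
    return [m.group(1).strip() for m in COMMENT.finditer(body)
            if KEYWORD.search(m.group(1))]


# Constructed response bodies; the first three comments are quoted from the post.
SAMPLES = {
    "todo":      "<html>\r\n<!-- TODO admin:adminpw -->\r\n</html>",
    "use_admin": "<!-- Use Admin to regenerate database -->",
    "benign":    "<p>x</p>\r\n<!-- Stop Instructions -->\r\n",
    "no_space":  "<!--admin:adminpw-->",
    "two_lines": "<!-- build notes\r\n  password: example -->",
    "spanning":  "<!-- Stop Instructions -->\r\n<p>Ask the admin desk</p>\r\n<!-- footer -->",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} posted={posted_rule_matches(body)!s:5} "
              f"posted_dotall={posted_rule_matches(body, dotall=True)!s:5} "
              f"two_step={leaky_comments(body)}")
```

In this harness the posted pattern misses a comment with no space before `-->` under either setting, and once `.` may cross newlines it matches from a benign comment through unrelated page text to a later ` -->`.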