Re: [mod-security-users] args ignored in POST - filter question
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] args ignored in POST - filter question
|
From: <Kam...@bd...> - 2008-07-02 09:39:22
|
Hi Stephen,
I tried the debug level 9 before I wrote the question. But I found
nothing suspiciou in logs. I tried to google today and I found a log
that contains the following lines:
Adding request argument (BODY): name "FirstName", value "asdfasfd"
[/index.php/contact.process/]
Adding request argument (BODY): name "LastName", value
My log contains only lines of type
Adding request argument (QUERY_STRING): name "Cmd" ...
The problem is probably that it does not read the body part of the
request. I have the line 'SecRequestBodyAccess On' in my config file
(Christian's remark), I tried to experiment with the phases,
but without success. Maybe the problem is in other part of my apache
settings. Can you send me your minimal config that works with argument
send in POST body?
Thank you
Kamil
> -----Original Message-----
> From: Stephen Craig Evans [mailto:ste...@gm...]
> Sent: Tuesday, July 01, 2008 6:02 PM
> To: Golombek Kamil | BDO IT a.s.
> Cc: mod...@li...
> Subject: Re: [mod-security-users] args ignored in POST -
> filter question
>
> Hi Kamil,
>
> The best way to solve your problem is to enable debugging, crank it up
> to top level:
> SecDebugLog /etc/modsecurity/logs/modsec_debug.log
> SecDebugLogLevel 9
>
> Go to the page that's causing the problem.
> Restart Apache.
> Clear your browser cache; reload the page.
> Examine the debug file. It won't be very big. You'll see exactly
> what's going on.
>
> Whenever debugging, it's best to have only the minimal amount in the
> debug file as it can get large quickly. In Linux, just erase the debug
> log file ('rm -f ...') and create a new blank one ('touch ...'), then
> restart Apache and reproduce the problem.
>
> Stephen
>
> On Tue, Jul 1, 2008 at 10:28 PM, <Kam...@bd...> wrote:
> > Hi,
> > I have modsecurity 2.2.5 with apache 2.2.3 in reverse proxy setup. I
> > can create rules for arguments passed directly in URL but
> my rules are
> > not triggered by argument sent by post.
> >
> > The following rules works well for URL in format
> > https://server.com/path_to_file/file.with.dots sent by
> GET/POST methods
> > with argument, ie.
> > https://server.com/path_to_file/file.with.dots?lng=foo.
> > But once I send the argument in body of request, it is not
> detected on
> > server. I tried to play with phase:1, phase:2 in rules but
> I it gave the
> >
> > same result. I tried also REQUEST_BODY without success. It seems my
> > proxy ignore the body of the request. What do I wrong?
> >
> > Thanks
> >
> > Kamil
> >
> >
> > My config:
> > ----------------
> > ProxyRequests Off
> >
> > <Proxy *>
> > Order deny,allow
> > Allow from all
> > </Proxy>
> >
> > ProxyPreserveHost on
> > ProxyPass /path123/ http://127.0.0.3:8080/path123/
> >
> > SecRuleEngine On
> > SecRequestBodyAccess On
> > SecResponseBodyAccess Off
> > SecRequestBodyInMemoryLimit 131072
> > SecRequestBodyLimit 131072
> >
> > SecDefaultAction "phase:2,log,auditlog,deny,status:500"
> >
> > SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
> > "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments
> > ARGS_NAMES=%{ARGS_NAMES}'"
> > SecRule ARGS_NAMES "!^(call|page|session)$"
> >
> > SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
> > "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments
> > ARGS_NAMES=%{ARGS_NAMES}'"
> > SecRule ARGS:lng "!^(cz|en)$"
> >
> >
> --------------------------------------------------------------
> -----------
> > Check out the new SourceForge.net Marketplace.
> > It's the best place to buy or sell services for
> > just about anything Open Source.
> > http://sourceforge.net/services/buy/index.php
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >
>
|
