Re: [mod-security-users] args ignored in POST - filter question
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] args ignored in POST - filter question
|
From: Brian R. <Bri...@br...> - 2008-07-02 15:08:21
|
Your config looks fine. What is the full request you are sending?
ModSecurity only handles these types:
application/x-www-form-urlencoded
multipart/form-data
-B
Kam...@bd... wrote:
> Hi Stephen,
>
> I tried the debug level 9 before I wrote the question. But I found
> nothing suspiciou in logs. I tried to google today and I found a log
> that contains the following lines:
>
> Adding request argument (BODY): name "FirstName", value "asdfasfd"
> [/index.php/contact.process/]
> Adding request argument (BODY): name "LastName", value
>
> My log contains only lines of type
>
> Adding request argument (QUERY_STRING): name "Cmd" ...
>
> The problem is probably that it does not read the body part of the
> request. I have the line 'SecRequestBodyAccess On' in my config file
> (Christian's remark), I tried to experiment with the phases,
> but without success. Maybe the problem is in other part of my apache
> settings. Can you send me your minimal config that works with argument
> send in POST body?
>
> Thank you
>
> Kamil
>
>
>
>
>> -----Original Message-----
>> From: Stephen Craig Evans [mailto:ste...@gm...]
>> Sent: Tuesday, July 01, 2008 6:02 PM
>> To: Golombek Kamil | BDO IT a.s.
>> Cc: mod...@li...
>> Subject: Re: [mod-security-users] args ignored in POST -
>> filter question
>>
>> Hi Kamil,
>>
>> The best way to solve your problem is to enable debugging, crank it up
>> to top level:
>> SecDebugLog /etc/modsecurity/logs/modsec_debug.log
>> SecDebugLogLevel 9
>>
>> Go to the page that's causing the problem.
>> Restart Apache.
>> Clear your browser cache; reload the page.
>> Examine the debug file. It won't be very big. You'll see exactly
>> what's going on.
>>
>> Whenever debugging, it's best to have only the minimal amount in the
>> debug file as it can get large quickly. In Linux, just erase the debug
>> log file ('rm -f ...') and create a new blank one ('touch ...'), then
>> restart Apache and reproduce the problem.
>>
>> Stephen
>>
>> On Tue, Jul 1, 2008 at 10:28 PM, <Kam...@bd...> wrote:
>> > Hi,
>> > I have modsecurity 2.2.5 with apache 2.2.3 in reverse proxy setup. I
>> > can create rules for arguments passed directly in URL but
>> my rules are
>> > not triggered by argument sent by post.
>> >
>> > The following rules works well for URL in format
>> > https://server.com/path_to_file/file.with.dots sent by
>> GET/POST methods
>> > with argument, ie.
>> > https://server.com/path_to_file/file.with.dots?lng=foo.
>> > But once I send the argument in body of request, it is not
>> detected on
>> > server. I tried to play with phase:1, phase:2 in rules but
>> I it gave the
>> >
>> > same result. I tried also REQUEST_BODY without success. It seems my
>> > proxy ignore the body of the request. What do I wrong?
>> >
>> > Thanks
>> >
>> > Kamil
>> >
>> >
>> > My config:
>> > ----------------
>> > ProxyRequests Off
>> >
>> > <Proxy *>
>> > Order deny,allow
>> > Allow from all
>> > </Proxy>
>> >
>> > ProxyPreserveHost on
>> > ProxyPass /path123/ http://127.0.0.3:8080/path123/
>> >
>> > SecRuleEngine On
>> > SecRequestBodyAccess On
>> > SecResponseBodyAccess Off
>> > SecRequestBodyInMemoryLimit 131072
>> > SecRequestBodyLimit 131072
>> >
>> > SecDefaultAction "phase:2,log,auditlog,deny,status:500"
>> >
>> > SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
>> > "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments
>> > ARGS_NAMES=%{ARGS_NAMES}'"
>> > SecRule ARGS_NAMES "!^(call|page|session)$"
>> >
>> > SecRule REQUEST_FILENAME "^/path_to_file/file\.with\.dots" \
>> > "chain,pass,log,auditlog,id:12344001,msg:'Unknown arguments
>> > ARGS_NAMES=%{ARGS_NAMES}'"
>> > SecRule ARGS:lng "!^(cz|en)$"
>> >
>> >
>> --------------------------------------------------------------
>> -----------
>> > Check out the new SourceForge.net Marketplace.
>> > It's the best place to buy or sell services for
>> > just about anything Open Source.
>> > http://sourceforge.net/services/buy/index.php
>> > _______________________________________________
>> > mod-security-users mailing list
>> > mod...@li...
>> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> >
>>
>
> -------------------------------------------------------------------------
> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> Studies have shown that voting for your favorite open source project,
> along with a healthy diet, reduces your potential for chronic lameness
> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
--
Brian Rectanus
Breach Security
|
