For the life of me I haven't been able to figure out what is wrong
with this request. Everything I have found relating to this rule involves
someone using a Content-Type that is not contained in
tx.allowed_request_content_type; as you will see, multipart/form-data
is allowed by default, and I can't see anything wrong with the request
itself.
Thank you in advance.
--ecacc00d-A--
[21/Mar/2010:23:31:30 --0400] S6bkjn8AAAEAADwtBrsAAAFX 1.1.1.1 2600
212.117.183.104 80
--ecacc00d-B--
POST /wakaba.pl HTTP/1.1
Host: bah.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US)
AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5
Referer: http://bah.net/rp/res/94023_abbr.html
Content-Length: 1159
Cache-Control: max-age=0
Origin: http://bah.net
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryO95RDcsUqi7YUukk
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: email=noko; password=bahhh; name=bahhhhhhhh; wakastyle=Futaba;
wakabastyle=Futaba
--ecacc00d-C--
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="board"
rp
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="task"
post
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="parent"
94023
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="name"
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="link"
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="field1"
bahhhhhhhh
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="email"
noko
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="subject"
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="comment"
>>94145
*I mixed the posts up x_x reverse order*
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="file"; filename=""
------WebKitFormBoundaryO95RDcsUqi7YUukk
Content-Disposition: form-data; name="password"
bahhh
------WebKitFormBoundaryO95RDcsUqi7YUukk--
--ecacc00d-F--
HTTP/1.1 303 Go West
Set-Cookie: email=noko; path=/; expires=Mon, 05-Apr-2010 03:31:30 GMT;
Set-Cookie: password=bahhh; path=/; expires=Mon, 05-Apr-2010 03:31:30 GMT;
Set-Cookie: name=bahhhhhhhh; path=/; expires=Mon, 05-Apr-2010 03:31:30 GMT;
Location: rp/res/94023_abbr.html
Cache-Control: max-age=60
Expires: Mon, 22 Mar 2010 03:32:26 GMT
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 76
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
--ecacc00d-E--
<html><body><a href="rp/res/94023_abbr.html">rp/res/94023_abbr.html</a></body></html>
--ecacc00d-H--
Message: Pattern match "^([^;\s]+)" at REQUEST_HEADERS:Content-Type.
[file "/etc/apache2/modules.d/mod_security/modsecurity_crs_30_http_policy.conf"]
[line "63"] [id "960010"] [msg "Request content type is not allowed by
policy"] [data "multipart/form-data;
boundary=----WebKitFormBoundaryO95RDcsUqi7YUukk"] [severity "WARNING"]
[tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Apache-Handler: fcgid-script
Stopwatch: 1269228686640491 3620089 (138882* 146825 3619174)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/);
core ruleset/2.0.5.
Server: Apache
--ecacc00d-K--
SecAction "phase:1,auditlog,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.critical_anomaly_score=20,setvar:tx.error_anomaly_score=15,setvar:tx.warning_anomaly_score=10,setvar:tx.notice_anomaly_score=5"
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.max_num_args=255"
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:'tx.allowed_methods=GET
HEAD POST OPTIONS',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded
multipart/form-data text/xml
application/xml',setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0
HTTP/1.1',setvar:'tx.restricted_extensions=.asa .asax .ascx .axd
.backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj
.csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key
.licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources
.resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd
.xsx',setvar:'tx.restricted_headers=Proxy-Connection Lock-Token
Content-Range Translate via if'"
SecRule "REQUEST_METHOD" "@rx ^POST$"
"phase:2,chain,rev:2.0.5,t:none,pass,nolog,auditlog,msg:'POST request
must have a Content-Length
header',id:960012,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,severity:4,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5"
SecRule "&TX:MAX_NUM_ARGS" "@eq 1"
"phase:2,chain,t:none,pass,nolog,auditlog,msg:'Too many arguments in
request',id:960335,severity:4,rev:2.0.5"
SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$"
"phase:2,chain,t:none,pass,nolog,auditlog,msg:'Request content type is
not allowed by policy',id:960010,tag:POLICY/ENCODING_NOT_ALLOWED,tag:WASCTC/WASC-20,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/EE2,tag:PCI/12.1,severity:4,logdata:%{matched_var}"
SecRule "REQUEST_HEADERS:Content-Type" "@rx ^([^;\\s]+)" "capture"
SecRule "REQUEST_BASENAME" "@rx \\.(.*)$"
"phase:2,chain,capture,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,auditlog,msg:'URL
file extension is restricted by
policy',severity:2,id:960035,tag:POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}"
SecRule "REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@pmFromFile
modsecurity_40_generic_attacks.data"
"phase:2,rev:2.0.5,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_SESSION_FIXATION"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_FILE_INJECTION"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_COMMAND_ACCESS"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_COMMAND_INJECTION"
SecRule "&TX:/SQL_INJECTION/" "@eq 0"
"phase:2,rev:2.0.5,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_XSS_CHECK"
--ecacc00d-Z--
|