Re: [mod-security-users] QUERY_STRING parsing error with some clients
Brought to you by:
victorhora,
zimmerletw
From: Ivan R. <iva...@gm...> - 2011-04-13 20:20:33
|
If you end up changing the source code, what you're looking for is parse_arguments() in msc_parsers.c Once a separator is identified and assuming the separator is & (because it can be changed), you need to do a forward looking scan to see if the following characters are "amp;". If so, you need to skip over them. There may be other places, just search for "argument_separator" to see where it is references. The above should be a configuration parameter, so that it can be active only when needed. On Wed, Apr 13, 2011 at 8:48 PM, Jonathan Marcil <jon...@ph...> wrote: > On 11-04-13 12:50 PM, Ivan Ristic wrote: >> On Tue, Apr 12, 2011 at 10:55 PM, Jonathan Marcil >> <jon...@ph...> wrote: >>> Hi everyone, >>> >>> on my Linux/Apache webserver, I get some requests with & of this form : >>> "GET /mypath?myparam1=A&myparam2=B HTTP/1.1" >>> >>> I know that the request is malformed and the clients are the problem, >>> but Apache is responding correctly to the request. >> >> Apache does not normally parse query string parameters (although you >> may have a configuration that does). >> >> The real question here is, does the target application treat "&" >> as "&". If it does not, then ModSecurity is not in error either. If it >> does, then ModSecurity may need to be expanded to handle that case. >> > Yes it does. > > My goal is to protect the application not changing its behavior. Also, I > have tested it in RAW HTTP (telnet, not by using the browser). > > But I do think that the odd behavior is from my application only. If > it's the only way possible, I'll look into ModSecurity source code to > see if I could fix it easily. > > If anyone have the same problem with their applications send me an email > and I'll gladly share any informations or patches. > > Thanks > >> >>> ModSecurity is parsing this with "amp;myparam" being the name of the >>> parameter. I saw that from a debug output : >>> Adding request argument (QUERY_STRING): name "amp;myparam2", value "B" >>> >>> I've tried some modsecurity configurations, mostly htmlEntityDecode in >>> phase 1 and 2 without any luck. In fact I'm not sure if I can apply a >>> global transformation at this level that will stick for the QUERY_STRING >>> parsing. >>> >>> I have a workaround that is to write my rules two times : with ARGS and >>> the QUERY_STRING directly. But this is impractical and is currently >>> making me crazy. >>> >>> Someone have a solution? >>> >>> Thanks, >>> >>> - Jonathan >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Forrester Wave Report - Recovery time is now measured in hours and minutes >>> not days. Key insights are discussed in the 2010 Forrester Wave Report as >>> part of an in-depth evaluation of disaster recovery service providers. >>> Forrester found the best-in-class provider in terms of services and vision. >>> Read this report now! http://p.sf.net/sfu/ibm-webcastpromo >>> _______________________________________________ >>> mod-security-users mailing list >>> mod...@li... >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users >>> ModSecurity Services from Trustwave's SpiderLabs: >>> https://www.trustwave.com/spiderLabs.php >>> >> >> >> > -- Ivan Ristić |