[Mod-security-developers] [JIRA] Resolved: (MODSEC-281) the logdata action cuts of long data without closing the message with a "]

[Breno S. P. (JIRA) <no...@mo...>]

     [ https://www.modsecurity.org/tracker/browse/MODSEC-281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-281.
--------------------------------------

    Resolution: Fixed

> the logdata action cuts of long data without closing the message with a "]
> --------------------------------------------------------------------------
>
>                 Key: MODSEC-281
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-281
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Actions
>    Affects Versions: 2.6.3
>            Reporter: Jamuse
>            Assignee: Breno Silva Pinto
>             Fix For: 2.6.4
>
>
> The logdata action cuts off matched text at an "undocumented"? point. When the message is cut off due to its length, ModSecurity does not append an double-quote square-bracket to close the section, which makes it difficult to parse. The following snippit demonstrates the issue, notice there is no closing quote or bracket after the the work "amenit" on the second to last line below:
> --951ef57e-H--
> Message: Access denied with code 403 (phase 2). Pattern match "(?i:(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+and\\s*=\\W)|(?:\\(\\s*select\\s*\\w+\\s*\\()|(?:\\*\\/from)|(?:\\+\\s*\\d+\\s*\\+\\s*@)|(?:\\w(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*(?:[-+=|@]+\\s*)+[\\d(])|(?:coalesce\\s*\\(|@@\\w+\\s*[^ ..." at ARGS:ctl00$ctl00$SpecContent$memberEnquiries_4$txtComments. [file "/opt/modsecurity/etc/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "561"] [id "981249"] [msg "Detects chained SQL injection attempts 2/2"] [data " case you are interested in 100 percent free passes for your self, and also partner prices, and upgrades \x0d\x0a \x0d\x0aThrough Exactly how much consumer credit rating you need towards the scholarships you\xe2\x80\x99re concerned inOff-site airport parking is often a bonus with regard to travelers. Usually many demonstrate to be much less expensive compared to airport parking tons jog by way of international airports and internet based bargains and also other amenit
> Action: Intercepted (phase 2)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira