Hi,
while trying to reverse proxy a commercial application (CA Service Desk),
I found there are two types of argument separator :(. The standard `&', but
more often `+' (maybe it is ` ' (space) URL-encoded into `+', I don't
know the order). I have mod-security 2.7.4 with SecArgumentSeparator per
directory, but this can't help with `&' and `+' together. Right?

Example requests:
GET /CAisd/pdmweb.exe?SID=1822136850+FID=20+OP=DISPLAY_FORM+HTMPL=role_main.htmpl+prop.role_menubar=menubar_sd.htmpl HTTP/1.1
GET /CAisd/pdmweb.exe?OP=REFRESH_SCOREBOARD+SID=1822136850+FID=5678+TGT=scoreboard+TS=1372230732+BKGD=1 HTTP/1.1
GET /CAisd/pdmweb.exe?JEDIT=1&SID=1825506085&FID=909206676&OP=UPDATE&FACTORY=cr&SET.id=475464&SET.tenant=05C57EBF48B44F49BA4FD059ED0C611D&HTMPL=show_main_detail.htmpl&KEEP.IsModified=1&SET.alg.type=TR&SET.escalate_priority=1&SET.man_imp=-1&SET.man_urg=-1&SET.view_type=0&assignee_combo_name=Ovs%C3%ADk%2C%20V%C3%A1clav%20&SET.assignee=78285DC76082E8489DC9CB5569385579&group_combo_name=IIT-UNIX%2C%2C&SET.group=3782BB1E886E074CB6062BD2193EF922&SET.alg.time_spent=&SET.alg.time_stamp=06%2F26%2F2013%2011%3A26%20am&SET.alg.time_stamp_INT_DATE=1372238760&SET.alg.internal=0&CBX.alg.internal=No&imgBtn3_button=&SET.alg.description=zito...prevadim%20to%20na%20sebe... HTTP/1.1

Any idea how to cope with this and the standard CRS?
Regards
--
Zito
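
Added example, not part of the original post: a simplified Python model of single-separator argument parsing, run over query strings from the requests above (the third one shortened), to show what the rules would see for each SecArgumentSeparator choice. The split-then-decode order is an assumption and not ModSecurity's source code; `parse_args`, `names` and `report` are illustrative names.

```python
from urllib.parse import unquote_plus

# Query strings from the example requests in the post (the third one shortened).
PLUS_STYLE = ("SID=1822136850+FID=20+OP=DISPLAY_FORM+HTMPL=role_main.htmpl"
              "+prop.role_menubar=menubar_sd.htmpl")
AMP_STYLE = ("JEDIT=1&SID=1825506085&FID=909206676&OP=UPDATE&FACTORY=cr"
             "&group_combo_name=IIT-UNIX%2C%2C")


def parse_args(query, separator):
    """Simplified model (assumption): split on ONE separator character,
    split each piece at its first '=', then URL-decode name and value
    ('+' decodes to a space)."""
    args = []
    for piece in query.split(separator):
        if not piece:
            continue
        name, _, value = piece.partition("=")
        args.append((unquote_plus(name), unquote_plus(value)))
    return args


def names(query, separator):
    """Argument names as seen with the given separator."""
    return [name for name, _ in parse_args(query, separator)]


def report(query):
    """Print how the same query string parses under each separator."""
    for sep in ("&", "+"):
        parsed = parse_args(query, sep)
        print(f"separator {sep!r}: {len(parsed)} argument(s)")
        for name, value in parsed:
            print(f"    {name!r} = {value!r}")


if __name__ == "__main__":
    for q in (PLUS_STYLE, AMP_STYLE):
        print(q[:60] + "...")
        report(q)
```

With `&` the first request collapses into a single `SID` argument whose value carries all the other parameters; with `+` the third request collapses into a single `JEDIT` argument in the same way.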