[mod-security-users] Whitelisting nightmare...
From: rewt r. <re...@li...> - 2014-01-27 15:48:32
Dear All,

I have to urgently secure a web application. Unfortunately it is not working as expected :(

My problems are:

- ARGS variable names change; the only remaining part is "property", so I wanted to write something like .*property.* ...
- When I write a chained rule it works, but it whitelists the full URL instead of the ARGS only (for information, this ARG variable contains an SSL certificate which is considered as SQLi).

I have tried tons of possibilities:

This one fully whitelists the URL and does not consider the ARGS value (I have tried it in different orders: ARGS_NAME before, then REQUEST_URI -> not whitelisting at all)

SecRule REQUEST_URI "^/dir/mycgi.cgi.*" "phase:1,t:none,nolog,id:25,chain,pass,ctl:ruleEngine=off"
SecRule ARGS_NAMES .*property.* "t:none"

This one does the same:

SecRule REQUEST_URI "^/dir/mycgi.cgi" "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off"
# I tried to match BEGIN and END of certificate
SecRule ARGS:property_value_.* !BEGIN.*END.*$ "id:26,phase:2,t:none,redirect:https://site/blocked.html,msg:'MyAPP issue'"
SecRule ARGS:old_property_value_.* !BEGIN.*END.*$ "id:27,phase:2,t:none,redirect:https://site/blocked.html,msg:'MyAPP issue'"

# I also tried:
SecRule REQUEST_URI "^/dir/mycgi.cgi" "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off;ARGS:.*property.*

Syntax error on line 95 of /etc/httpd/conf.d/reverse-mycgi.conf:
Error parsing actions: Invalid setting for ctl name ruleEngine: off;ARGS:.*property.*

(ARGS_NAMES does the same)

Some help would be very much appreciated as I don't know what to do now :( I don't even find a way to fully whitelist this ARGS (with regular expression) inside my virtualhost.

Kind regards,
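An added example, not part of the original post and not ModSecurity configuration: a Python model of the per-parameter decision the post is after, where only parameters whose name contains "property" are exempted, and only when the value is a single well-formed PEM certificate, while every other parameter stays under normal inspection. The function names, verdict labels and sample data are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode

# Assumption from the post: names vary but always contain "property".
NAME_RE = re.compile(r"property")
# Strict PEM envelope: exactly one certificate, nothing before or after it.
PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)"
    r"\s*-----END CERTIFICATE-----\s*\Z"
)


def is_pem_certificate(value: str) -> bool:
    """True only for one PEM block whose body decodes to a DER SEQUENCE."""
    m = PEM_RE.match(value)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # bad alphabet or padding
        return False
    return len(der) > 2 and der[0] == 0x30  # 0x30 = ASN.1 SEQUENCE tag


def classify(query: str) -> dict:
    """Map each parameter name to 'exempt', 'reject' or 'inspect'."""
    verdicts = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not NAME_RE.search(name):
            verdicts[name] = "inspect"  # normal rule set still applies
        elif is_pem_certificate(value):
            verdicts[name] = "exempt"   # certificate: skip the SQLi checks
        else:
            verdicts[name] = "reject"   # "property" field without a certificate
    return verdicts


# Constructed sample data: a tiny DER SEQUENCE stands in for a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_QUERY = urlencode({
    "property_value_7": SAMPLE_PEM,
    "old_property_value_7": "BEGIN not a certificate END",  # loose BEGIN.*END would pass
    "comment": "hello",
})
```

Calling `classify(SAMPLE_QUERY)` exempts only the first parameter; the second is rejected even though it contains BEGIN and END, and `comment` is left for normal inspection.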