Re: [mod-security-users] Nulls in post cause false negative (Bug?)
From: <sre...@g8...> - 2003-08-29 17:30:55
> I fixed it tonight. I checked, it is visible now via the
> anonymous CVS (sometimes it is up to a day late).
Ivan,
I downloaded version 1.25 of apache1/mod_security.c and tried it out,
using sample request that I'd used earlier:
use HTTP::Request::Common qw(POST);   # supplies POST()

my $request =
    POST($ARGV[0],
         [ a => "so much depends",
           b => "upon a red wheelbarrow",
           c => "glazed with rainwater",
           d => "beside the white \0 chickens" ]);   # \0 is the null byte (displayed as ^@)
Here's what I found.
SecFilterForceByteRange 32 126
Nailed the null byte in the POST data.
mod_security: Invalid character detected [0]
But
SecFilterForceByteRange 0 255
SecFilterSelective "POST_PAYLOAD" "chicken" "deny,log,status:501"
Did not match the "chicken" that followed the null.
I spent a little time stepping through with a debugger, and made a
small modification based on what I noticed (diffs at end of message).
With this patch, "chicken" after the \0 triggered a filter match:
mod_security: Access denied with code 501. Pattern match "chicken" at POST_PAYLOAD.
If the patch seems okay, please feel free to use it.
>> This is more of an RFE, but it would also be nice to allow arbitrary
>> binary data in keyword patterns. (Like "\177ELF" :).
>
> Did you try it? I've had no problem running regular expressions
> against binary files (with null characters removed). Maybe it
> already works.
I tried
SecFilterSelective "POST_PAYLOAD" "\177ELF" "deny,log,status:502"
SecFilterSelective "POST_PAYLOAD" "^?ELF" "deny,log,status:502"
# "^?" is a literal 0x7f
but no dice :(
Anyway, here's the patch to
* $Id: mod_security.c,v 1.25 2003/08/28 20:48:32 ivanr Exp $
------------------------------------------------------------------
*** mod_security.c.ORIG Fri Aug 29 12:58:38 2003
--- mod_security.c Fri Aug 29 12:59:31 2003
***************
*** 1052,1062 ****
// sec_debug_log(r, 3, "Before: %s", _post_payload);
_post_payload = normalise_uri(r, _post_payload, dcfg->range_start, dcfg->range_end, dcfg->check_encoding, dcfg->check_unicode_encoding);
// sec_debug_log(r, 3, "After: %s", _post_payload);
! } else {
! // remove binary content from the payload
! sec_debug_log(r, 3, "Removing null bytes from POST payload");
! _post_payload = remove_binary_content(r, _post_payload);
! }
if (_post_payload == NULL) {
return dcfg->action.status;
--- 1052,1062 ----
// sec_debug_log(r, 3, "Before: %s", _post_payload);
_post_payload = normalise_uri(r, _post_payload, dcfg->range_start, dcfg->range_end, dcfg->check_encoding, dcfg->check_unicode_encoding);
// sec_debug_log(r, 3, "After: %s", _post_payload);
! }
!
! // remove binary content from the payload
! sec_debug_log(r, 3, "Removing null bytes from POST payload");
! _post_payload = remove_binary_content(r, _post_payload);
if (_post_payload == NULL) {
return dcfg->action.status;
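Review bot: the NULL check is now out of order on the new side of this hunk: `_post_payload = normalise_uri(...)` feeds straight into `_post_payload = remove_binary_content(r, _post_payload);` and only afterwards does `if (_post_payload == NULL)` run, whereas before the patch a NULL from `normalise_uri()` returned `dcfg->action.status` without further use. Unless `remove_binary_content()` is known to tolerate a NULL argument, add the NULL test right after the closing `}` (before the debug log) and keep the existing one for the result of `remove_binary_content()`. It is also worth stating in the commit message that null bytes are now stripped even when `SecFilterForceByteRange` permits them (e.g. `0 255`), since that is the behaviour change that lets "chicken" after the null be matched.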
------------------------------------------------------------------
Hth.
--
Steve
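An added illustration of the false negative discussed in this message (example code written here, not mod_security's own): it assumes the miss happens because the POST payload is handled as a null-terminated C string, so a pattern after the null is never seen, and it models the patch's unconditional null-stripping with a small length-aware copy rather than mod_security's remove_binary_content(). The payload is constructed from the test request above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the body of the test request, with the null byte
 * (shown as ^@ in the message) sitting before "chickens". sizeof counts the
 * embedded null and the terminator, so subtract one for the payload length. */
static const char SAMPLE[] = "a=so+much+depends&d=beside+the+white+\0+chickens";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Naive check: strstr() stops at the first null, so anything after it is
 * invisible to the pattern. This is the false negative from the thread. */
int naive_match(const char *payload, const char *pattern) {
    return strstr(payload, pattern) != NULL;
}

/* Length-aware cleanup (assumed model of what the patch makes unconditional):
 * copy the payload into out, dropping null bytes, leaving one contiguous
 * C string. Returns the new length; out must hold len + 1 bytes. */
size_t strip_nulls(const char *payload, size_t len, char *out) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (payload[i] != '\0')
            out[n++] = payload[i];
    out[n] = '\0';
    return n;
}

/* Match after stripping nulls: the pattern now reaches "chickens".
 * Returns 1 on match, 0 on no match, -1 if the payload exceeds the buffer. */
int match_after_strip(const char *payload, size_t len, const char *pattern) {
    char buf[256];                      /* sized for the sample only */
    if (len >= sizeof buf) return -1;
    strip_nulls(payload, len, buf);
    return strstr(buf, pattern) != NULL;
}

int main(void) {
    printf("naive match:          %d\n", naive_match(SAMPLE, "chicken"));
    printf("match after stripping: %d\n",
           match_after_strip(SAMPLE, SAMPLE_LEN, "chicken"));
    return 0;
}
```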