Re: [mod-security-users] Nulls in post cause false negative (Bug?)
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Nulls in post cause false negative (Bug?)
|
From: Ivan R. <iv...@we...> - 2003-09-02 16:11:56
|
sre...@g8... wrote:
> I spent a little time stepping through with a debugger, and made a
> small modification based on what I noticed (diffs at end of message).
> With this patch, "chicken" after the \0 triggered a filter match:
>
> mod_security: Access denied with code 501. Pattern match "chicken" at POST_PAYLOAD.
>
> If the patch seems okay, please feel free to use it.
It works, but not completely. For example, it would not catch
this:
GET /cgi-bin/modsec-test.pl?p=dummy%00chicken
with a filter
SecFilterSelective ARG_p chicken
(assuming the range allowed is 0-255)
To fight this, I will add a piece of code to the URL decoding
function to automatically convert null bytes %00 to a space. That
will work in all cases.
>>>This is more of an RFE, but it would also be nice to allow arbitrary
>>>binary data in keyword patterns. (Like "\177ELF" :).
>>
>> Did you try it? I've had no problem running regular expressions
>> against binary files (with null characters removed). Maybe it
>> already works.
>
>
> I tried
>
> SecFilterSelective "POST_PAYLOAD" "\177ELF" "deny,log,status:502"
> SecFilterSelective "POST_PAYLOAD" "^?ELF" "deny,log,status:502"
> # "^?" is a literal 0x7f
>
> but no dice :(
OK, I've added it to my TODO list.
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
