[mod-security-users] multipart/form-data
From: Rude Y. <ru...@ya...> - 2004-07-23 03:09:51
Greetings, mod_security gurus. I have a question about protecting a CGI that accepts file uploads.

I have a rule that I'm using to protect the various form variables:

    SecFilterSelective "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"

I also have a SecUploadApproveScript configured. This config is nice and tight - passes all the usual XSS/SQL/etc. tests.

The problem I'm running into is that, while the ARGS rule above works great for normal everyday input, it doesn't do so well for this one particular CGI (renamed in the log below to protect the guilty :-), which accepts file uploads. I get this:

    [22/Jul/2004:21:49:08 -0500] [patchy/sid#2b1908][rid#2d32d8][/worldsmostvulnerable.cgi] verify_uploaded_files: got result "100 ACCEPT /usr/local/patchy/logs/secuploaddir/20040722-214855-10.21.15.150-safefile"
    [22/Jul/2004:21:49:08 -0500] [patchy/sid#2b1908][rid#2d32d8][/worldsmostvulnerable.cgi] Checking signature "!^[A-Za-z0-9.&/?@_%=:;, -]*$" at VAR_ARGS
    [22/Jul/2004:21:49:08 -0500] [patchy/sid#2b1908][rid#2d32d8][/worldsmostvulnerable.cgi] Checking against "--curlCgdSGkLTecdCGgqD4iVTIEkN96p\x0d\x0aContent-Disposition: form-data; name=""FileItem""; filename=""safefile""\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aThis file contains nothing but plain text.\x0a\x0d\x0a--curlCgdSGkLTecdCGgqD4iVTIEkN96p--\x0d\x0a"
    [22/Jul/2004:21:49:08 -0500] [patchy/sid#2b1908][rid#2d32d8][/worldsmostvulnerable.cgi] Signature check returned 406

On the one hand, I think I may be able to set up a "skip" rule and try to outsmart mod_security when handling file uploads. However, that seems like a bad idea, as it might make me vulnerable to a different class of attacks (someone attaching a bogus file but providing valid inputs to the other form fields, which then wouldn't get checked by my ARGS filter).

What's the correct mod_security way to do this?

Thanks in advance.

Ru...@ya...
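The mismatch the log shows, as an added example (not code from the post or from mod_security): whitelisting the raw multipart body with the post's regex always fails, while parsing the body and whitelisting each ordinary field on its own still checks those fields and leaves the upload part to the approval script. It assumes a hypothetical ordinary field named `comment` alongside the logged `FileItem` part and uses Python's email parser as a stand-in for mod_security's multipart handling.

```python
import re
from email.parser import BytesParser
from email.policy import default

# Positive form of the whitelist in the post's SecFilterSelective rule. The rule itself is
# negated ("!^...$"), so a value is blocked exactly when this pattern does NOT match.
ALLOWED = re.compile(r"^[A-Za-z0-9.&/?@_%=:;, -]*$")
BOUNDARY = "curlCgdSGkLTecdCGgqD4iVTIEkN96p"  # the boundary seen in the post's debug log


def multipart_body(fields, file_data="This file contains nothing but plain text.\n"):
    """Constructed sample input: a multipart/form-data body shaped like the logged one,
    with `fields` as ordinary form fields plus the same 'FileItem' upload part."""
    out = ""
    for name, value in fields.items():
        out += f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
    out += (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="FileItem"; '
            f'filename="safefile"\r\nContent-Type: text/plain\r\n\r\n{file_data}\r\n')
    return (out + f"--{BOUNDARY}--\r\n").encode()


def raw_body_passes(body):
    """What the ARGS rule ends up doing on this request: whitelisting the raw body.
    Boundary lines, part headers and CRLFs are never in the allowed set, hence the 406."""
    return ALLOWED.match(body.decode("latin-1")) is not None


def parsed_fields_pass(body):
    """Parse the body first, then whitelist each ordinary field on its own. File parts are
    skipped here because their content is the job of SecUploadApproveScript, but the other
    fields are still checked, which is the gap a blanket 'skip' rule would open.
    Returns (all_ok, {field_name: ok}, [names of file parts])."""
    msg = BytesParser(policy=default).parsebytes(
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n".encode() + body)
    verdicts, file_parts = {}, []
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if part.get_filename() is not None:
            file_parts.append(name)
            continue
        verdicts[name] = ALLOWED.match(part.get_content()) is not None
    return all(verdicts.values()), verdicts, file_parts


if __name__ == "__main__":
    benign = multipart_body({"comment": "plain text, nothing special"})
    hostile = multipart_body({"comment": "<script>alert(1)</script>"})
    print("raw body whitelisted:", raw_body_passes(benign))  # False: the 406 from the log
    print("benign fields:", parsed_fields_pass(benign))      # (True, {'comment': True}, ['FileItem'])
    print("hostile fields:", parsed_fields_pass(hostile))    # (False, {'comment': False}, ['FileItem'])
```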