|
From: Sander H. - O. X. <in...@or...> - 2005-08-05 17:48:00
|
mod...@go... wrote: > I'm getting Access denied with code 406. Pattern match > "\|*\x20*\x20*\|" at THE_REQUEST > > THE_REQUEST is: > > GET > /billing/admin.php?op=form&db_table=tld_config&tile=tld_config > &from=&id=tld_ id|1 HTTP/1.1 > > Now, I see the pipe in there, but I see no spaces which is > what the rule is searching for: > > The rule: > > #Generic command line attack filter > SecFilterSelective THE_REQUEST "\|*\x20*\x20*\|" > > To me, this would be spelled out as > > \| (pipe) * (anything) \x20 (space) * (anything) \x20 > (space) * (anything) \| (pipe) Not entirely. It spells: Zero to infinite (pipe) Zero to infinite (space) Zero to infinite (space) (pipe) Which will match anything with a single pipe in. Therefore it also reads as: SecFilterSelective THE_REQUEST "\|" Use + instead of *. Kind regards, Sander Holthaus > > Am I correct in interpreting this? If so, that would mean > that there is a bug there because I don't see that in the > request line (just a single pipe). > I could just be overlooking something. > > -Bill > > > _______________________________________________ > Modsecurity mailing list > Mod...@go... > http://lists.gotroot.com/mailman/listinfo/modsecurity |
