[mod-security-users] Problems with SecFilterSelective ARG_xxx
From: WALRAVE S. <st...@ti...> - 2005-10-07 08:23:14
Hi,

I use mod_security (1.8.7) with SecFilterScanPOST set to "on" to filter POST variables. Here is a basic configuration:

...
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecFilterDebugLog /var/log/apache2/modsec_debug_log
SecFilterDebugLevel 2
SecFilterScanPOST On

<Location /app/login.cfm>
    #Check for POST method only
    SecFilterSelective REQUEST_METHOD !^POST$
    SecFilterSelective ARG_VAR1 !^value1$
    SecFilterSelective ARG_VAR2 !^value2$
</Location>
...

I made some requests on the machine, using curl:

curl -d "VAR1=value1&VAR2=value2" http://site.com/app/login.cfm
-> correct behavior (request accepted)

curl -d "VAR1=value1&VAR2=foo" http://site.com/app/login.cfm
-> correct behavior (request denied)

curl -d "VAR1=value1" http://site.com/app/login.cfm
-> strange behavior: request accepted and the log is

[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_check_access, path=/app/login.cfm
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Parsing arguments...
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] read_post_payload: Added mod_security-note to 8420280
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Checking signature "!^POST$" at REQUEST_METHOD
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Checking signature "!^value1$" at ARG(VAR1)
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_pre: output filtering is off here
[07/Oct/2005:09:59:27 +0200] [che.cordis.lu/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_logger: start

Does it mean that in the case of a missing variable the rule concerning this variable is just ignored?

Thanks for your answer

Stephane Walrave
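The following is an added model of the rule evaluation the debug log above implies, not ModSecurity's own code or part of the original post: each negated ARG_xxx rule is only checked when that argument is present in the POST body, so a request that omits VAR2 is never tested against the VAR2 rule. The `required_args` parameter is an assumption added for the example to show the explicit presence check that closes this fail-open gap; it is not a mod_security 1.8.7 directive.

```python
import re
from urllib.parse import parse_qs

# Rules copied from the post's <Location /app/login.cfm> block.
RULES = [
    ("REQUEST_METHOD", "!^POST$"),
    ("ARG_VAR1", "!^value1$"),
    ("ARG_VAR2", "!^value2$"),
]


def rule_fires(pattern, value):
    """A leading '!' negates the regex: the rule fires when the value does NOT match."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, value) is not None
    return hit != negate


def evaluate(method, body, rules=RULES, required_args=()):
    """Return 'deny' or 'accept' for a request, mirroring the log's behaviour.

    An ARG_xxx target that is absent from the request is skipped, so a negated
    whitelist rule can never fire for a missing variable (fail-open).
    required_args is an assumed extra check, not a 1.8.7 feature: it denies
    the request when any listed variable is missing.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    args = {name: values[0] for name, values in parsed.items()}
    for target, pattern in rules:
        if target == "REQUEST_METHOD":
            value = method
        elif target.startswith("ARG_"):
            name = target[len("ARG_"):]
            if name not in args:
                continue  # no value to test: the rule is silently skipped
            value = args[name]
        else:
            raise ValueError(f"unsupported target {target}")
        if rule_fires(pattern, value):
            return "deny"
    for name in required_args:
        if name not in args:
            return "deny"  # the explicit presence check the rule set lacks
    return "accept"
```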