Re: [mod-security-users] Problems with SecFilterSelective ARG_xxx
From: Ivan R. <iv...@we...> - 2005-10-07 08:34:40
WALRAVE Stephane wrote:
> Hi
> I use mod_security (1.8.7) with SecFilterScanPOST set to "on" to filter POST
> variables.
>
> ...
>
> Here is a basic configuration:
> ...
> SecFilterEngine On
> SecFilterDefaultAction "deny,log,status:403"
> SecFilterCheckURLEncoding On
> SecFilterForceByteRange 1 255
> SecAuditEngine RelevantOnly
> SecFilterDebugLog /var/log/apache2/modsec_debug_log
> SecFilterDebugLevel 2
> SecFilterScanPOST On
>
> <Location /app/login.cfm>
> #Check for POST method only
> SecFilterSelective REQUEST_METHOD !^POST$
> SecFilterSelective ARG_VAR1 !^value1$
> SecFilterSelective ARG_VAR2 !^value2$
> </Location>
> ...
>
> curl -d "VAR1=value1" http://site.com/app/login.cfm
> -> strange behavior: request accepted and the log is
>
> ...
>
> Does it mean that in the case of a missing variable the rule concerning this
> variable is just ignored?

In 1.8.x - yes. But I did not like that either so in 1.9.x if a variable is
missing the rule is applied to an empty string.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
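To make the two behaviours described in the reply concrete, the following is an added Python simulation (not part of the original thread and not mod_security code) of how the three negated SecFilterSelective rules from the configuration above evaluate a POST body under the 1.8.x semantics (rule skipped when the argument is absent) and the 1.9.x semantics (rule applied to an empty string). The rule list, the sample requests and the simplified regex handling are constructed for illustration; `evaluate()`, `collect_vars()` and `rule_fires()` are names chosen here, not mod_security identifiers.

```python
"""Simulate negated SecFilterSelective ARG_xxx rules against POST bodies.

Constructed example: models only the missing-variable semantics discussed in
the thread (1.8.x skips the rule, 1.9.x matches against ""), nothing else.
"""
import re
from urllib.parse import parse_qs

# Rules from the quoted <Location /app/login.cfm> block:
# (variable, regex, negated). A leading "!" in mod_security negates the match.
RULES = [
    ("REQUEST_METHOD", r"^POST$", True),
    ("ARG_VAR1", r"^value1$", True),
    ("ARG_VAR2", r"^value2$", True),
]


def collect_vars(method, body):
    """Build the variable table a SecFilterScanPOST-enabled engine would see."""
    request_vars = {"REQUEST_METHOD": method}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        request_vars["ARG_" + name] = values[0]  # first occurrence only
    return request_vars


def rule_fires(rule, request_vars, missing_as_empty):
    """Return True when the rule triggers the default action (deny)."""
    var, pattern, negated = rule
    if var not in request_vars:
        if not missing_as_empty:
            return False  # 1.8.x: absent variable, rule silently ignored
        value = ""        # 1.9.x: absent variable treated as empty string
    else:
        value = request_vars[var]
    matched = re.search(pattern, value) is not None
    # A negated rule fires when the pattern does NOT match, and vice versa.
    return matched != negated


def evaluate(method, body, version):
    """Return ("deny", variable) for the first firing rule, else ("allow", None).

    `version` is a (major, minor) tuple, e.g. (1, 8) or (1, 9).
    """
    missing_as_empty = version >= (1, 9)
    request_vars = collect_vars(method, body)
    for rule in RULES:
        if rule_fires(rule, request_vars, missing_as_empty):
            return "deny", rule[0]
    return "allow", None


if __name__ == "__main__":
    # Constructed sample requests, including the one from the thread.
    samples = [
        ("POST", "VAR1=value1"),               # the curl command in the thread
        ("POST", "VAR1=value1&VAR2=value2"),   # fully compliant request
        ("POST", ""),                          # both variables omitted
        ("POST", "VAR1=other&VAR2=value2"),    # wrong value, variable present
        ("GET", ""),                           # wrong method
    ]
    for version in ((1, 8), (1, 9)):
        print(f"--- mod_security {version[0]}.{version[1]}.x semantics ---")
        for method, body in samples:
            verdict, var = evaluate(method, body, version)
            print(f"{method:4} {body or '<empty>':28} -> {verdict}"
                  + (f" ({var})" if var else ""))
```

Under the 1.8.x mode the request from the thread, and even a POST with no variables at all, passes all three negated rules because each missing ARG_xxx rule is skipped; under the 1.9.x mode the empty string fails `^value1$` / `^value2$` and the request is denied, which is the behaviour the reply describes.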