Re: [mod-security-users] I get requests like:
From: Tom A. <tan...@oa...> - 2006-03-20 17:00:19
Sub Zero wrote:
>>>Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>>>ARG("PHPSESSID")
>>>
>>>How do I add ; to the argument separators?
>>
>>Put in the character set "!^[0-9a-f;]*$"
>
>
> Is this an internal bug of mod_security? Can't I define ; as an argument
> separator like &?
>
> Tom, you can see that adding ; to the character set will not fix those issues
> (because of other parameters in the URL like board=10.0 or topic=9.new or
> etc) but open more PHPSESSID security vulnerabilities. I also do not want
> to extend a-f to another character set...
I see. I hadn't realized semicolons were valid separators. It would
seem that the mod_security argument parsing needs to be modified, as
semicolons appear to be RFC-compliant and W3C-recommended separators.
http://www.freesoft.org/CIE/RFC/1808/index.htm
http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2
http://www.w3.org/QA/2005/04/php-session
Tom
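
The parsing mismatch discussed in this thread, as an added example that is not part of the original message and is not mod_security's own code. The function names and the sample query are constructed for illustration; only the two patterns and the parameter names `PHPSESSID`, `board` and `topic` come from the thread.

```python
import re

# Patterns quoted in the thread. The rule denies when the value does NOT match.
STRICT = r"[0-9a-f]*"    # original rule: "!^[0-9a-f]*$"
WIDENED = r"[0-9a-f;]*"  # suggested workaround: "!^[0-9a-f;]*$"

# Constructed sample query string using ';' as the argument separator.
SAMPLE = "PHPSESSID=0123456789abcdef0123456789abcdef;board=10.0;topic=9.new"


def parse_args(query, separators="&"):
    """Split a query string into (name, value) pairs on the given separators."""
    pairs = []
    for chunk in re.split("[" + re.escape(separators) + "]", query):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs


def check_phpsessid(query, separators="&", pattern=STRICT):
    """Return (allowed, value_seen) for the PHPSESSID rule.

    value_seen is what the filter believes the session id is, which
    depends entirely on which separators the parser recognises.
    """
    for name, value in parse_args(query, separators):
        if name == "PHPSESSID":
            return re.fullmatch(pattern, value) is not None, value
    return True, None  # no PHPSESSID argument, rule does not fire


if __name__ == "__main__":
    # Parser splits on '&' only: the whole tail is treated as the session id.
    print(check_phpsessid(SAMPLE, "&", STRICT))
    # Widening the character set still fails on 'board=10.0' etc.
    print(check_phpsessid(SAMPLE, "&", WIDENED))
    # Parser splits on '&' and ';': the strict rule sees only the hex id.
    print(check_phpsessid(SAMPLE, "&;", STRICT))
    # The widened set would also accept ';' inside a real session id value.
    print(check_phpsessid("PHPSESSID=ab;cd", "&", WIDENED))
```

With `;` recognised as a separator the strict rule passes without being loosened, while the widened character set both fails on the trailing parameters and accepts semicolons inside the session id itself.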