Re: [mod-security-users] I get requests like:
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] I get requests like:
|
From: Terry D. <tdo...@na...> - 2006-03-20 18:07:25
|
Tom Anderson wrote: > I see. I hadn't realized semicolons were valid separators. It would > seem that the mod_security argument parsing needs to be modified, as > semicolons appear to be RFC-compliant and W3C-recommended separators. > > http://www.freesoft.org/CIE/RFC/1808/index.htm > http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2 > http://www.w3.org/QA/2005/04/php-session I was reading much the same docs prior to posting a "Why are you using a ; as a query separator?" response... The SGML encoding headache is a fair point. Storing the text "&" inside, for instance, an XML file that is parsed and then displayed in a browser can leave you having to double escape it as "&amp;amp;". (I believe there are several support groups who help people recover from this sort of trauma) 1.9.2 seems to hardcode the "&" character in a couple of places. (is the separator normalised at some point?) Is it possible to defer to an outside authority for the accepted separator characters by the time mod_sec has hold of the query? If it's possible to alternate between characters in a single request, I imagine that this could be used to evade certain rules in much the same way as the v0/v1 cookie parsing pitfall: scripts/script.php?first=1&second=2;payload=evilcode&third=3... Terry. > Tom > > > > ------------------------------------------------------- > This SF.Net email is sponsored by xPML, a groundbreaking scripting language > that extends applications into web and mobile media. Attend the live > webcast > and join the prime developer group breaking into this new coding territory! > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > |
