Hi Ivan,
Thanks for your answer.
I tried again to set the "SecFilterCheckURLEncoding" to "Off or On" but the error still occurs.
The debug log (level 2) that is displayed is as follows:
Detection phase starting (request 366218): "GET /siteminderagent/pwcgi/smpwservicescgi.exe?SMENC=UTF-8&SMTOKEN={RC2}GuFcF7I/F5Sl03RqtNrPsMPlYiQZg/B1e2KFVDxfbVrnyC2MPyEDnDn1fDzHRadtrowaa0dtXRcvNGiN+cwPaCYlGkzRryxlqAMQ33n/JFc//j8GS51FTS31e00c0C0x4dszYnBMJfwIFO/TQ0vyWFW1RyszdoiTDAp8ZSwqgO0=&USERNAME=test_YM00&SMAUTHREASON=20&SMAGENTNAME=-SM-fshUMrkQm%2fB7%2bk8CAU%2fak459pCXPADL1l0bEfFr6ZGrq3HJ%2fv720ACDphqn4Rhzb&TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3fSMLOCALE=FR-FR HTTP/1.1"
[10/Apr/2006:10:58:20 +0200] [www.myserver.com/sid#115800][rid#366218][/siteminderagent/pwcgi/smpwservicescgi.exe][1] Access denied with code 403. Error normalising REQUEST_URI: Invalid character detected [0]
The modsec_log is as follows:
==0000763d==============================
Request: www.myserver.com 1.10.11.12 - - [10/Apr/2006:11:06:56 +0200] "GET /siteminderagent/pwcgi/smpwservicescgi.exe?SMENC=UTF-8&SMTOKEN={RC2}GuFcF7I/F5Sl03RqtNrPsMPlYiQZg/B1e2KFVDxfbVrnyC2MPyEDnDn1fDzHRadtrowaa0dtXRcvNGiN+cwPaCYlGkzRryxlqAMQ33n/JFc//j8GS51FTS31e00c0C0x4dszYnBMJfwIFO/TQ0vyWFW1RyszdoiTDAp8ZSwqgO0=&USERNAME=test_YM00&SMAUTHREASON=20&SMAGENTNAME=-SM-fshUMrkQm%2fB7%2bk8CAU%2fak459pCXPADL1l0bEfFr6ZGrq3HJ%2fv720ACDphqn4Rhzb&TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3fSMLOCALE=FR-FR HTTP/1.1" 403 2244 "https://www.myserver.com/siteminderagent/pwcgi/smpwservicescgi.exe?SMENC=UTF-8&SMTOKEN={RC2}GuFcF7I/F5Sl03RqtNrPsMPlYiQZg/B1e2KFVDxfbVrnyC2MPyEDnDn1fDzHRadtrowaa0dtXRcvNGiN+cwPaCYlGkzRryxlqAMQ33n/JFc//j8GS51FTS31e00c0C0x4dszYnBMJfwIFO/TQ0vyWFW1RyszdoiTDAp8ZSwqgO0=&USERNAME=test_YM00&SMAUTHREASON=20&SMAGENTNAME=-SM-fshUMrkQm%2fB7%2bk8CAU%2fak459pCXPADL1l0bEfFr6ZGrq3HJ%2fv720ACDphqn4Rhzb&TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3fSMLOCALE=FR-FR" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)" - "-"
----------------------------------------
GET /siteminderagent/pwcgi/smpwservicescgi.exe?SMENC=UTF-8&SMTOKEN={RC2}GuFcF7I/F5Sl03RqtNrPsMPlYiQZg/B1e2KFVDxfbVrnyC2MPyEDnDn1fDzHRadtrowaa0dtXRcvNGiN+cwPaCYlGkzRryxlqAMQ33n/JFc//j8GS51FTS31e00c0C0x4dszYnBMJfwIFO/TQ0vyWFW1RyszdoiTDAp8ZSwqgO0=&USERNAME=test_YM00&SMAUTHREASON=20&SMAGENTNAME=-SM-fshUMrkQm%2fB7%2bk8CAU%2fak459pCXPADL1l0bEfFr6ZGrq3HJ%2fv720ACDphqn4Rhzb&TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3fSMLOCALE=FR-FR HTTP/1.1
Accept: */*
Referer: https://www.myserver.com/siteminderagent/pwcgi/smpwservicescgi.exe?SMENC=UTF-8&SMTOKEN={RC2}GuFcF7I/F5Sl03RqtNrPsMPlYiQZg/B1e2KFVDxfbVrnyC2MPyEDnDn1fDzHRadtrowaa0dtXRcvNGiN+cwPaCYlGkzRryxlqAMQ33n/JFc//j8GS51FTS31e00c0C0x4dszYnBMJfwIFO/TQ0vyWFW1RyszdoiTDAp8ZSwqgO0=&USERNAME=test_YM00&SMAUTHREASON=20&SMAGENTNAME=-SM-fshUMrkQm%2fB7%2bk8CAU%2fak459pCXPADL1l0bEfFr6ZGrq3HJ%2fv720ACDphqn4Rhzb&TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3fSMLOCALE=FR-FR
Accept-Language: fr,en-gb;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.myserver.com
Connection: Keep-Alive
SM_TRANSACTIONID: c2ce165c-0650-443a2030-000e-074810c5
SM_SDOMAIN: .myserver.com
Location: /siteminderagent/pwcgi/smpwservicescgi.exe?SMENC=UTF-8&SMTOKEN={RC2}GuFcF7I/F5Sl03RqtNrPsMPlYiQZg/B1e2KFVDxfbVrnyC2MPyEDnDn1fDzHRadtrowaa0dtXRcvNGiN+cwPaCYlGkzRryxlqAMQ33n/JFc//j8GS51FTS31e00c0C0x4dszYnBMJfwIFO/TQ0vyWFW1RyszdoiTDAp8ZSwqgO0=&USERNAME=test_YM00&SMAUTHREASON=20&SMAGENTNAME=-SM-fshUMrkQm%2fB7%2bk8CAU%2fak459pCXPADL1l0bEfFr6ZGrq3HJ%2fv720ACDphqn4Rhzb&TARGET=-SM-https%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3
SM_REALM:
SM_REALMOID:
SM_AUTHTYPE: Not Protected
SM_USER:
SM_USERDN:
mod_security-message: Access denied with code 403. Error normalising REQUEST_URI: Invalid character detected [0]
mod_security-action: 403
It seems that the error is due to the invalid character "0", if I understand the log displayed. But why does my URL work fine when I change "%3f" to "?" ?!
I continue my investigation, but if you can help me I will be happy...
Regards,
Christophe
> Message of 07/04/06 at 18:41
> From: "Ivan Ristic" <iv...@we...>
> To: ze...@vo...
> Cc: mod...@li...
> Subject: Re: [mod-security-users] Access denied with code 403. Error normalising REQUEST_URI: Invalid URL encoding detected: not enough characters
>
> ze...@vo... wrote:
> > Hi,
> >
> > I face a big problem using Mod Security 1.9.2.
> >
> > My web server architecture uses Siteminder and I use this kind of URL to
> > change or modify password:
> >
> > https://www.myserver.com/siteminderagent/pwcgi/smpwservicescgi.exe
>
> The URL works fine for me.
>
> Are you sure you get the same result with "SecFilterCheckURLEncoding Off"?
>
>
> > ModSecurity logs as following:
>
> Can you get me the audit log entry for this problem?
>
>
> > [06/Apr/2006:17:45:06 +0200]
> > [www.myserver.com/sid#115800][rid#32ef88][/siteminderagent/pwcgi/smpwservicescgi.exe][1] Access denied with code 403. Error normalising REQUEST_URI:
> > Invalid URL encoding detected: not enough characters
>
> This message would typically appear when there's an % at the end
> of the URI but the two hexadecimal characters that need to follow it
> aren't.
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
> Apache Security (O'Reilly): http://www.apachesecurity.net
>
>
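
The two conditions named in the log messages of this thread, as an added example (not part of the original messages and not ModSecurity's code): a small Python diagnostic that reports where a URI has a truncated or malformed percent-escape, or a decoded byte outside an allowed range. The function name, the default range 1-255, the reading of the bracketed number as a byte value, and the sample strings (shortened from the headers in the audit log above) are assumptions made for the illustration.

```python
HEX_DIGITS = set(b"0123456789abcdefABCDEF")

def find_encoding_problems(uri: bytes, low: int = 1, high: int = 255):
    """Return (offset, description) for every percent-escape that is
    truncated or malformed, and for every byte (after decoding) that
    falls outside the inclusive range low..high."""
    problems = []
    i = 0
    while i < len(uri):
        byte, step = uri[i], 1
        if byte == ord("%"):
            pair = uri[i + 1:i + 3]
            if len(pair) < 2:
                # '%' with fewer than two characters left in the string
                problems.append((i, "not enough characters after %"))
                break
            if not set(pair) <= HEX_DIGITS:
                problems.append((i, "non-hex characters after %"))
                i += 1
                continue
            byte, step = int(pair, 16), 3
        if not low <= byte <= high:
            problems.append((i, f"byte value {byte} outside {low}-{high}"))
        i += step
    return problems

# Constructed samples, shortened from the request line and the
# Location header shown in the audit log (token parameters left out).
PREFIX = b"/siteminderagent/pwcgi/smpwservicescgi.exe?TARGET=-SM-https"
REQUEST_URI = PREFIX + b"%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3fSMLOCALE=FR-FR"
LOCATION_CUT = PREFIX + b"%3a%2f%2fwww%2emyserver%2ecom%2fURI%2fhome%2ehtml%3"
NUL_SAMPLE = b"/URI/home.html%00"  # constructed, not taken from the log

if __name__ == "__main__":
    for name, value in [("request", REQUEST_URI),
                        ("location", LOCATION_CUT),
                        ("nul", NUL_SAMPLE)]:
        print(name, find_encoding_problems(value))
```

Run over each header of an audit log entry, this shows which value (if any) ends in an incomplete escape, such as the Location header above that stops at `%3`.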