Re: [mod-security-users] mod_security enhancement idea
From: Ryan B. <rcb...@gm...> - 2006-04-12 00:24:29
On 4/11/06, joe barbish <joe...@ya...> wrote:
> No Ryan that did not work. debug log shows this
>
> Checking signature "^/mls_fsbo_logon.php$" at REQUEST_URI
> Checking against "/mls_fsbo_logon.php"
> Signature check returned 403
> Chained rule with match, continue in the loop
> Checking against "id=jones1&pw=bob888&userdigit=vmiis&submit=Submit"
>
Ahh... the line above helps. It shows what the expected format of the
POST_PAYLOAD is.
> Signature check returned 404
> Access denied with code 404. Pattern match
> "!^(id|pw|userdigit)=[0-9a-z]$" at POST_PAYLOAD.
> Rule match, returning code 404
>
> Im thinking this may work
>
> SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
> SecFilterSelective POST_PAYLOAD "^(id|pw|userdigit)=[0-9a-z]$" allow
>
> Notice no ! and allow added at end
>
> What do you think?
>
This should work (including size restrictions of the values to 20 characters
or less) -
SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
SecFilterSelective POST_PAYLOAD "^id=[0-9a-z]{1,20}&pw=[0-9a-z]{1,20}&userdigit=[0-9a-z]{1,20}&submit=Submit$" allow
See if this works. You can test it by submitting data other than letters or
numbers and also input > 20 characters. These should be blocked.
- Ryan
>
>
>
>
> *Ryan Barnett <rcb...@gm...>* wrote:
>
> On 4/11/06, joe barbish <joe...@ya...> wrote:
> >
> >
> > So question is the following code correct.
> >
> > SecFilterSelective REQUEST_URI "^/mls_fsbo_signup.php$" allow plus
> > SecFilterSelective POST_PAYLOAD "(^id=[0-9a-z]$)" allow
> > plus
> > SecFilterSelective POST_PAYLOAD "(^pw=[0-9a-z]$)" allow
> > plus
> > SecFilterSelective POST_PAYLOAD "(^userdigit=[0-9a-z]$)" allow
> >
> >
>
> "plus" is not a valid mod_security action. I would suggest that you use
> this directive -
>
> SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
> SecFilterSelective POST_PAYLOAD "!^(id|pw|userdigit)=[0-9a-z]$"
>
>
> This should work. Test it out and let me know.
>
> -Ryan
>
>
> >
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
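Added example (not from the thread or from mod_security itself): a small Python model of the two chained rules discussed above, checking the whitelist pattern for the logon POST against sample payloads. It assumes Python's `re` stands in for mod_security's regex engine and writes the per-value length bound as `{1,20}` (1 to 20 characters); `deny_chain` models the earlier negated variant that returned 404 in the debug log.

```python
import re

# Whitelist from the thread, with each value bounded to 1..20 characters
# ({1,20}), i.e. "20 characters or less" as the mail intends.
LOGON_URI = re.compile(r"^/mls_fsbo_logon\.php$")
LOGON_PAYLOAD = re.compile(
    r"^id=[0-9a-z]{1,20}&pw=[0-9a-z]{1,20}"
    r"&userdigit=[0-9a-z]{1,20}&submit=Submit$"
)


def allow_chain(uri: str, payload: str) -> str:
    """Model of the two chained rules ending in 'allow'.

    Returns "allow" when both links match, otherwise "no-match": the chain
    does not fire and processing simply continues with later rules, so a
    non-matching payload is NOT denied by this chain on its own.
    """
    if LOGON_URI.search(uri) and LOGON_PAYLOAD.search(payload):
        return "allow"
    return "no-match"


def deny_chain(uri: str, payload: str) -> str:
    """Model of the negated variant: same URI, and a payload that fails the
    whitelist is denied with 404 (the code seen in the debug log)."""
    if LOGON_URI.search(uri) and not LOGON_PAYLOAD.search(payload):
        return "deny 404"
    return "no-match"


# Sample payloads: the first is the one from the debug log in the thread,
# the rest are constructed here to probe the edges of the whitelist.
SAMPLES = {
    "valid": "id=jones1&pw=bob888&userdigit=vmiis&submit=Submit",
    "too_long": "id=" + "a" * 21 + "&pw=bob888&userdigit=vmiis&submit=Submit",
    "bad_char": "id=jones1&pw=bob'888&userdigit=vmiis&submit=Submit",
    "extra_param": "id=jones1&pw=bob888&userdigit=vmiis&submit=Submit&x=1",
}


def run_samples(uri: str = "/mls_fsbo_logon.php") -> dict:
    """Evaluate every sample under both rule variants."""
    return {name: (allow_chain(uri, p), deny_chain(uri, p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(f"{name:12s} allow-chain={verdicts[0]:9s} deny-chain={verdicts[1]}")
```

Note that the `allow` chain on its own only whitelists; a payload outside the pattern is not denied unless another rule (or the default action) catches it.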