Re: [mod-security-users] mod_security enhancement idea
From: joe b. <joe...@ya...> - 2006-04-12 01:07:16
I changed the field lengths to their real size and the test worked.
SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
SecFilterSelective POST_PAYLOAD "^id=[0-9a-z]{15,}&pw=[0-9a-z]{15,}&userdigit=[0-9a-z]{5,}&submit=Submit$" allow
On my membership signup form I have 20 fields and I want to use the same coding format for them, i.e. using the chain and POST_PAYLOAD. Is there some way to code the POST_PAYLOAD statement to continue onto the next line so it would be easy to read 20 fields? Something like this:
SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
SecFilterSelective POST_PAYLOAD "^id=[0-9a-z]{15,}
&pw=[0-9a-z]{15,}
&userdigit=[0-9a-z]{5,}&submit=Submit$" allow
In my PHP code to process the signup form I have these edits:
elseif (!ereg("^([[:alnum:]\.\_\-]+)(\@[[:alnum:]\.\-]+\.+)", $email))
elseif (!ereg("^[[:alnum:]\ \-]{{$len}}$", $addr1))
(!ereg("^[[:digit:]\-]{{$len}}$", $phone_cell)))
How would I code the POST_PAYLOAD "^email=[0-9a-zA-Z]{45,} to include . _ - as allowable characters or the POST_PAYLOAD "^add1=[0-9a-zA-Z]{45,} to include a dash and a blank as allowable characters?
And thanks for your wonderful help. I would have never been able to get this from the manual.
Ryan Barnett <rcb...@gm...> wrote:
On 4/11/06, joe barbish <joe...@ya...> wrote:
No Ryan, that did not work. The debug log shows this:
Checking signature "^/mls_fsbo_logon.php$" at REQUEST_URI
Checking against "/mls_fsbo_logon.php"
Signature check returned 403
Chained rule with match, continue in the loop
Checking against "id=jones1&pw=bob888&userdigit=vmiis&submit=Submit"
Ahh... the line above helps. It shows what the expected format of the POST_PAYLOAD is.
Signature check returned 404
Access denied with code 404. Pattern match "!^(id|pw|userdigit)=[0-9a-z]$" at POST_PAYLOAD.
Rule match, returning code 404
I'm thinking this may work:
SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
SecFilterSelective POST_PAYLOAD "^(id|pw|userdigit)=[0-9a-z]$" allow
Notice no ! and allow added at the end.
What do you think?
This should work (including size restrictions of the values to 20 characters or less) -
SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
SecFilterSelective POST_PAYLOAD "^id=[0-9a-z]{20,}&pw=[0-9a-z]{20,}&userdigit=[0-9a-z]{20,}&submit=Submit$" allow
See if this works. You can test it by submitting data other than letters or numbers and also input > 20 characters. These should be blocked.
- Ryan
Ryan Barnett <rcb...@gm...> wrote:
On 4/11/06, joe barbish <joe...@ya... > wrote:
So the question is: is the following code correct?
SecFilterSelective REQUEST_URI "^/mls_fsbo_signup.php$" allow plus
SecFilterSelective POST_PAYLOAD "(^id=[0-9a-z]$)" allow plus
SecFilterSelective POST_PAYLOAD "(^pw=[0-9a-z]$)" allow plus
SecFilterSelective POST_PAYLOAD "(^userdigit=[0-9a-z]$)" allow
"plus" is not a valid mod_security action. I would suggest that you use this directive -
SecFilterSelective REQUEST_URI "^/mls_fsbo_logon.php$" chain
SecFilterSelective POST_PAYLOAD "!^(id|pw|userdigit)=[0-9a-z]$"
This should work. Test it out and let me know.
-Ryan
---------------------------------
How low will we go? Check out Yahoo! Messenger's low PC-to-Phone call rates.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
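The thread above is about writing a positive-security (whitelist) POST_PAYLOAD filter for mod_security 1.x: one anchored expression that names every form field in order, with a character class and a length bound per field. The script below is an added example, not code from the thread or from mod_security. It assembles that expression one field per line (which answers the readability question for a 20-field form), renders the two-line chained SecFilterSelective rule, and checks sample bodies with Python's re module. The field names, character classes, limits and the sample submissions are constructed for this example; the check also assumes the engine matches the URL-decoded body, which is an assumption about the engine configuration, and the example shows why that matters (a space arrives as "+" and "@" as "%40" in a raw form body). It also makes the quantifier semantics visible: `{20,}` sets a minimum of 20 characters, so a bounded form such as `{1,20}` is what caps a field.

```python
"""Offline harness for mod_security 1.x POST_PAYLOAD whitelist patterns.

Added example (not from the thread or from mod_security): builds the anchored
regex one field per line, renders the chained rule, and checks sample bodies.
The field list, limits and submissions below are constructed for illustration,
and the match is done against the URL-decoded body (an assumption about how the
engine normalises the payload before matching).
"""
import re
from urllib.parse import urlencode, unquote_plus


def bounded(charclass: str, lo: int, hi: int) -> str:
    """Bound a value both ways: '{20,}' alone is a floor, not a ceiling."""
    return f"{charclass}{{{lo},{hi}}}"


# One entry per form field, in submission order: (name, regex for its value).
# Constructed for this example; the poster's real form will differ.
SIGNUP_FIELDS = (
    ("id",         bounded(r"[0-9a-z]", 6, 15)),
    ("pw",         bounded(r"[0-9a-z]", 6, 15)),
    # '.', '_', '@' and '-' added to the alphanumerics; '-' goes last so it is literal.
    ("email",      bounded(r"[0-9a-zA-Z._@-]", 6, 45)),
    # Dash and blank allowed for a street address line.
    ("addr1",      bounded(r"[0-9a-zA-Z -]", 1, 45)),
    ("phone_cell", bounded(r"[0-9-]", 7, 20)),
    ("userdigit",  bounded(r"[0-9a-z]", 5, 5)),
    ("submit",     "Submit"),  # fixed literal, no quantifier
)


def build_payload_pattern(fields) -> str:
    """Join the per-field pieces into one anchored POST_PAYLOAD expression."""
    body = "&".join(f"{re.escape(name)}={value_re}" for name, value_re in fields)
    return f"^{body}$"


def render_rule(uri: str, fields, action: str = "allow") -> str:
    """Render the two-line chained SecFilterSelective rule in mod_security 1.x syntax."""
    return (
        f'SecFilterSelective REQUEST_URI "^{re.escape(uri)}$" chain\n'
        f'SecFilterSelective POST_PAYLOAD "{build_payload_pattern(fields)}" {action}'
    )


def payload_allowed(fields, body: str) -> bool:
    """True only if the entire body matches the whitelist (no partial matches)."""
    return re.fullmatch(build_payload_pattern(fields), body) is not None


def form_bodies(form: dict):
    """Return (raw application/x-www-form-urlencoded body, URL-decoded body)."""
    raw = urlencode(form)          # space -> '+', '@' -> '%40'
    return raw, unquote_plus(raw)  # what the filter is assumed to see


if __name__ == "__main__":
    # Constructed sample submission.
    good = {
        "id": "jones1", "pw": "bob888", "email": "joe.b_1@example.com",
        "addr1": "12 Main St - Apt 4", "phone_cell": "555-123-4567",
        "userdigit": "vmiis", "submit": "Submit",
    }
    raw, decoded = form_bodies(good)
    print(render_rule("/mls_fsbo_signup.php", SIGNUP_FIELDS))
    print("decoded body allowed:", payload_allowed(SIGNUP_FIELDS, decoded))
    print("raw body allowed:    ", payload_allowed(SIGNUP_FIELDS, raw))
```

In the Apache configuration itself a trailing backslash continues a line, so the generated pattern can also be split at each `&` in httpd.conf as long as every continuation line starts at column 1 (any indentation would be read as part of the quoted pattern). The raw-versus-decoded check is the one to run against the real engine with the debug log open, as Ryan did above: the "Checking against" line shows the exact string the pattern has to match.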