Re[5]: [mod-security-users] escape character problem - mod_security v1.9.2
From: <gyo...@hi...> - 2006-05-23 00:59:06
Ivan, thanks.
Here is the debug log:
...
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][4] Adding parameter: "username"="/\""
...
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][2] Checking signature "username=" at POST_PAYLOAD
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][4] Checking against "bbsID=feedback&MsgID=12329&threadcode=00006051!&sticky=0&username=/\"&password=1&title=\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0\x82\xa0&msgbody=&img=&file=&dig=1&120=&Submit=submit"
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Check took 0 usec
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][3] Warning (chained rule). Pattern match "username=" at POST_PAYLOAD
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Signature check returned 403
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Chained rule with match, continue in the loop
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][2] Checking signature "username=\\\\\"&" at ARG("username")
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][4] Checking against "/\""
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Check took 0 usec
[23/May/2006:09:42:33 +0900] [localhost/sid#2bc130][rid#6f1768][/post.html][9] Signature check returned 0
...
It doesn't work yet :(
I also wonder why the POST form parameter value \" changed to /\".
When I input the string \', the debug log looks like this:
..
[23/May/2006:09:47:51 +0900] [localhost/sid#2bc130][rid#7079e8][/post.html][4] Adding parameter: "username"="/'"
...
So, it seems the character \ is being ignored.
Conan,
>> Thanks Ivan.
>>
>> I tested this rule.
>> ###
>> SecFilterSelective ARG_parameter1 "\\\""
>> ###
>>
>> It filters all messages which include the character ",
>
>Ah, sorry, my mistake. We want to use:
>
>SecFilterSelective ARG_parameter1 "\\\\\""
>
>After Apache is done with the parameter (regex pattern) it will
>convert "\\\\\"" to \\", which is what you want (since \ is used to
>escape characters in regex patterns too).
>
>--
>Ivan Ristic, Technical Director
>Thinking Stone, http://www.thinkingstone.com
>ModSecurity: Open source Web Application Firewall
>
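To make the two layers of unescaping in Ivan's reply concrete, here is an added example; it is not code from this thread, from mod_security or from httpd. It reimplements in Python, as an assumption about httpd's behaviour, how Apache's configuration reader strips one level of backslash escapes from a double-quoted directive argument (inside "...", \\ becomes \ and \" becomes ", any other backslash is kept), then hands the result to a regex engine the way SecFilterSelective ARG_x does, and runs both rule arguments from the quoted exchange against constructed parameter values. The value /\" is taken literally as it is printed in the debug log above, which is also an assumption, since the debug log may escape characters when it prints them.

```python
import re


def apache_unquote(token: str) -> str:
    """Layer 1: what the module sees after Apache has read the directive.

    Assumed reimplementation of httpd's quoted-argument handling (not httpd
    code): inside "...", \\\\ becomes \\ and \\" becomes ", every other
    backslash is kept. Unquoted arguments are returned verbatim."""
    if not (len(token) >= 2 and token[0] == '"' and token[-1] == '"'):
        return token
    body = token[1:-1]
    out = []
    i = 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])   # escaped backslash or escaped quote
            i += 2
        else:
            out.append(body[i])       # any other character, backslash included
            i += 1
    return ''.join(out)


def rule_matches(directive_arg: str, value: str) -> bool:
    """Layer 2: the unquoted string is compiled as a regex (PCRE in
    mod_security 1.9; Python's re treats \\" and \\\\ the same way) and
    searched for anywhere in the parameter value."""
    return re.search(apache_unquote(directive_arg), value) is not None


# The two rule arguments exactly as written in the quoted exchange.
FIRST_RULE = r'"\\\""'      # SecFilterSelective ARG_parameter1 "\\\""
FIXED_RULE = r'"\\\\\""'    # SecFilterSelective ARG_parameter1 "\\\\\""

# Constructed sample parameter values (not captured traffic). The "logged
# value" entry is /\" taken literally as printed in the debug log above.
SAMPLES = {
    'backslash-quote': '\\"',
    'logged value':    '/\\"',
    'plain quote':     'say "hi"',
    'no quote at all': 'conan',
}


if __name__ == '__main__':
    for name, rule in (('first rule', FIRST_RULE), ('fixed rule', FIXED_RULE)):
        print('%s: in httpd.conf %s, after Apache %r'
              % (name, rule, apache_unquote(rule)))
        for label, value in SAMPLES.items():
            print('  %-16s %-10r -> %s' % (label, value, rule_matches(rule, value)))
```

Running it shows why the first rule "filters all messages which include the character \"": after Apache's pass it is the regex \", which the regex engine reads as a plain quote. The corrected argument survives Apache's pass as \\", which the regex engine reads as a literal backslash followed by a quote, so only values containing the \" sequence match.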