Re: [mod-security-users] Apache 2.2 and URL encoding

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I'd see this as a bug in the core-rules. The rule 950107 is checking  
ARGS by using
validateURLencoding. As far as I see, the encoding is clean. The only  
thing, which
is alerted by the rule is your parameter "INPUT1" holding the string  
"%". When
using double-url-encoding in your app this could become dangerous.

To me it looks as if the pattern of the rule was applied against the  
__urldecoded__
argument (that is against "%" but not "%25", possibly the t:urldecode  
was inherited?).

The pattern says, that after "%" [0-9a-fA-F]{2} must follow.

Or am I missing anything?

Regards,
     Chris

P.S.: Looking at the pattern for a little longer makes me curious:

	\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})

alerts, if "%" is followed by something that ( is NOT [0-9a-fA-F]{2} )
OR that IS u[0-9a-fA-F]{4}, right?

Shouldn't this be like

	\%?!([0-9a-fA-F]{2}|u[0-9a-fA-F]{4})

that is to be meant as

      IF NOT  (  [0-9a-fA-F]{2}  OR  u[0-9a-fA-F]{4}  )

Am 31.05.2007 um 21:42 schrieb Don:

> Hi,
>
> I have an Apache Lounge version of apache 2.2 with mod security 2.1.1
> on a Windows XP PC. I am running a C++ cgi application that uses url
> encoding. I am using the core rules that came with mod security.  
> Since I
> am using url encoding in my program, I am getting a Bad Response  
> error. In the error log
> I have:
> [Tue May 22 12:51:04 2007] [error] [client 127.0.0.1] ModSecurity:  
> Access denied with code 400 (phase 2).
> Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at  
> ARGS:INPUT1. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"]
> [severity "WARNING"] [hostname "localhost"] [uri "/cgi-bin/ 
> ttgxxx.exe/SearchIt?DBNAME=200703xxxxxx&NEWUSER=xxxx
> &CODE=xxxx&DBALIAS=MAR%2B2007%2BB%2BOF%2BA%2BLOCKBOXES
> &STARTSESSION=5%2F22%2F2007%2B12%3A50%3A51%2BPM
> &R1=V1&INPUT1=%25&SUBMIT.x=23&SUBMIT.y=12&SUBMIT=SEARCH"]  
> [unique_id "XrASOwpYJAQAAADQDDkAAAD5"]
>
> I have tried overriding this rule as per the mod security help file. I
> created a file named modsecurity_crs_15_customrules.conf and added the
> following to try to override the rule.
>
> SecRuleRemoveByID "960901"
> SecRuleRemoveByID "950107"
> SecRuleRemoveByMsg "URL Encoding Abuse Attack Attempt"
>
> This seems to have no effect at all and I continue to get the Bad  
> Response error.
>
> Thanks for any assistance with this.
>
> Don
> ---------------------------------------------------------------------- 
> ---
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/ 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users