Re: [mod-security-users] Apache 2.2 and URL encoding
From: Christian B. <ch...@jw...> - 2007-05-31 20:38:37
I'd see this as a bug in the core rules. The rule 950107 is checking ARGS by using validateURLencoding. As far as I see, the encoding is clean. The only thing which is alerted by the rule is your parameter "INPUT1" holding the string "%". When using double URL encoding in your app this could become dangerous. To me it looks as if the pattern of the rule was applied against the __urldecoded__ argument (that is against "%" but not "%25"; possibly the t:urldecode was inherited?). The pattern says that after "%" [0-9a-fA-F]{2} must follow. Or am I missing anything?

Regards,
Chris

P.S.: Looking at the pattern for a little longer makes me curious:

\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})

alerts if "%" is followed by something that ( is NOT [0-9a-fA-F]{2} ) OR that IS u[0-9a-fA-F]{4}, right? Shouldn't this be like

\%?!([0-9a-fA-F]{2}|u[0-9a-fA-F]{4})

that is to be meant as IF NOT ( [0-9a-fA-F]{2} OR u[0-9a-fA-F]{4} )

On 31.05.2007 at 21:42, Don wrote:

> Hi,
>
> I have an Apache Lounge version of apache 2.2 with mod security 2.1.1
> on a Windows XP PC. I am running a C++ cgi application that uses url
> encoding. I am using the core rules that came with mod security. Since I
> am using url encoding in my program, I am getting a Bad Response
> error. In the error log I have:
>
> [Tue May 22 12:51:04 2007] [error] [client 127.0.0.1] ModSecurity:
> Access denied with code 400 (phase 2).
> Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at
> ARGS:INPUT1. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"]
> [severity "WARNING"] [hostname "localhost"] [uri "/cgi-bin/
> ttgxxx.exe/SearchIt?DBNAME=200703xxxxxx&NEWUSER=xxxx
> &CODE=xxxx&DBALIAS=MAR%2B2007%2BB%2BOF%2BA%2BLOCKBOXES
> &STARTSESSION=5%2F22%2F2007%2B12%3A50%3A51%2BPM
> &R1=V1&INPUT1=%25&SUBMIT.x=23&SUBMIT.y=12&SUBMIT=SEARCH"]
> [unique_id "XrASOwpYJAQAAADQDDkAAAD5"]
>
> I have tried overriding this rule as per the mod security help file. I
> created a file named modsecurity_crs_15_customrules.conf and added the
> following to try to override the rule.
>
> SecRuleRemoveByID "960901"
> SecRuleRemoveByID "950107"
> SecRuleRemoveByMsg "URL Encoding Abuse Attack Attempt"
>
> This seems to have no effect at all and I continue to get the Bad
> Response error.
>
> Thanks for any assistance with this.
>
> Don
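As an added example (not code from the thread or from the CRS project), the following Python check runs the 950107 pattern quoted above against the argument values taken from Don's log line, both as sent on the wire and after one round of URL decoding, to show how the outcome for INPUT1 depends on which form the pattern sees. The sample values are constructed from the log line, and `unquote` stands in for the t:urldecode transformation discussed above.

```python
import re
from urllib.parse import unquote

# Pattern quoted from CRS rule 950107 in the thread. The rule file writes "\%";
# the backslash is not needed in Python's re and is dropped here.
URL_ENC_ABUSE = re.compile(r"%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def alerts(value: str) -> bool:
    """True if the pattern finds a '%' that is followed by neither two hex
    digits nor 'u' plus four hex digits (both lookahead alternatives are
    rejected together, so '%u0041' does not alert, while '%' or '%zz' does)."""
    return URL_ENC_ABUSE.search(value) is not None


def check_arg(raw_value: str, urldecode_first: bool) -> bool:
    """Run the pattern against an argument value, optionally URL-decoding it
    first (a stand-in for the t:urldecode transformation)."""
    value = unquote(raw_value) if urldecode_first else raw_value
    return alerts(value)


# Constructed sample arguments, copied from the query string in Don's log line.
SAMPLES = {
    "INPUT1": "%25",                                   # a literal '%' sent encoded
    "DBALIAS": "MAR%2B2007%2BB%2BOF%2BA%2BLOCKBOXES",  # '+' characters encoded as %2B
    "STARTSESSION": "5%2F22%2F2007%2B12%3A50%3A51%2BPM",
}


def evaluate(samples: dict) -> dict:
    """Return {name: (alerts_on_raw, alerts_after_decode)} per sample argument."""
    return {name: (check_arg(v, False), check_arg(v, True))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, decoded_hit) in evaluate(SAMPLES).items():
        print(f"{name:13s} raw={raw_hit!s:5s} decoded={decoded_hit}")
```

Only INPUT1 changes verdict between the two forms: "%25" is clean, but the decoded "%" has nothing after it and matches.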