mod-security-users

[mod-security-users] problem with SecFilter "<(.|\n)+>"

[Thomas <tb...@tb...>]

Hi List,

I've a problem with the following URL:

http://www.domain.de/module/lauftext.swf?text=%3Cb%3ENeu%3A+F%C3%B6rder-
+und+Siebrinnen+VCS%3C%2Fb%3E+-+Sch%C3%BCttg%C3%BCter+kostensparend
+transportieren&link=verfahrenstechnik%2Frinnen%2Fvcs%2F%3Fde

the debug shows

[09/Mar/2005:22:53:17 +0100]
[www.domain.de/sid#8269140][rid#830cd88][/module/lauftext.swf] Signature
check returned 0
[09/Mar/2005:22:53:17 +0100]
[www.domain.de/sid#8269140][rid#830cd88][/module/lauftext.swf] Checking
signature "<(.|\\n)+>" at THE_REQUEST
[09/Mar/2005:22:53:17 +0100]
[www.domain.de/sid#8269140][rid#830cd88][/module/lauftext.swf] Checking
against "/module/lauftext.swf?text=<b>Neu: F\xc3\xb6rder- und Siebrinnen
VCS</b> - Sch\xc3\xbcttg\xc3\xbcter kostensparend
transportieren&link=verfahrenstechnik/rinnen/vcs/?de"
[09/Mar/2005:22:53:17 +0100]
[www.domain.de/sid#8269140][rid#830cd88][/module/lauftext.swf] Signature
check returned 500
[09/Mar/2005:22:53:17 +0100]
[www.domain.de/sid#8269140][rid#830cd88][/module/lauftext.swf] Access
denied with code 500. Pattern match "<(.|\\n)+>" at THE_REQUEST
[09/Mar/2005:22:53:17 +0100]
[www.domain.de/sid#8269140][rid#830cd88][/module/lauftext.swf] Rule
match, returning code 500

i found no "." and no "\n" in the URL. Why matches mod_security
this URL by this Rule ?

Many thanks for help.

-Thomas

Re: [mod-security-users] problem with SecFilter "<(.|\n)+>"

[Ivan R. <iv...@we...>]

Thomas B=F6rnert wrote:
> Hi List,
>=20
> I've a problem with the following URL:
>=20
> http://www.domain.de/module/lauftext.swf?text=3D%3Cb%3ENeu%3A+F%C3%B6rd=
er-
> +und+Siebrinnen+VCS%3C%2Fb%3E+-+Sch%C3%BCttg%C3%BCter+kostensparend
> +transportieren&link=3Dverfahrenstechnik%2Frinnen%2Fvcs%2F%3Fde
>=20
> i found no "." and no "\n" in the URL. Why matches mod_security
> this URL by this Rule ?

   That's because . is a special character in regular expressions,
   and stands for any one character (except for \n in some cases).

   In your case the rule matched <b>

[www.domain.de/sid#8269140][rid#830cd88][/module/lauftext.swf] Checking
against "/module/lauftext.swf?text=3D<b>Neu: F\xc3\xb6rder- und Siebrinne=
n
VCS</b> - Sch\xc3\xbcttg\xc3\xbcter kostensparend
transportieren&link=3Dverfahrenstechnik/rinnen/vcs/?de"

   See here for more information about regular expressions:

   http://www.pcre.org/

--=20
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org