Thread: Re: [mod-security-users] checking single parameter value
From: Alex V. <ale...@ss...> - 2006-04-13 07:34:43
Sorry, I think this should work:

SecFilterSelective REQUEST_URI "^/mls_verifyemail.php" chain
SecFilterSelective ARG_hash "^[0-9a-zA-Z]*" allow

(ARG_hash and not ARGS_hash)

Alex

On Thu 13 April 2006 3:56, joe barbish wrote:
> Hello list;
> In my debug log I see this:
>
> Normalised REQUEST_URI: /mls_verifyemail.php?hash=bGF5YmFja2ppbW15
> Parsing arguments...
> Adding parameter: [hash][bGF5YmFja2ppbW15]
> Checking signature "^/mls_verifyemail.php" at REQUEST_URI
> Checking against "/mls_verifyemail.php?hash=bGF5YmFja2ppbW15"
> Signature check returned -1
> Access allowed based on pattern match "^/mls_verifyemail.php" at REQUEST_URI
>
> This is the rule which allows the above to pass
> SecFilterSelective REQUEST_URI "^/mls_verifyemail.php" allow
>
> I want to tighten this up by checking that there is only a single
> parameter value and that it's an md5 hash with no bogus stuff inserted
> SecFilterSelective REQUEST_URI "^/mls_verifyemail.php" chain
> SecFilterSelective QUERY_STRING "^?hash=" chain
> SecFilterSelective ARGS_VALUES "^hash=[0-9a-zA-Z]" allow
>
> This errors out. What am I doing wrong?
From: joe b. <joe...@ya...> - 2006-04-13 12:31:57
Thanks Alex

That worked, as shown by these debug log messages:

Checking signature "^/mls_verifyemail.php" at REQUEST_URI
Checking against "/mls_verifyemail.php?hash=YmFyYmlzaDI="
Signature check returned 403
Chained rule with match, continue in the loop
Checking signature "^[0-9a-zA-Z]*" at ARG(hash)
Checking against "YmFyYmlzaDI="
Signature check returned -1
Access allowed based on pattern match "^[0-9a-zA-Z]*" at CUSTOM
Allow request to pass through

But I am concerned by the asterisk at the end of "^[0-9a-zA-Z]*".
Is that a wildcard meaning anything else is accepted, like the = in the hash value?

The hash value is created using this:
$hash = base64_encode($logonid);

Does base64_encode create any other special characters?

Wouldn't "^[0-9a-zA-Z=]" be more secure?
From: Alex V. <ale...@ss...> - 2006-04-13 13:02:26
On Thu 13 April 2006 14:31, joe barbish wrote:
> But I am concerned by the asterisk at the end of "^[0-9a-zA-Z]*".
> Is that a wildcard meaning anything else is accepted, like the = in the
> hash value?
>
> Wouldn't "^[0-9a-zA-Z=]" be more secure?

No... It's not a security case, but it means (as for all regexps) that you can have only [0-9a-zA-Z] chars, but more than one!!

Here are examples:

^[0-9a-zA-Z]  -> accept 1 char in this list (0-9a-zA-Z)
^[0-9a-zA-Z]? -> accept blank or 1 char in this list (0-9a-zA-Z)
^[0-9a-zA-Z]+ -> accept 1 or more char(s) in this list (0-9a-zA-Z)
^[0-9a-zA-Z]* -> accept 0 or more chars in this list (0-9a-zA-Z)
From: joe b. <joe...@ya...> - 2006-04-13 13:23:39
Thank you Alex for the explanation;

But then why did the = sign pass in the hash value if the rule is saying only allow multiple 0-9 a-z A-Z characters?
From: Alex V. <ale...@ss...> - 2006-04-13 13:41:35
On Thu 13 April 2006 15:23, joe barbish wrote:
> But then why did the = sign pass in the hash value if the rule is saying
> only allow multiple 0-9 a-z A-Z characters?

Sorry, I just forgot to add a $ at the end, so it was allowing everything that begins with 0-9 a-z A-Z...

So the correct rule is:

"^[0-9a-zA-Z]*$"  if you don't want the "="
or
"^[0-9a-zA-Z]*=$"  if the "=" is always the last char
or
"^[0-9a-zA-Z=]*$"  if you want to allow the = sign everywhere
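Editor's note, not part of the thread: the point Alex makes in his last two messages (the quantifier only says how many characters the class may repeat, and without a trailing $ the rule accepts anything that merely starts with an allowed character) is easy to verify offline. The script below is an added example, not code from the list or from ModSecurity; it runs the patterns quoted in the thread, plus a strict base64 pattern, against a handful of values. Two of the values are the hash values from joe's debug logs; the rest are constructed. PHP's base64_encode() emits only A-Z, a-z, 0-9, + and /, with one or two trailing = as padding, so a pattern that rejects + and / (as every pattern in the thread does) will reject some legitimate logon ids. The patterns are PCRE-compatible and Python's re module behaves identically on them; the suggested SecFilterSelective rule in the comment assumes the ModSecurity 1.x syntax used in the thread.

```python
import re

# Patterns as quoted in the thread, plus one that checks the exact shape
# PHP's base64_encode() produces (groups of four, optional padded tail,
# and a lookahead so the empty string is rejected).
PATTERNS = {
    'no end anchor': re.compile(r'^[0-9a-zA-Z]*'),    # Alex's first rule
    'end anchor':    re.compile(r'^[0-9a-zA-Z]*$'),   # rejects '='
    'trailing =':    re.compile(r'^[0-9a-zA-Z]*=$'),  # '=' must be last
    '= anywhere':    re.compile(r'^[0-9a-zA-Z=]*$'),
    'strict base64': re.compile(
        r'^(?=.)(?:[A-Za-z0-9+/]{4})*'
        r'(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'),
}

# Assumed ModSecurity 1.x rule using the strict pattern; not tested here:
# SecFilterSelective REQUEST_URI "^/mls_verifyemail.php" chain
# SecFilterSelective ARG_hash "^(?=.)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" allow

# Constructed sample values. The first two are the hash values from the
# debug logs in the thread; the others are what an attacker might send
# to the same parameter, or edge cases base64 can legitimately produce.
SAMPLES = [
    'bGF5YmFja2ppbW15',   # from the log: 16 chars, no padding
    'YmFyYmlzaDI=',       # from the log: one '=' of padding
    'Zm9vYg==',           # two '=' of padding (base64 of "foob")
    '+/8=',               # '+' and '/' are part of the base64 alphabet
    "abc' OR 1=1--",      # injection attempt with an allowed prefix
    'abc=def',            # '=' in the middle; base64 never does this
    '',                   # empty value: '*' accepts it, '+' would not
]


def matches(pattern_name, value):
    """True if the named pattern accepts value. Anchoring comes only from
    the pattern itself, as it does when ModSecurity applies a signature."""
    return PATTERNS[pattern_name].search(value) is not None


def report():
    """Map each pattern name to the list of SAMPLES it would let through."""
    return {name: [v for v in SAMPLES if matches(name, v)]
            for name in PATTERNS}


if __name__ == '__main__':
    for name, accepted in report().items():
        print(f'{name:14s} accepts {len(accepted)}/{len(SAMPLES)}: {accepted}')
```

Running it shows "no end anchor" accepting every sample, including the injection string and the empty value, which matters because in ModSecurity 1.x an `allow` match stops rule processing, so an over-broad allow rule exempts that request from every later filter. "trailing =" rejects the unpadded value from joe's first log (padding is only present when the input length is not a multiple of three), and "= anywhere" admits a form base64 never produces. Only the strict pattern accepts exactly the four values PHP could have generated.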