Hi
I use mod_security (1.8.7) with SecFilterScanPOST set to "on" to filter POST
variables.
Here is a basic configuration:
...
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecFilterDebugLog /var/log/apache2/modsec_debug_log
SecFilterDebugLevel 2
SecFilterScanPOST On
<Location /app/login.cfm>
#Check for POST method only
SecFilterSelective REQUEST_METHOD !^POST$
SecFilterSelective ARG_VAR1 !^value1$
SecFilterSelective ARG_VAR2 !^value2$
</Location>
...
I made some requests on the machine, using curl:
curl -d "VAR1=value1&VAR2=value2" http://site.com/app/login.cfm
-> correct behavior (request accepted)
curl -d "VAR1=value1&VAR2=foo" http://site.com/app/login.cfm
-> correct behavior (request denied)
curl -d "VAR1=value1" http://site.com/app/login.cfm
-> strange behavior: request accepted and the log is
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_check_access, path=/app/login.cfm
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Parsing arguments...
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] read_post_payload: Added mod_security-note to 8420280
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Checking signature "!^POST$" at REQUEST_METHOD
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Checking signature "!^value1$" at ARG(VAR1)
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_pre: output filtering is off here
[07/Oct/2005:09:59:27 +0200] [che.cordis.lu/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_logger: start
Does it mean that, in the case of a missing variable, the rule concerning this
variable is just ignored?
Thanks for your answer
Stephane Walrave
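One way to confirm from the debug log which configured rules were never evaluated for a request, as an added example that is not part of the original post: it reads the SecFilterSelective lines and the "Checking signature ... at ..." lines (the RULES and DEBUG_LOG strings are constructed copies of the post's config and log) and reports, per request id, the rules with no matching check.

```python
import re
from collections import defaultdict

# Constructed copy of the SecFilterSelective lines from the post's <Location> block.
RULES = """
SecFilterSelective REQUEST_METHOD !^POST$
SecFilterSelective ARG_VAR1 !^value1$
SecFilterSelective ARG_VAR2 !^value2$
"""

# Constructed debug log lines modelled on the post (the request that omitted VAR2).
DEBUG_LOG = """
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_check_access, path=/app/login.cfm
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Checking signature "!^POST$" at REQUEST_METHOD
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Checking signature "!^value1$" at ARG(VAR1)
"""

RULE_RE = re.compile(r'^\s*SecFilterSelective\s+(\S+)\s+(\S+)')
CHECK_RE = re.compile(r'\[rid#([0-9a-f]+)\].*Checking signature "([^"]*)" at (\S+)')


def location_name(var):
    """Map a SecFilterSelective variable name to the form the debug log prints (ARG_X -> ARG(X))."""
    if var.startswith("ARG_"):
        return f"ARG({var[4:]})"
    return var


def parse_rules(text):
    """Return [(location, signature)] for every SecFilterSelective line in the config text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((location_name(m.group(1)), m.group(2)))
    return rules


def checked_rules(log_text):
    """Return {rid: {(location, signature)}} for every 'Checking signature' line in the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            rid, sig, loc = m.groups()
            seen[rid].add((loc, sig))
    return seen


def unevaluated_rules(rules_text, log_text):
    """For each request id seen in the log, list configured rules that were never checked."""
    rules = parse_rules(rules_text)
    seen = checked_rules(log_text)
    return {rid: [r for r in rules if r not in checks] for rid, checks in seen.items()}
```

Running it on the constructed log reports the ARG(VAR2) rule as unevaluated for request 8420280, matching the missing "Checking signature" line in the post.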