Thread: [mod-security-users] Vbulletin 3.5.2 and mod_security
From: Thomas B. <web...@sp...> - 2006-03-14 08:01:48
Since the installation of the latest vbulletin version, we have some trouble with the € (%u20AC). When someone tries to use the quick-answer function, it hangs on submit and I get this log entry:

###################################################################################################
========================================
Request: 84.181.222.208 - - [06/Mar/2006:20:22:52 +0100] "POST /newreply.php HTTP/1.1" 500 132018
Handler: (null)
----------------------------------------
POST /newreply.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Accept-Language: de
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: vbulletin_collapse=vbindex_poll%0Avbindex_customblock1%0Avbindex_onlineusers%0Avbindex_customblock2%0Avbindex_customblock5%0Avbindex_customblock3%0Avbindex_customblock4%0Amodule_18%0Amodule_4_2223%0Amodule_4_2129%0Amodule_14%0Amodule_10%0Amodule_7%0Amodule_16%0Asimilarthreads%0Aforumrules%0Amodule_17%0Amodule_6%0Amodule_13%0Amodule_15%0Amodule_3%0Amodule_19%0Amodule_20; bbstyleid=8; bblastactivity=0; bbpassword=45607a9db79ae5183869714014f52482; bblastactivity=0; bbpassword=45607a9db79ae5183869714014f52482; bbuserid=116; bbuserid=116; bblastvisit=1137987506; bblastvisit=1119689584; bbsessionhash=459be9994d399f34f77a72320b48203c; bbthread_lastview=18660539a878ce8c1d3c4b58eb661985a-3-%7Bi-1984_i-1141664362_i-2385_i-1141669965_i-2401_i-1141671043_%7D; bbforum_view=914767cf6ea023144ed3f3764dac98eca-1-%7Bi-32_i-1141670455_%7D
Host: www.spieleplanet.ch
Keep-Alive: 300
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7.8) Gecko/20050511
mod_security-message: Access denied with code 500. Error parsing POST parameters: Error normalizing parameter value: Invalid URL encoding detected: invalid characters used
mod_security-action: 500

154
ajax=1&ajax_lastpost=1141671043&message=sdsdsdfsfsdfdsf%20%u20AC&wysiwyg=0&signature=1&fromquickreply=1&s=&do=postreply&t=2401&p=who%20cares&parseurl=1&s=

HTTP/1.1 500 Internal Server Error
Vary: *
Last-Modified: Wed, 09 Jun 2004 23:18:33 GMT
ETag: "f5c3e0-203b2-40c79ac9"
Accept-Ranges: bytes
Content-Length: 132018
Connection: close
Content-Type: image/jpeg
###################################################################################################

Same thing with postedit.php, so I tried to make a rule in httpd.conf:

SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog

and

<LocationMatch "/newreply.php">
SecFilterSelective THE_REQUEST "\.*[\xu20AC].*\" pass,nolog
</LocationMatch>

Can anyone help me with this rule? I tried everything I know, but neither works at the moment. Maybe it's a problem with the ajax function, but I don't have any clue how to solve it.

Kind regards,
Thomas Behrend
From: Terry D. <tdo...@na...> - 2006-03-14 11:40:49
Thomas Behrend wrote:
[snip]
>
> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog
>

This rule will essentially do nothing at all. pass allows you to log matching entries with actions such as 'log,pass'. Using it on its own or with nolog will do nothing.

To explicitly accept a request based on a match, you need to use the allow action:

SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog

Of course, you'll have to be careful where exactly this rule appears. If you put it at the top, then anyone can subvert the rest of your rule set by simply inserting a euro character in their request. It's good practice to put your allow rules right at the bottom of the list. Of course, if one of your other rules triggers a 'deny' on similar content, then the request will never reach this rule and you'll have to figure out some sort of chaining.

I can't comment on the regular expression itself, however. I run a vBulletin 3.0 system myself and I'm curious as to what you're trying to match with the \|+ and \| at either end of it.

Terry.
From: Thomas B. <web...@sp...> - 2006-03-14 15:04:45
Terry Dooher wrote:
>
> This rule will essentially do nothing at all. pass allows you to log
> matching entries with actions such as 'log,pass'. Using it on its own or
> with nolog will do nothing.
>
> To explicitly accept a request based on a match, you need to use the
> allow action:
>
> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog
>
> Of course, you'll have to be careful where exactly this rule appears. If
> you put it at the top, then anyone can subvert the rest of your rule
> set by simply inserting a euro character in their request. It's good
> practice to put your allow rules right at the bottom of the list. Of
> course, if one of your other rules triggers a 'deny' on similar
> content, then the request will never reach this rule and you'll have to
> figure out some sort of chaining.
>
> I can't comment on the regular expression itself, however. I run a
> vBulletin 3.0 system myself and I'm curious as to what you're trying to
> match with the \|+ and \| at either end of it.
>
> Terry.
>

It was one of many tries to get it working, but none worked: not allow, not pass, no QUERY_STRING rule, really nothing. The only workaround for it was to deactivate the CheckURLEncoding option. For now it's working without post scanning, but I will try it without ajax; maybe I have more luck without it.

Kind regards,
Thomas Behrend
From: Ivan R. <iv...@we...> - 2006-03-14 15:12:13
Thomas Behrend wrote:
> Terry Dooher wrote:
>
>> This rule will esssentially do nothing at all. pass allows you to log
>> matching entries with actions such as 'log,pass'. Using it on its own or
>> with nolog will do nothing.
>>
>> To explicitly accept a request based on a match, you need to use the
>> allow action:
>>
>> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog
>>
>> Of course, you'll have to be careful where exaclty this rule appears. If
>> you put it at the top, then anyone can subvert the reset of your rule
>> set by simply inserting a euro character in their request. It's good
>> practice to put your allow rules right at the bottom of the list. Of
>> course, if one of your other rules triggering a 'deny' on similar
>> content, then the request will never reach this rule and you'll have to
>> figure out some sort of chaining.
>>
>> I can't comment on the regular expression itself, however. I run a
>> vBulletin 3.0 system myself and I curious as to what you're trying to
>> match with the \|+ and \| at either end of it.
>>
>> Terry.
>>
> It was one of many trys to get it working, but none worked, not allow,
> not pass, no QUERY_STRING rule, realy noting. The only workaround for it
> was to deactivate the CheckURLEncoding option. For now its working
> without postscanning, but i will try it without ajax, maybe i have more
> luck without it.
It didn't work because:
1) URL-encoding is checked before any rules are run.
2) You used THE_REQUEST as the target:
SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog
and the problem was in the request payload (POST_PAYLOAD).
BTW, please subscribe to the list to have your posts go directly
through.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Ivan R. <iv...@we...> - 2006-03-14 14:01:51
Thomas Behrend wrote:
> Since the installation of the latest vbulletin version, we have some
> trouble with the =80 (%u20AC).
>
> ...
>
> mod_security-message: Access denied with code 500. Error parsing POST
> parameters: Error normalizing parameter value: Invalid URL encoding
> detected: invalid characters used
>
> ...
>
> ajax=3D1&ajax_lastpost=3D1141671043&message=3Dsdsdsdfsfsdfdsf%20%u20AC
The above (%u20AC) is not a valid URL-encoded character. I suspect
this is a programming error in vbulletin. I also suspect they
should encode the character like this: %25u20AC.
You can allow it simply by turning URL-encoding validation off:
SecFilterCheckURLEncoding Off
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
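Ivan's two replies make one technical point: the request never reached any SecFilterSelective rule because the URL-encoding check runs while the POST parameters are being normalised, and %u20AC is simply not valid percent-encoding. The following is an added example, not code from the thread, from ModSecurity or from vBulletin. It models that strict normalisation step in JavaScript and runs it over the body from the audit log above, then shows the two client-side encoders a browser script can use for the euro sign. That the %u20AC was produced by the legacy escape() function is this example's assumption; the thread only says the ajax quick-reply sends it.

```javascript
// Added example: a strict form-body decoder in the spirit of mod_security's
// URL-encoding validation, plus the two browser-side encoders. The
// escape() attribution is an assumption, not something the thread states.

// The request body from the original audit log, with the mailing list's
// quoted-printable transport encoding (=3D, soft line breaks) undone.
const LOGGED_BODY =
  'ajax=1&ajax_lastpost=1141671043&message=sdsdsdfsfsdfdsf%20%u20AC' +
  '&wysiwyg=0&signature=1&fromquickreply=1&s=&do=postreply&t=2401' +
  '&p=who%20cares&parseurl=1&s=';

// Strictly percent-decode one application/x-www-form-urlencoded token.
// Every '%' must be followed by exactly two hex digits; '%u20AC' fails
// because 'u2' is not hex. Returns {ok, value} or {ok, reason, offset}.
function strictUrlDecode(token) {
  const bytes = [];
  for (let i = 0; i < token.length; i++) {
    const c = token[i];
    if (c === '%') {
      const hex = token.slice(i + 1, i + 3);
      if (!/^[0-9A-Fa-f]{2}$/.test(hex)) {
        return { ok: false, reason: 'invalid characters used', offset: i };
      }
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else if (c === '+') {
      bytes.push(0x20); // form encoding spells a space as '+'
    } else {
      // Bytes that were not percent-encoded. A well-formed body is ASCII
      // here; anything else is carried through as UTF-8.
      bytes.push(...new TextEncoder().encode(c));
    }
  }
  const value = new TextDecoder('utf-8').decode(Uint8Array.from(bytes));
  return { ok: true, value };
}

// Parse a whole body the way the WAF does: every name and value is
// normalised up front, and the first malformed one rejects the request
// before any filter rule gets to look at it.
function parseFormBody(body) {
  const params = [];
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    const name = strictUrlDecode(rawName);
    if (!name.ok) {
      return {
        ok: false,
        param: rawName,
        error: 'Error normalizing parameter name: Invalid URL encoding detected: ' + name.reason,
      };
    }
    const value = strictUrlDecode(rawValue);
    if (!value.ok) {
      return {
        ok: false,
        param: name.value,
        error: 'Error normalizing parameter value: Invalid URL encoding detected: ' + value.reason,
      };
    }
    params.push([name.value, value.value]);
  }
  return { ok: true, params };
}

// The two encoders a browser script can reach for. Legacy escape() emits
// %uXXXX for anything outside Latin-1, which no RFC-conformant server-side
// decoder accepts; encodeURIComponent emits the UTF-8 bytes they all do.
function encodeLegacy(text) { return escape(text); }               // '€' -> '%u20AC'
function encodeStandard(text) { return encodeURIComponent(text); } // '€' -> '%E2%82%AC'

// The logged message re-encoded the standard way; this version passes
// the same strict check without touching SecFilterCheckURLEncoding.
function fixedBody() {
  return LOGGED_BODY.replace('%u20AC', encodeStandard('\u20AC'));
}

console.log(parseFormBody(LOGGED_BODY));
console.log(parseFormBody(fixedBody()).params.find(([k]) => k === 'message'));
```

The parser rejects the logged body at the `message` parameter with the same wording the audit log shows, which is why neither `pass` nor `allow` on THE_REQUEST could have rescued the request: the rule engine is never consulted. Fixing the encoder on the client removes the need to turn the check off for the whole site.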
From: Thomas B. <web...@sp...> - 2006-03-14 14:56:03
Ivan Ristic wrote:
>
> The above (%u20AC) is not a valid URL-encoded character. I suspect
> this is a programming error in vbulletin. I also suspect they
> should encode the character like this: %25u20AC.
>
> You can allow it simply by turning URL-encoding validation off:
>
> SecFilterCheckURLEncoding Off
>

I deactivated this option for testing, and it worked. But I hoped someone knew how to set a filter rule for this problem. Anyway, for now it's working well; I don't think it's very risky to deactivate this option.

Thanks for the help.

Kind regards,
Thomas Behrend