Thread: [mod-security-users] I get requests like:
From: Sub Z. <Su...@su...> - 2006-03-20 06:03:39
|
Hi,
I get requests like:
/forum/index.php?PHPSESSID=a93e99e5fddf254eeab23bd5b9725579; HTTP/1.1
/frm/index.php?PHPSESSID=234f4650986e927142bf23c33d807ee6;topic=137.new HTTP/1.1
/frm/index.php?PHPSESSID=234f4650986e927142bf23c33d807ee6;board=10.0 HTTP/1.1
/forum/index.php?PHPSESSID=77d5ed1dfdb8dc18e8e3b61ff7896c1c;topic=9.new HTTP/1.1
/forum/index.php?PHPSESSID=44739390b8bc8980c9fccf0606fb5c79;topic=9.new HTTP/1.1
and they are all blocked with:
Access denied with code 406. Pattern match "!^[0-9a-f]*$" at ARG("PHPSESSID")
How do I add ; to the argument separators?
Awaiting answers. Have a nice day.
--
SubZero
|
|
From: Tom A. <tan...@oa...> - 2006-03-20 15:49:58
|
Sub Zero wrote:
> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
> ARG("PHPSESSID")
>
> How do I add ; to the argument separators?
Put in the character set "!^[0-9a-f;]*$"
Tom
|
|
From: Sub Z. <Su...@su...> - 2006-03-20 16:16:51
|
>> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>> ARG("PHPSESSID")
>>
>> How do I add ; to the argument separators?
>
> Put in the character set "!^[0-9a-f;]*$"
Is this an internal bug of mod_security? Can't I define ; as an argument
separator like &?
Tom, you can see that adding ; to the character set will not fix those issues
(because of other parameters in the url like board=10.0 or topic=9.new or
etc) but open more PHPSESSID security vulnerabilities.. I also do not want
to extend a-f to another character set...
|
|
From: Tom A. <tan...@oa...> - 2006-03-20 17:00:19
|
Sub Zero wrote:
>>>Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>>>ARG("PHPSESSID")
>>>
>>>How do I add ; to the argument separators?
>>
>>Put in the character set "!^[0-9a-f;]*$"
>
>
> Is this an internal bug of mod_security? Can't I define ; as an argument
> separator like &?
>
> Tom, you can see that adding ; to the character set will not fix those issues
> (because of other parameters in the url like board=10.0 or topic=9.new or
> etc) but open more PHPSESSID security vulnerabilities.. I also do not want
> to extend a-f to another character set...
I see. I hadn't realized semicolons were valid separators. It would
seem that the mod_security argument parsing needs to be modified, as
semicolons appear to be RFC-compliant and W3C-recommended separators.
http://www.freesoft.org/CIE/RFC/1808/index.htm
http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2
http://www.w3.org/QA/2005/04/php-session
Tom
|
|
From: Terry D. <tdo...@na...> - 2006-03-20 18:07:25
|
Tom Anderson wrote:
> I see. I hadn't realized semicolons were valid separators. It would
> seem that the mod_security argument parsing needs to be modified, as
> semicolons appear to be RFC-compliant and W3C-recommended separators.
>
> http://www.freesoft.org/CIE/RFC/1808/index.htm
> http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2
> http://www.w3.org/QA/2005/04/php-session
I was reading much the same docs prior to posting a "Why are you using a ;
as a query separator?" response...
The SGML encoding headache is a fair point. Storing the text "&" inside,
for instance, an XML file that is parsed and then displayed in a browser can
leave you having to double escape it as "&amp;amp;". (I believe there are
several support groups who help people recover from this sort of trauma)
1.9.2 seems to hardcode the "&" character in a couple of places. (is the
separator normalised at some point?) Is it possible to defer to an outside
authority for the accepted separator characters by the time mod_sec has hold
of the query?
If it's possible to alternate between characters in a single request, I
imagine that this could be used to evade certain rules in much the same way
as the v0/v1 cookie parsing pitfall:
scripts/script.php?first=1&second=2;payload=evilcode&third=3...
Terry.
> Tom
|
|
From: Ivan R. <iv...@we...> - 2006-03-20 21:07:32
|
Sub Zero wrote:
>>> Access denied with code 406. Pattern match "!^[0-9a-f]*$" at
>>> ARG("PHPSESSID")
>>>
>>> How do I add ; to the argument separators?
>> Put in the character set "!^[0-9a-f;]*$"
>
> Is this an internal bug of mod_security? Can't I define ; as an argument
> separator like &?
I wouldn't call it a bug. It's more like a missing feature.
> Tom Anderson wrote:
>
> I see. I hadn't realized semicolons were valid separators. It would
> seem that the mod_security argument parsing needs to be modified, as
> semicolons appear to be RFC-compliant and W3C-recommended separators.
>
> http://www.freesoft.org/CIE/RFC/1808/index.htm
BTW, the RFC you cited does not define the contents of the
query parameter. The semicolons refer to path parameters, which
are different (and, as far as I know, not used in HTTP).
> http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2
Recommendations like that are seldom helpful. Standards
need to be *very* clear about encodings, with no room
for interpretation. Otherwise we get in a mess, like,
for example, with the cookies specifications.
Tom Anderson wrote:
> 1.9.2 seems to hardcode the "&" character in a couple of places.
It does. I'll probably add support for this feature in the
next release.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
|
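The separator mismatch discussed in this thread, as an added example (not code from any poster or from ModSecurity itself): it parses the same query string once splitting only on "&", as the thread says 1.9.2 does, and once on "&" and ";", as a hypothetical backend application might, then reports where the two views disagree. The function names parse_args and compare_views are assumptions made for this illustration.

```python
import re

# The rule from the thread: PHPSESSID must consist of lowercase hex digits only.
SESSID_OK = re.compile(r"^[0-9a-f]*$")

def parse_args(query, separators="&"):
    """Split a raw query string into (name, value) pairs on the given separators."""
    pairs = []
    for chunk in re.split("[" + re.escape(separators) + "]", query):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs

def compare_views(query):
    """Compare the '&'-only parse with the '&' + ';' parse of one query string."""
    waf_view = parse_args(query, "&")    # separator hardcoded, per the thread
    app_view = parse_args(query, "&;")   # assumed backend that also splits on ';'
    waf_names = {name for name, _ in waf_view}
    return {
        "waf_view": waf_view,
        "app_view": app_view,
        # True when the PHPSESSID rule would deny the request under the '&'-only parse
        "sessid_blocked": any(
            name == "PHPSESSID" and not SESSID_OK.match(value)
            for name, value in waf_view
        ),
        # Arguments the backend receives that the '&'-only parse never names,
        # so a per-argument rule cannot be matched against them
        "unseen_by_waf": [name for name, _ in app_view if name not in waf_names],
    }

# Constructed samples: the first is the query of a request quoted in the thread,
# the second is the query from Terry's mixed-separator URL.
SAMPLES = [
    "PHPSESSID=44739390b8bc8980c9fccf0606fb5c79;topic=9.new",
    "first=1&second=2;payload=evilcode&third=3",
]

if __name__ == "__main__":
    for q in SAMPLES:
        result = compare_views(q)
        print(q)
        print("  '&' only :", result["waf_view"])
        print("  '&' + ';':", result["app_view"])
        print("  PHPSESSID rule fires:", result["sessid_blocked"])
        print("  args not seen by '&'-only parse:", result["unseen_by_waf"])
```

A non-empty unseen_by_waf list is the condition worth logging or denying: it means the filter and the application disagree about what the arguments are, which produces both the false positive in the first sample and the missed argument in the second.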