13 Apr 2011 16:59
Re: QUERY_STRING parsing error with some clients
Jonathan Marcil <jonathan.marcil <at> pheromone.ca>
2011-04-13 14:59:02 GMT
Yes, sure. In fact I'm using ARGS_GET. If I do SecRule ARGS_GET:amp;myparam2 it works. I'm seeing a lot of entries from bots with that behavior. Since I'm in a positive security model for my project, it's kind of important.

Maybe also the bug comes from the website itself, but one of the reasons that I use ModSecurity is that I can't modify the website in question.

Thanks,

- Jonathan

On 11-04-12 06:41 PM, Ryan Barnett wrote:
> Jonathan,
> Are you using any rules that are accessing specific ARGS by name? If not then this should not really matter.
>
> On Apr 12, 2011, at 6:17 PM, "Jonathan Marcil" <jonathan.marcil <at> pheromone.ca> wrote:
>
>> Hi everyone,
>>
>> On my Linux/Apache webserver, I get some requests with &amp; of this form:
>> "GET /mypath?myparam1=A&amp;myparam2=B HTTP/1.1"
>>
>> I know that the request is malformed and the clients are the problem,
>> but Apache is responding correctly to the request.
>>
>> ModSecurity is parsing this with "amp;myparam" being the name of the
>> parameter. I saw that in a debug output:
>> Adding request argument (QUERY_STRING): name "amp;myparam2", value "B"
>>
>> I've tried some ModSecurity configurations, mostly htmlEntityDecode in
>> phase 1 and 2 without any luck. In fact I'm not sure if I can apply a
>> global transformation at this level that will stick for the QUERY_STRING
>> parsing.
>>
>> I have a workaround, which is to write my rules two times: with ARGS and
>> the QUERY_STRING directly. But this is impractical and is currently
>> making me crazy.
>>
>> Does someone have a solution?
>>
>> Thanks,
>>
>> - Jonathan
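As an added illustration (not code from the thread or from ModSecurity), the following Python reproduces the ordering behind the debug line quoted above: the query string is split on '&' before any entity decoding, so a literal '&amp;' leaves 'amp;' glued to the next argument name, and a per-argument htmlEntityDecode transformation runs too late to change that name. Decoding the whole string before the split restores the expected names, and a small check flags names carrying the 'amp;' prefix, which a positive-model rule on ARGS_GET:myparam2 would otherwise silently miss. The sample query string is constructed to match the request in the thread.

```python
from html import unescape
from urllib.parse import unquote_plus

# Constructed sample matching the request quoted in the thread: the client
# HTML-encoded the '&' separator, so the raw QUERY_STRING contains '&amp;'.
RAW_QUERY_STRING = "myparam1=A&amp;myparam2=B"


def parse_query_string(qs: str) -> dict:
    """Split a raw QUERY_STRING on '&' and '=' and URL-decode each piece,
    the order a web server or WAF uses when building its ARGS collection.
    No HTML entity decoding happens here, so a literal '&amp;' separator
    leaves 'amp;' glued to the next name (the "amp;myparam2" in the log)."""
    args = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        args[unquote_plus(name)] = unquote_plus(value)
    return args


def parse_with_entity_decode(qs: str) -> dict:
    """Undo HTML entity encoding on the *whole* query string before the
    split. A transformation applied per argument cannot achieve this,
    because the argument names are already fixed by the time it runs."""
    return parse_query_string(unescape(qs))


def entity_mangled_names(args: dict) -> list:
    """Return argument names carrying the 'amp;' prefix: evidence that a
    client sent '&amp;' as a separator. Usable as a detection signal for
    the bot traffic described in the thread."""
    return sorted(name for name in args if name.startswith("amp;"))


if __name__ == "__main__":
    raw = parse_query_string(RAW_QUERY_STRING)
    decoded = parse_with_entity_decode(RAW_QUERY_STRING)
    print("raw split     :", raw)      # no argument named "myparam2"
    print("decoded first :", decoded)  # myparam2 == "B"
    print("mangled names :", entity_mangled_names(raw))
```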