[Owasp-modsecurity-core-rule-set] Access denied code 403 (Multiple Parameters with the same Name)
Josue Del Valle
jodelvalle at braishfield.com
Wed Dec 29 11:05:11 EST 2010
Sounds like upgrading is the best option.
Josue del Valle
From: Ryan Barnett [mailto:RBarnett at trustwave.com]
Sent: Wednesday, December 29, 2010 10:58 AM
To: Josue Del Valle; owasp-modsecurity-core-rule-set at lists.owasp.org
Cc: mod-security-users at lists.sourceforge.net
Subject: Re: [Owasp-modsecurity-core-rule-set] Access denied code 403 (Multiple Parameters with the same Name)
From: Josue Del Valle <jodelvalle at braishfield.com>
Date: Wed, 29 Dec 2010 09:47:24 -0600
To: "owasp-modsecurity-core-rule-set at lists.owasp.org"
<owasp-modsecurity-core-rule-set at lists.owasp.org>
Cc: "mod-security-users at lists.sourceforge.net"
<mod-security-users at lists.sourceforge.net>
Subject: [Owasp-modsecurity-core-rule-set] Access denied code 403 (Multiple Parameters with the same Name)
>Our developer has a form which submits 2 inputs with the same name.
>There are 2 check boxes and if he selects one checkbox and submits,
>everything works fine, but if he selects both checkboxes he gets an access
>denied code 403 error.
>Can anyone explain how to create an exception so this doesn't happen? I
>have attached the error log.
>Please be as detailed as possible because I know little about mod_security.
>Thanks in advance for your help.
>Josue del Valle
I would suggest that you upgrade your OWASP CRS package. You are using
v2.0.1 and the current version is 2.0.10. As to your specific issue, the
old CRS that you are using issued alerts for HTTP Parameter Pollution
(HPP) when there is more than one parameter with the same name. This was
a crude attempt at detection since, as you have shown, there are still
legitimate scenarios where an app may have multiple params with the same
name. In newer CRS, we have moved the HPP rules to the experimental rules
files (instead of in the 40 generic attacks file as it is with your
version). Additionally, the newer HPP rules don't alert when multiple
params have the same name, but instead attempt to concatenate the payloads
into a new TX variable that is then inspected by the other attack rules.
If you can't upgrade CRS at this time, I would suggest that you just
comment out that rule.
Hope this helps,
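The difference Ryan describes between the old and the newer HPP handling, modelled in Python as an added example (this is not CRS or ModSecurity code). The checkbox form, the field names, the stand-in attack regexes and the separator used to join repeated values are all constructed assumptions for illustration.

```python
# Added example (not CRS or ModSecurity code): a Python model of the two HPP
# behaviours described in the reply. The field names, the attack regexes and
# the join separator are constructed/assumed for illustration only.
import re
from collections import OrderedDict
from urllib.parse import parse_qsl

# Constructed stand-in for the "other attack rules" that inspect a payload.
ATTACK_PATTERNS = [re.compile(r"union\s+select", re.I),
                   re.compile(r"<script\b", re.I)]

def group_args(query):
    """Parse a query string, keeping every value of a repeated name in order."""
    groups = OrderedDict()
    for name, value in parse_qsl(query, keep_blank_values=True):
        groups.setdefault(name, []).append(value)
    return groups

def inspect_values(query):
    """Per-value inspection only: each ARGS value is matched on its own."""
    return [(name, pat.pattern)
            for name, values in group_args(query).items()
            for value in values for pat in ATTACK_PATTERNS if pat.search(value)]

def old_hpp_rule(query):
    """CRS 2.0.1 behaviour: alert on any name that appears more than once,
    which is exactly what fires on the two-checkbox form."""
    return [name for name, values in group_args(query).items() if len(values) > 1]

def new_hpp_rule(query):
    """Newer experimental behaviour: never alert on repetition itself; join the
    repeated values into a TX-style variable and inspect that joined payload."""
    tx = {}
    for name, values in group_args(query).items():
        if len(values) > 1:
            tx["tx.hpp_" + name] = " ".join(values)  # separator is an assumption
    return [(var, pat.pattern) for var, payload in tx.items()
            for pat in ATTACK_PATTERNS if pat.search(payload)]

if __name__ == "__main__":
    # Constructed inputs: the two-checkbox form from the question, and a value
    # that is harmless per parameter but matches once the values are joined.
    CHECKBOXES = "opt=alpha&opt=beta"
    SPLIT = "q=union&q=select"
    print(old_hpp_rule(CHECKBOXES), new_hpp_rule(CHECKBOXES))  # ['opt'] []
    print(inspect_values(SPLIT), new_hpp_rule(SPLIT))
```

The two-checkbox form trips only the old rule, while the joined TX-style payload is what lets the newer approach keep inspecting repeated parameters without a blanket alert.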