[Owasp-modsecurity-core-rule-set] [mod-security-users] base rules phpids
Timothy Legge
timlegge at gmail.com
Wed Feb 17 10:28:48 EST 2010
Hi
I have tracked down in the regex what matches. If I understand regex
at all, it seems to be matching on
(?:\w{2,}\s*=\s*\d+[^&\w]\w+)
which matches a word of two or more characters followed by an equals
sign followed by digits.
So selections=5-O matches but selections="5-O" would not.
Should I simply tell our web developers that the values should have
quotes around them or is there a bigger issue that I am missing?
Tim
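To check which alternative of the full phpids-23 pattern fires on the values in the audit log, here is an added Python example (not from the thread or from the CRS project). The five alternatives are copied from the pattern in the log, with only the literal `[` inside the character classes escaped for Python's re module; apart from the two "selections" values from the log, the sample values are constructed.

```python
import re

# The five top-level alternatives of CRS rule phpids-23, taken from the
# pattern in the audit log; the literal '[' inside the two character classes
# is escaped so Python's re module does not warn about nested sets.
PHPIDS_23_BRANCHES = [
    r"\.\s*\w+\W*=",
    r"\W\s*(?:location|document)\s*\W[^({\[;]+[({\[;]",
    r"\(\w+\?[:\w]+\)",
    r"\w{2,}\s*=\s*\d+[^&\w]\w+",
    r"\]\s*\(\s*\w+",
]

# Recombine the branches into one pattern, each in a named group, so that
# Match.lastgroup tells us which alternative actually matched.
PHPIDS_23 = re.compile(
    "|".join(f"(?P<b{i}>{b})" for i, b in enumerate(PHPIDS_23_BRANCHES, 1))
)


def phpids23_branch(payload: str):
    """Return (branch number, matched text) for the leftmost match in payload,
    or None when phpids-23 would not fire at all.  The matched text is what
    ModSecurity reports in the [data "..."] field of the audit log."""
    m = PHPIDS_23.search(payload)
    if m is None:
        return None
    return int(m.lastgroup[1:]), m.group(0)


if __name__ == "__main__":
    # Constructed request-body fragments; only the first two come from the log.
    samples = [
        "selections=5-O",      # the false positive reported in the thread
        'selections="5-O"',    # the quoted form: no digit follows the '='
        "price=10-20",         # another benign word=digits-word value
        "id=5&page=2",         # '&' is excluded, so ordinary form fields pass
    ]
    for s in samples:
        print(f"{s!r:22} -> {phpids23_branch(s)}")
```

Branch 4 is the only one that matches the two values from the log, and the quoted form matches none of the five, which is why quoting the value avoids this rule; it does not, however, change what the other four alternatives look for.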
Hi
On Wed, Feb 17, 2010 at 10:02 AM, Ryan Barnett <Ryan.Barnett at breach.com> wrote:
> If you look in the audit log for transaction, the "data" field in the Message line will tell you what portion of the payload matched the regex.
It is matching on:
[data "selections=5-O"] and [data "selections=5-o"]
Message: Pattern match
"(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)"
at REQUEST_BODY. [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "123"] [id "phpids-23"] [msg "Detects JavaScript
location/document property access and window access obfuscation"]
[data "selections=5-O"] [severity "CRITICAL"] [tag "WEB_ATTACK"]
Message: Pattern match
"(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)"
at REQUEST_BODY. [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_phpids_filters.conf"]
[line "123"] [id "phpids-23"] [msg "Detects JavaScript
location/document property access and window access obfuscation"]
[data "selections=5-o"] [severity "CRITICAL"] [tag "WEB_ATTACK"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file
"/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"]
[line "41"] [msg "Transactional Anomaly Score (score 40): Detects
JavaScript location/document property access and window access
obfuscation"]