[Owasp-modsecurity-core-rule-set] WHY Rule "950109" matches for ARG "passed_id=81" ?

Luís Miguel dos Reis Oliveira e Silva luis.silva at axiomasoft.pt
Tue Nov 2 12:14:10 EDT 2010


Hello,

I'm sorry to bring this up again, but my questions didn't get an answer, so I still think these rules are prone to false positives.

As a new release of the rules is coming out soon, I thought I should bring this up for discussion again.

Shouldn't rules 950107, 950109 and 950108 be rewritten to be something more like this: "\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%u[0-9a-fA-F]{4}(?![0-9a-fA-F])"? Like they are now, "%1" would match and, unless I missed the point on what the rules should do, this would be a false positive, am I right?

Thanks and sorry for all the noise.
Luís Silva

Quoting "Luís Silva" <luis.silva at axiomasoft.pt>:

> Hello,
>
> On Wed, 2010-09-08 at 10:16 -0500, Ryan Barnett wrote:
>
>> On 9/8/10 10:44 AM, "Dirk Caspari" <d.caspari at eurodata.de> wrote:
>>
>> > --411a3f76-B--
>> > GET /src/read_body.php?mailbox=INBOX&passed_id=81&startMessage=1 HTTP/1.1
>> > Host: xxx.xxxxxxxx.de
>> > User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.9.2.3)
>> > Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
>> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> > Accept-Language: de-DE,de;q=0.8,de-de;q=0.6,en-us;q=0.4,en;q=0.2
>> > Accept-Encoding: gzip,deflate
>> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> > Keep-Alive: 115
>> > Connection: keep-alive
>> > Referer:
>> > https://xxx.xxxxxxxxx.de/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1[1]
>> > &mailbox=INBOX
>> > Cookie: xxxxx
>> >
>> >
>> > --411a3f76-H--
>> > Message: Pattern match "\%(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}" at
>> > ARGS:passed_id. [file
>> > "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_20_protocol_violations
>> > .conf"]
>> > [line "185"] [id "950109"] [rev "2.0.8"] [msg "Multiple URL Encoding
>> > Detected"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/EVASION"]
>> > Message: Warning. Operator LT matched 20 at TX:inbound_anomaly_score.
>> > [file
>> > "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_60_correlation.conf"]
>> > [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=,
>> > XSS=): Multiple URL Encoding Detected !
>> > %{matched_var_name}=%{matched_var} !"]
>> >
>> > Thanks.
>> >   D I R K
>> >
>> >
>> >
>>
>> Hmm.. Looks like the previous version in SVN was missing the parentheses in
>> the RegEx.  Use this latest version -
>>
>> http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_rules/modsecurity_crs_20_protocol_violations.conf?revision=1535[2]
>>
>>
>
> The regular expression in rules 950107, 950109 and 950108 shouldn't
> instead be something like "\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%u[0-9a-fA-F]{4}(?![0-9a-fA-F])"?
> The expression provided will still match for example "%1" and, unless I
> missed the point on what the rules should do, this would be a false
> positive.
>
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set[3]
>>
>
> Thanks,
> Luís
>


Links:
------
[1] https://xxx.xxxxxxxxx.de/src/right_main.php?PG_SHOWALL=0&sort=0&startMessage=1
[2] http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/base_r
[3] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
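The thread above argues about three variants of the 950109 regex by hand. As an added example (not part of this thread and not code from the CRS project), the Python script below runs all three against a few constructed argument values so the false-positive cases can be checked mechanically. The "grouped" pattern is my reading of the "missing parentheses" fix the reply mentions (the quoted alternatives wrapped in a group behind the `%`); it is an assumption, not a copy of what the repository revision contains. The values are what ModSecurity sees in ARGS, i.e. after its own single round of URL decoding, which is why a surviving `%NN` or `%uNNNN` is the double-encoding signal the rule looks for.

```python
import re

# Three candidate patterns for CRS rule 950109 ("Multiple URL Encoding Detected").
# They run against ARGS, which ModSecurity has already URL-decoded once, so a
# '%NN' or '%uNNNN' that survives decoding suggests the client encoded it twice.
PATTERNS = {
    # The pattern exactly as quoted in the alert: the alternation is at the top
    # level, so a bare hex pair such as "81" matches with no '%' present at all.
    "quoted_in_alert": r"\%(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}",
    # The same alternatives grouped behind the '%'. ASSUMED reading of the
    # "missing parentheses" fix from the reply; not copied from the repository.
    "grouped": r"\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})",
    # The stricter form proposed in the message: exactly two (or, after 'u',
    # exactly four) hex digits that are not followed by another hex digit.
    "proposed": r"\%[0-9a-fA-F]{2}(?![0-9a-fA-F])|\%u[0-9a-fA-F]{4}(?![0-9a-fA-F])",
}

COMPILED = {name: re.compile(pattern) for name, pattern in PATTERNS.items()}


def matches(name, value):
    """True if candidate pattern `name` fires on a once-decoded argument value."""
    return COMPILED[name].search(value) is not None


def evaluate(value):
    """Map every candidate pattern name to whether it fires on `value`."""
    return {name: matches(name, value) for name in PATTERNS}


# Constructed once-decoded ARGS values; not taken from a real audit log.
SAMPLES = [
    "81",       # the passed_id value behind the reported false positive
    "%1",       # a lone '%' followed by a single digit, the case raised above
    "%41",      # '%2541' on the wire: 'A' URL-encoded twice
    "%u0041",   # '%25u0041' on the wire: an IIS-style %u sequence encoded twice
    "%411",     # three hex digits after '%': only the lookahead variant stays silent
    "50% off",  # '%' followed by a space, as in ordinary text
    "100%",     # trailing '%'
]

if __name__ == "__main__":
    print(f"{'value':<10}" + "".join(f"{name:>18}" for name in PATTERNS))
    for value in SAMPLES:
        result = evaluate(value)
        print(f"{value!r:<10}" + "".join(f"{str(result[n]):>18}" for n in PATTERNS))
```

Running it shows the point of the thread: the ungrouped pattern fires on "81", "50% off" and "100%" because the hex-pair alternative needs no `%` at all; the grouped form stops those but still fires on "%1", because its first alternative only requires that the `%` is followed by any word character; the proposed form fires only on "%41" and "%u0041". The trade-off a rule maintainer would weigh is the last sample: the negative lookahead in the proposed pattern also stays silent on "%411", a value where two hex digits follow a `%` but are themselves followed by a third, so the stricter pattern trades a little coverage for fewer alerts on plain text.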

