nx_extract cannot generate multiple arguments

GoogleCodeExporter commented 8 years ago

Looks like nx_extract on 0.46-1 release cannot parse the following

2012/05/30 21:04:58 [error] 58822#0: *47 NAXSI_FMT: 
ip=127.0.0.1&server=domain.com&uri=/attachments/do-upload.json&total_processed=6
&total_blocked=5&zone0=BODY|NAME&id0=1310&var_name0=content_data[thread_id]&zone
1=BODY|NAME&id1=1311&var_name1=content_data[thread_id]&zone2=|NAME&id2=1500&var_
name2=upload, client: 127.0.0.1, server: domain.com, request: "POST 
/attachments/do-upload.json?hash=c2f7f734bcFF3b5af4FFa31cf6cf3ac8&content_type=p
ost HTTP/1.1", host: "domain.com"

Original issue reported on code.google.com by unexplai...@gmail.com on 30 May 2012 at 9:10

GoogleCodeExporter commented 8 years ago

Also looks other than .asp* and .ph* extension not supported in rule 1500?
I have tried to white listed above by
Editing the core rules :
MainRule "rx:.ph*|.asp*|.json" "msg:asp/php file upload!" "mz:FILE_EXT" 
"s:$UPLOAD:8" id:1500; 
and on my local rules :
BasicRule wl:1500 "mz:$URL:/attachments/do-upload.json";
but throwing the following error :
Performing sanity check on nginx configuration:
nginx: [emerg] naxsi internal error in wlr_identify. in 
/usr/local/etc/nginx/nginx.conf:80
nginx: [emerg] WhiteList Hash building failed in 
/usr/local/etc/nginx/nginx.conf:80
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

Original comment by unexplai...@gmail.com on 30 May 2012 at 9:36

GoogleCodeExporter commented 8 years ago

Another examples naxsi generating confusing rules for above NAXSI_FMT :

#1 hits on rule 1310 ([, possible js) on url /attachments/do-upload.json from 1 
different peers
#BasicRule wl:1310 "mz:$URL:/attachments/do-upload.json|$BODY_VAR|NAME";
#1 hits on rule 1311 (], possible js) on url /attachments/do-upload.json from 1 
different peers
#BasicRule wl:1311 "mz:$URL:/attachments/do-upload.json|$BODY_VAR|NAME";

$BODY_VAR|NAME what are this?, i have tried :
BasicRule wl:1310 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:NAME";
BasicRule wl:1311 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:NAME";
BasicRule wl:1310 
"mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
BasicRule wl:1311 
"mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
BasicRule wl:1310 
"mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[]" ;
BasicRule wl:1311 
"mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[]" ;
BasicRule wl:1310 
"mz:$URL:/attachments/do-upload.json|$ARGS_VAR:content_data[thread_id]" ;
BasicRule wl:1311 
"mz:$URL:/attachments/do-upload.json|$ARGS_VAR:content_data[thread_id]" ;
BasicRule wl:1310 
"mz:$URL:/attachments/do-upload.json|$ARGS_VAR:content_data[]" ;
BasicRule wl:1311 
"mz:$URL:/attachments/do-upload.json|$ARGS_VAR:content_data[]" ;
BasicRule wl:1310 "mz:$URL:/attachments/do-upload.json" ; //Error - Feature 
request to disable specific rules on specific uri & filenames
BasicRule wl:1311 "mz:$URL:/attachments/do-upload.json" ; //Error - Feature 
request to disable specific rules on specific uri & filenames

None of them works

Original comment by unexplai...@gmail.com on 31 May 2012 at 7:15

GoogleCodeExporter commented 8 years ago

Hi,

There are a few bugs in the whitelist generation function.
I'm rewriting it from scratch, should be done by the end of the week.

Original comment by sephirot...@gmail.com on 31 May 2012 at 8:32

Changed state: Started

GoogleCodeExporter commented 8 years ago

Hello,

While Seb is rewritting the WL generation, I wanted to look at your error with 
rules on FILE_EXT. 

The first issue is that your whitelist is not precise enough. Enough when it's 
obvious, naxsi need to be told about that :

BasicRule wl:1500 "mz:$URL:/attachments/do-upload.json|FILE_EXT";

Then, this was - anyway - broken, now it's fixed in SVN, please let me know if 
it is ok for you !

Original comment by ori...@gmail.com on 3 Jun 2012 at 5:03

GoogleCodeExporter commented 8 years ago

Yes thanks, now it the rules may applied but strange things is the BODY|NAME 
still appear :

2012/06/03 19:11:32 [error] 77806#0: *1 NAXSI_FMT: 
ip=127.0.0.1&server=domain.com&uri=/attachments/do-upload.json&total_processed=1
&total_blocked=1&zone0=BODY|NAME&id0=1310&var_name0=content_data[thread_id]&zone
1=BODY|NAME&id1=1311&var_name1=content_data[thread_id], client: 127.0.0.1, 
server: domain.com, request: "POST 
/attachments/do-upload.json?hash=adfe77e3da0ad6e95a288d2fed96acb6&content_type=p
ost HTTP/1.1", host: "domain.com"

I have already applied this rules :
BasicRule wl:1310 
"mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
BasicRule wl:1311 
"mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
BasicRule wl:1310 
"mz:$URL:/attachments/do-upload.json|$ARGS_VAR:content_data[thread_id]" ;
BasicRule wl:1311 
"mz:$URL:/attachments/do-upload.json|$ARGS_VAR:content_data[thread_id]" ;
BasicRule wl:1500 "mz:$URL:/attachments/do-upload.json|FILE_EXT";

And naxsi still complained, does this is also reside on the naxsi core which 
currently being work on with seb?

Original comment by unexplai...@gmail.com on 3 Jun 2012 at 7:15

GoogleCodeExporter commented 8 years ago

any news about the new generator?

Original comment by unexplai...@gmail.com on 9 Jun 2012 at 8:50

GoogleCodeExporter commented 8 years ago

Hi, it has been fixed in SVN, can you please give it a try ?
It will be included in 0.48 (which is late :p)

Original comment by ori...@gmail.com on 16 Jul 2012 at 4:00

GoogleCodeExporter commented 8 years ago

I've been bitten by a similar bug (I call this a bug as I simply used naxsi's 
Wiki example) and solved it using the following syntax:

BasicRule wl:1000 "mz:URL|$URL:/wp/wp-admin/update-core.php";

Original comment by emile.he...@gmail.com on 30 Dec 2012 at 11:26

GoogleCodeExporter commented 8 years ago

Original comment by ori...@gmail.com on 13 Mar 2013 at 8:57

Changed state: Verified

ReJeCtAll / naxsi

nx_extract cannot generate multiple arguments #32