search

dahebolangkuan / naxsi

Automatically exported from code.google.com/p/naxsi
Other
0 stars 2 forks source link

nx_extract or naxsi doesn't parse square brackets correctly #46

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Steps to reproduce the problem:
1. Create website with input name with square brackets
<input id="user_param" name="user[param]" />

2. Generate alerts using some forbdden string ")(;", this caused logs such as:
2012/10/09 11:12:38 [error] 19927#0: *1 NAXSI_FMT: 
ip=192.168.0.4&server=example.com&uri=/form&total_processed=2&total_blocked=2&zo
ne0=BODY&id0=1010&var_name0=user%5bparam%5d&zone1=BODY&id1=1308&var_name1=user%5
bparam%5d, client: 192.168.0.4, server: example.com, request: "POST /login 
HTTP/1.1", host: "example.com", referrer: "http://example.com/form"

3. On WEB-interface (nx_extract) "generate whitelist" gives rule whit 
"human-friendly" parametr name:
# total_count:2 (7.39%), peer_count:1 (100.0%) | parenthesis
BasicRule wl:1308 "mz:$URL:/form|$BODY_VAR:user[param]";

4. When adding this rule to rules in nginx rules, this rule doesn't work. There 
are still the same alerts.

5. Rule start to work after change name of argument in rules, from shown above, 
to this (as is shown in error logs):
BasicRule wl:1308 "mz:$URL:/form|$BODY_VAR:user%5bparam%5d";

What is the expected output? What do you see instead?
I'm not sure, I see two possibilities to resolve this issue:
-nx_extract (or nx_intercept) should on web-interface display rules as 
"user%5bparam%5d"
-naxsi should interpret the record "user[param]"

What version of the product are you using? On what operating system?
Ubuntu precise 12.04, nginx 1.1.19 as reverse proxy, naxsi 0.48

Original issue reported on code.google.com by ja.luc...@zhr.pl on 9 Oct 2012 at 10:12

GoogleCodeExporter commented 9 years ago 
Hi !

Thanks for reporting the issue.
We are actually rewritting the whole web interface / interception
mechanism (for 0.49), and this version will include the fix.
I'll try to backport it to current svn version as well.

Thanks for the bug report ;)
ps: seems your way to fix it is right

Original comment by ori...@gmail.com on 11 Oct 2012 at 11:10

GoogleCodeExporter commented 9 years ago 
Hello,

This was reported in 0.49 as expected.

Original comment by ori...@gmail.com on 7 Jan 2013 at 6:02