owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Look more at base64 decoding #309

Closed rcbarnett-zz closed 11 years ago

rcbarnett-zz commented 11 years ago

MODSEC-156: Apache seems to use RFC-4648 base64, but HTTP (at least Basic Auth) is supposed to use the more relaxed MIME implementation (RFC-2045) which allows ignoring invalid characters.

While the current base64 decoding is fine for parsing fields, it is not adequate for normalizing. Maybe we do need to have another base64 decode routine that will ignore invalid characters?

See:

http://blog.mindedsecurity.com/2010/04/fooling-b64encodepayload-on-wafs-and.html
http://blog.modsecurity.org/2010/04/impedance-mismatch-and-base64.html

rcbarnett-zz commented 11 years ago

Original reporter: brectanus

rcbarnett-zz commented 11 years ago

bpinto: I've created the new decodeBase64Ext tfn function
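The strict-versus-relaxed decoding difference described in the issue (RFC 4648 rejects characters outside the alphabet, RFC 2045 ignores them) and the purpose of the new `decodeBase64Ext` transformation are illustrated by the following added example. It is not ModSecurity's code and not the actual `decodeBase64Ext` implementation; the function names `b64_decode_strict`, `b64_decode_ext` and `decode_to_str` are hypothetical, and the sample inputs are constructed. The point it shows is the one the issue makes: if the WAF normalizes with the strict decoder while the backend uses the relaxed one, the WAF never sees the text the backend will act on, so the normalization step has to use the relaxed decoder.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if the
 * character is not in the RFC 4648 alphabet ('=' padding is handled by
 * the caller). */
static int b64_value(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Shared decoding core. With lenient == 0 any character outside the
 * alphabet (other than '=' padding, which ends the data) aborts with -1,
 * like an RFC 4648 decoder. With lenient == 1 such characters are skipped,
 * like the RFC 2045 behaviour the issue describes for HTTP Basic Auth.
 * Returns the number of bytes written to out, or -1 on error/overflow. */
static long b64_decode_core(const char *in, unsigned char *out,
                            size_t outcap, int lenient) {
    unsigned int acc = 0;   /* bit accumulator, only the low bits matter */
    int bits = 0;           /* number of valid bits currently in acc */
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == '=') break;          /* padding: end of payload */
        int v = b64_value(*p);
        if (v < 0) {
            if (lenient) continue;     /* RFC 2045: ignore invalid char */
            return -1;                 /* RFC 4648: reject input */
        }
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    /* Leftover bits (< 8) are discarded, as in a standard decoder. */
    return (long)n;
}

/* Strict decoder: the behaviour the issue says the current tfn has. */
long b64_decode_strict(const char *in, unsigned char *out, size_t outcap) {
    return b64_decode_core(in, out, outcap, 0);
}

/* Relaxed decoder: the behaviour a decodeBase64Ext-style tfn needs
 * for normalization (hypothetical, not the project's implementation). */
long b64_decode_ext(const char *in, unsigned char *out, size_t outcap) {
    return b64_decode_core(in, out, outcap, 1);
}

/* Convenience wrapper: decode into a NUL-terminated C string.
 * Returns 1 on success, 0 if the chosen decoder rejected the input. */
int decode_to_str(const char *in, int lenient, char *buf, size_t cap) {
    long n = lenient ? b64_decode_ext(in, (unsigned char *)buf, cap - 1)
                     : b64_decode_strict(in, (unsigned char *)buf, cap - 1);
    if (n < 0) { buf[0] = '\0'; return 0; }
    buf[n] = '\0';
    return 1;
}

int main(void) {
    /* Constructed samples: a clean encoding of "Hello, WAF" and the same
     * payload with a newline, a space and a '-' interleaved. */
    const char *clean = "SGVsbG8sIFdBRg==";
    const char *noisy = "SGVs\nbG8s IFdB-Rg==";
    char buf[64];

    decode_to_str(clean, 0, buf, sizeof buf);
    printf("strict, clean : \"%s\"\n", buf);
    printf("strict, noisy : %s\n",
           decode_to_str(noisy, 0, buf, sizeof buf) ? buf : "(rejected)");
    decode_to_str(noisy, 1, buf, sizeof buf);
    printf("ext,    noisy : \"%s\"\n", buf);   /* the text the backend sees */
    return 0;
}
```

Running it shows the strict decoder rejecting the noisy input outright while the relaxed decoder recovers `Hello, WAF`; a rule chain that applies only the strict transformation would therefore inspect nothing for the second request even though the application decodes it fine.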