owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

validate_quotes and flag_invalid_quoting #41

Closed kearva closed 11 years ago

kearva commented 11 years ago

validate_quotes in apache2/msc_multipart.c will set flag_invalid_quoting if a filename contains a single quote.

A request with the following header will set flag_invalid_quoting.

Content-Disposition: form-data; name="userfile"; filename="AS'4360.pdf"

This header is correct and valid according to RFC 2045, RFC 2183 and RFC 822.
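Added example, not part of this issue or of ModSecurity's own code: a small Python parser that follows the RFC 2183 parameter grammar (value = token / quoted-string), run against the header above and two constructed malformed variants, next to a check that mimics the single-quote rule this report describes. Function names, the `classify` result shape and the sample headers are my own; it shows that the reported header parses cleanly under the RFC grammar and is still flagged by the quote check.

```python
import re

# RFC 2183 parameter grammar (on RFC 2045 / RFC 822): parameter = attribute "=" value,
# value = token / quoted-string. A single quote is an ordinary character in both,
# so filename="AS'4360.pdf" is well-formed. Token chars use the RFC 7230 tchar set,
# which excludes every RFC 2045 tspecial (double quote, semicolon, and so on).
_TOKEN = r"[!#$%&'*+\-.0-9A-Z^_`a-z{|}~]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_PARAM = re.compile(r'\s*;\s*(' + _TOKEN + r')=(' + _QUOTED + r'|' + _TOKEN + r')')

def parse_content_disposition(value):
    """Return (disposition type, {attribute: value}), or None when the parameter
    list is malformed: an unbalanced double quote, a quote inside a bare token,
    or anything else that is not a ';attr=value' sequence."""
    value = value.strip()
    m = re.match(_TOKEN, value)
    if not m:
        return None
    disp, pos, params = m.group(0).lower(), m.end(), {}
    while pos < len(value):
        pm = _PARAM.match(value, pos)
        if not pm:
            return None
        attr, raw = pm.group(1).lower(), pm.group(2)
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # drop quotes, undo quoted-pairs
        params[attr] = raw
        pos = pm.end()
    return disp, params

def hardcoded_quote_check(filename):
    """The behaviour the issue reports: any single quote in the filename is flagged."""
    return "'" in filename

def classify(header):
    """Compare the grammar-based parse with the single-quote check for one header."""
    parsed = parse_content_disposition(header)
    if parsed is None:
        return {"rfc_valid": False, "flagged": True, "filename": None}
    filename = parsed[1].get("filename", "")
    return {"rfc_valid": True, "flagged": hardcoded_quote_check(filename),
            "filename": filename}

# Constructed sample values: the header from the issue plus two malformed variants.
SAMPLES = {
    "issue": "form-data; name=\"userfile\"; filename=\"AS'4360.pdf\"",
    "unterminated": 'form-data; name="userfile"; filename="report.pdf',
    "bare_quote": 'form-data; name="userfile"; filename=re"port.pdf',
}
```

Running `classify` over `SAMPLES` gives `rfc_valid: True` only for the issue's header, while `flagged` is `True` for all three, which is the false positive the report describes.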

brenosilva commented 11 years ago

Yes. We expected to see false positives with this flag. However, this is necessary since we had cases where people tried to attack apps by sending SQLi data inside filename=.

We cannot remove this check because the multipart code is not being checked by the RuleEngine. This is how mod_security was designed. You could try adding some exceptions to deal with this false positive.

brenosilva commented 11 years ago

I'm adding new variables MULTIPART_FILENAME and MULTIPART_NAME. I think we can update the CRS to use those variables and remove this check in the future.

brenosilva commented 11 years ago

Done. However, before removing this check we must update the CRS and see if the rules will do the job. I will check with Ryan (CRS lead) whether he can update it for 2.7.3 or not.