doudiewen9435 2014-10-30 17:24
浏览 54

删除或重复的非单词字符,如HTML textarea中的换行符,会导致modsecurity出错

I need a little help with the removal or repetitive non-word characters like line breaks in a HTML textarea that cause errors in modsecurity. I'm making a simple HTML form with a textarea that visitors can fill in:

  Your question:<br>
  <textarea name="question" cols=100 rows=8></textarea>

Next, I'm using gen_validatorv4.js to validate the input

frmvalidator.addValidation("question","maxlen=800", "Max length is 800 characters");

The form action on submit is a script contact-form-handler.php which does the following:

$question = $_POST['question'];

My problem is that when the customer enters multiple line breaks (Enter, Return) Modsecurity returns an error that access to contact-form-handler.php is denied: 

Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:bericht. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "155"] [id "960024"] [rev "2.2.5"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "\x0d\x0a\x0d\x0a"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1414686989441629 117554 (- - -)
Stopwatch2: 1414686989441629 117554; combined=91683, p1=11515, p2=79432, p3=0, p4=0, p5=731, sr=815, sw=5, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache/2.2.22 (Debian)

I tried with a second (dummy) textarea that isn't even processed in the php script, nevertheless modsecurity blocks access to the script. When the multiple line breaks are removed, the form is successfully processed and sent with msmtp.

Rather than alleviating the modsecurity rules (don't know how to do that either) I feel more like removing multiple line breaks (and spaces) in the HTML contact form before it is processed by the php script. I found some guidelines to do so with the following javascript format:

txt = txt.replace(/(
|
|)/gm," ");

but I miss the knowledge to feed "question" into this command and then make it available for the php command $question = $_POST['question'];

Can anyone help?

  • 写回答

2条回答 默认 最新

  • dongwei1855 2014-10-31 08:00
    关注

    do not try to remove the line breaks. That is a hack and does not address the problem. To address the problem you need to make custom changes to the modsecurity owasp core rules. If you do not know how to do this talk to your administrator. If you want to learn about modsecurity buy https://www.feistyduck.com/books/modsecurity-handbook/

    Here is what we do for example - we change the regex from "\W{4,}" to "\W{6,}" by disabling the rule and then adding it again:

    SecRuleRemoveByID 960024
SecRule ARGS "\W{6,}" "phase:2,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"

    But maybe you want to disable the rule just for this specific URL:

    SecRule REQUEST_URI "@beginsWith /your/url/to/the/php/script" "phase:1,t:none,pass,id:'5000',nolog,ctl:ruleRemoveById=960024"

    Hope this helps, Ronald

    评论

报告相同问题?

悬赏问题

  • ¥15 stm32代码移植没反应
  • ¥15 matlab基于pde算法图像修复,为什么只能对示例图像有效
  • ¥100 连续两帧图像高速减法
  • ¥15 组策略中的计算机配置策略无法下发
  • ¥15 如何绘制动力学系统的相图
  • ¥15 对接wps接口实现获取元数据
  • ¥20 给自己本科IT专业毕业的妹m找个实习工作
  • ¥15 用友U8:向一个无法连接的网络尝试了一个套接字操作,如何解决?
  • ¥30 我的代码按理说完成了模型的搭建、训练、验证测试等工作(标签-网络|关键词-变化检测)
  • ¥50 mac mini外接显示器 画质字体模糊