[Modsecurity] parameters in LocationMatch

Holm Kapschitzki holm at x-provi.de
Sat Apr 21 15:25:08 EDT 2007 

Hello,

I dont understand, if its possible to use something like the following 
in a LocationMatch directive. I had to make some excludes. For example:

you say in exclude.conf:

#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilterRemove 300013
</LocationMatch>

ok, there is the query string "?name=PNphpBB2&file=posting&mode=reply.*" 
It seems to work.

At the other side this not working for me:

"/admin/content_manager.php?action=edit&coID=10"

Why?  Is it possible to use any query string in a LocationMatch directive?

For example this isnt working, too:

<LocationMatch "/newreply.php?do=postreply&t=.*">
SecFilterRemove 300018
</LocationMatch>

Thats the mod_sec log:

==dd35fa36==============================
Request: example.com 91.0.88.xxx - - [18/Apr/2007:10:20:21 +0200] "POST 
/newreply.php?do=postreply&t=13 HTTP/1.1" 200 0 
"http://example.com/newreply.php?do=postreply&t=13" "Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)" 
wd9NElUKxY8AACawUlMAAAAR "-"
Handler: fcgid-script
----------------------------------------
POST /newreply.php?do=postreply&t=13 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/vnd.ms-powerpoint, 
application/vnd.ms-excel, application/msword, */*
Referer: http://example.com/newreply.php?do=postreply&t=13
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 
1.1.4322)
Host: example.com
Content-Length: 562
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: vblastvisit=1160640450; vblastactivity=0; 
vb3_lastvisit=1160767645; vb3_lastactivity=0; vb3_userid=6; 
vb3_password=cc30d26714e50394e85d332c20886f74; 
vb3_forumpwd=a554eff09b878fba91ab6e280c636d88a-4-%7Bi-164_s-32-.fc7d6804b3f6619af0cff8fa3ff8434e._i-78_s-32-.4f26f1ec7006aa0efdb59b319e41d761._i-39_s-32-.22a465c7c6146799a24324d4e28634e4._i-57_s-32-.f0026f0c01de9be64933ec949ccb1702._%7D; 
vb3_styleid=7; vb3_sessionhash=41d67a1ea19f183040ea8b1c1e1c3a6e
mod_security-message: Warning. Pattern match "!/imp/login\\.php" at 
HEADER("Referer") [id "300018"] [rev "3"] [msg "Generic PHP code 
injection protection via ARGS"] [severity "CRITICAL"]

562
title=&message=something...

HTTP/1.0 301
Cache-Control: private
Pragma: private
Location: http://example.com/showthread.php?p=55266#post55266
Connection: close
Content-Type: text/html; charset=ISO-8859-1
--dd35fa36--

Only this is working:

<LocationMatch "/newreply.php>
SecFilterRemove 300018
</LocationMatch>

greets Holm

More information about the Modsecurity mailing list