From: Josue Del Valle <[email protected]>
Date: Wed, 29 Dec 2010 09:47:24 -0600
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: [Owasp-modsecurity-core-rule-set] Access denied code 403 (Multiple Parameters with the same Name)
> Hi,
>
> Our developer has a form which submits 2 inputs with the same name.
> There are 2 check boxes and if he selects one checkbox and submits,
> everything works fine, but if he selects both checkboxes he gets an access
> denied code 403 error.
>
> Can anyone explain how to create an exception so this doesn't happen. I
> have attached the error log.
>
> Please be as detailed as possible because I know little about mod_security.
>
> Thanks in advance for your help.
>
> Regards,
>
> Josue del Valle

Josue,

I would suggest that you upgrade your OWASP CRS package. You are using v2.0.1 and the current version is 2.0.10.

As to your specific issue, the old CRS that you are using issued alerts for HTTP Parameter Pollution (HPP) when there is more than one parameter with the same name. This was a crude attempt at detection as, as you have shown, there are still legitimate scenarios where an app may have multiple params with the same name. In newer CRS, we have moved the HPP rules to the experimental rules files (instead of in the 40 generic attacks file as it is with your version). Additionally, the newer HPP rules don't alert when multiple params have the same name, but instead attempt to concatenate the payloads into a new TX variable that is then inspected by the other attack rules.

If you can't upgrade CRS at this time, I would suggest that you just comment out that rule.

Hope this helps,
Ryan

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
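To make the difference Ryan describes concrete, here is an added Python sketch of the two HPP strategies (this is not CRS's own rule code; the function names, the single stand-in attack signature and the two sample form bodies are constructed for this example). It shows why the old "alert on any duplicate name" rule fires on a legitimate two-checkbox form, and how concatenating the duplicate values into one TX value lets the generic attack rules see a payload that is split across parameters:

```python
import re
from urllib.parse import parse_qsl

# Stand-in for the CRS generic attack rules: one simple signature. Real CRS
# inspects TX values with many more patterns than this (constructed example).
ATTACK_SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)


def parse_params(body):
    """Parse a form-urlencoded body, keeping every occurrence of a repeated
    name in order, the way ModSecurity's ARGS collection does."""
    return parse_qsl(body, keep_blank_values=True)


def old_hpp_alerts(params):
    """Old CRS 2.0.x behaviour as described in the thread: alert on every
    parameter name that appears more than once, whatever its values.
    Returns the set of duplicated names."""
    seen, dupes = set(), set()
    for name, _ in params:
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return dupes


def new_hpp_tx(params, sep=" "):
    """Newer CRS behaviour as described in the thread: no alert on
    duplicates; join all values of each name into one TX value so the
    attack rules inspect the combined payload."""
    tx = {}
    for name, value in params:
        tx.setdefault(name, []).append(value)
    return {name: sep.join(values) for name, values in tx.items()}


def inspect_tx(tx):
    """Run the stand-in attack signature over each concatenated TX value
    and return the names whose combined payload matches."""
    return sorted(n for n, v in tx.items() if ATTACK_SIGNATURE.search(v))


# Constructed sample bodies: a legitimate two-checkbox form and a request whose
# suspicious payload only becomes visible once the duplicate values are joined.
LEGIT_FORM = "notify=email&notify=sms&submit=1"
SPLIT_FORM = "id=1+UNION&id=SELECT+1&submit=1"
```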
