Sounds like upgrading is the best option. Thanks Ryan.
Josue del Valle

-----Original Message-----
From: Ryan Barnett [mailto:[email protected]]
Sent: Wednesday, December 29, 2010 10:58 AM
To: Josue Del Valle; [email protected]
Cc: [email protected]
Subject: Re: [Owasp-modsecurity-core-rule-set] Access denied code 403 (Multiple Parameters with the same Name)

From: Josue Del Valle <[email protected]>
Date: Wed, 29 Dec 2010 09:47:24 -0600
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: [Owasp-modsecurity-core-rule-set] Access denied code 403 (Multiple Parameters with the same Name)

> Hi,
>
> Our developer has a form which submits 2 inputs with the same name.
> There are 2 check boxes, and if he selects one checkbox and submits,
> everything works fine, but if he selects both checkboxes he gets an access
> denied code 403 error.
>
> Can anyone explain how to create an exception so this doesn't happen? I
> have attached the error log.
>
> Please be as detailed as possible because I know little about mod_security.
>
> Thanks in advance for your help.
>
> Regards,
>
> Josue del Valle

Josue,

I would suggest that you upgrade your OWASP CRS package. You are using v2.0.1 and the current version is 2.0.10.

As to your specific issue, the old CRS that you are using issued alerts for HTTP Parameter Pollution (HPP) when there is more than one parameter with the same name. This was a crude attempt at detection as, as you have shown, there are still legitimate scenarios where an app may have multiple params with the same name. In newer CRS, we have moved the HPP rules to the experimental rules files (instead of in the 40 generic attacks file as it is with your version). Additionally, the newer HPP rules don't alert when multiple params have the same name, but instead attempt to concatenate the payloads into a new TX variable that is then inspected by the other attack rules.

If you can't upgrade CRS at this time, I would suggest that you just comment out that rule.
Hope this helps,
Ryan
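To make the difference between the two CRS behaviours Ryan describes concrete, here is an added Python illustration (not CRS code, and not a ModSecurity rule) of the two strategies for repeated parameter names: the crude "alert on any duplicate name" check, which trips on a legitimate two-checkbox form, and the newer approach of joining the repeated values into one combined string per name (standing in for the TX variable) that the ordinary attack signatures then inspect. The request bodies, the single `<script` signature, and the choice to join values with no separator are all constructed assumptions for the demonstration.

```python
"""Two ways a WAF can treat repeated parameter names (HTTP Parameter Pollution).
Added illustration; not code from the OWASP Core Rule Set."""
import re
from urllib.parse import parse_qs

# Constructed sample bodies (assumptions, not from the mailing-list thread):
# a legitimate form with two checkboxes sharing one name, and a value split
# across two parameters of the same name.
LEGIT_FORM = "color=red&color=blue&submit=Go"
SPLIT_PAYLOAD = "q=%3Cscr&q=ipt%3E"

# Hypothetical stand-in for the CRS generic attack signatures.
ATTACK_RE = re.compile(r"<script", re.IGNORECASE)


def duplicate_names(body):
    """Return every parameter name that occurs more than once in the body."""
    args = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in args.items() if len(values) > 1)


def crude_hpp_alert(body):
    """Old-CRS-style behaviour: any repeated name is treated as an HPP alert,
    which is exactly what produced the 403 on the two-checkbox form."""
    return bool(duplicate_names(body))


def concatenated_args(body, sep=""):
    """Newer-CRS-style behaviour: join the repeated values into one string per
    name (the equivalent of the TX variable Ryan mentions).  The separator is an
    assumption; it should mirror how the protected back end joins duplicates."""
    args = parse_qs(body, keep_blank_values=True)
    return {name: sep.join(values) for name, values in args.items()}


def inspect_with_concat(body):
    """Run the signature over the combined values and return the names that
    match.  Repeated names alone no longer raise an alert; only the joined
    content does."""
    return sorted(
        name for name, joined in concatenated_args(body).items()
        if ATTACK_RE.search(joined)
    )


if __name__ == "__main__":
    for label, body in (("legit form", LEGIT_FORM), ("split value", SPLIT_PAYLOAD)):
        print(label, "crude alert:", crude_hpp_alert(body),
              "concat match:", inspect_with_concat(body))
```

Running it shows the checkbox form raising the crude alert but passing the concatenation check, while a value that only becomes suspicious once the duplicates are joined is caught by the second strategy alone.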
