Resurrecting this. I’m sure the arg value is being passed from the browser intact, because it show up in the database in one piece, and because Firefox reports that it is being sent in the Developer/Network view.
I’ve attempted switching back from anomaly scoring mode to one-strike-you’re-out, and am still getting the problem. Should I being having this conversation with whoever puts out the Windows port of modsecurity? Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10 From: Colin MacAllister<mailto:cmacallis...@probono.net> Sent: Thursday, May 5, 2016 2:39 PM To: OWASP List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: [Owasp-modsecurity-core-rule-set] arg name not resolving for large post value Hi, all, As I fine-tune my CMS not to bark at me for valid traffic, I’ve come upon the following problem. When a rule matches (in anomaly scoring mode, haven’t tested the other way) sometimes part of the value of the argument the will come through as the argument name, not the name itself, in this case, “Blurb.” ARGS_NAMES:rc is knowledgeable, experienced, empathetic, and kind… [followed by a chunk of the rest of the arg value] I checked it in the inspector, and indeed the ARG_NAME should be “Blurb”. As it is coming through, of course, it is impossible to check for, as it is variable. It might be possible to whitelist the last part of the URL path, but I’d rather not. Have I found a bug? See the snippet from the audit log I attached to this email.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
