Colin,

On Mon, May 16, 2016 at 03:20:17PM +0000, Colin MacAllister wrote:
> (Sent my payload to Christian offline.)

Thank you for the entire payload and the audit.log. The payload has 8833 bytes. The Content-Length request header announces 3451 bytes. The request body (as written to the audit log) contains 3459 bytes. The request body starts at an arbitrary position on line 72 of your payload and runs up to the end of the payload.

I have a strong feeling that your client is buggy. The mismatch in request header and request body is troubling. In your position, I would now unload the ModSec module and try anew for a test. If this works without ModSecurity, then you have a bug in ModSecurity for IIS. Otherwise, it's really the client.

Ahoj,

Christian

> One thing I should add is that for every rule ID I intend to circumvent I
> have a few lines like this:
> SecRuleUpdateTargetById 950018
> "!ARGS:'/text|Blurb|myxml|MailMessage|BodyField|TextEmail /'"
> ... with the 2 subsequent lines including other arguments to ignore.
>
> -----Original Message-----
> From: Christian Folini [mailto:christian.fol...@netnea.com]
> Sent: Friday, May 13, 2016 2:40 PM
> To: Colin MacAllister <cmacallis...@probono.net>
> Cc: OWASP CRS Mailing List <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] arg name not resolving for large post value
>
> On Fri, May 13, 2016 at 06:28:52PM +0000, Colin MacAllister wrote:
> > The payload is not correct. The initial payload is something like "blurb=A
> > stitch in time saves nine", but what comes through is just "ime saves
> > nine", and mod security tries to interpret that as one of the argnames
> > instead of "blurb". I'm pretty sure this isn't by design.
>
> Thanks for pointing this out, Colin. Please provide the exact and complete
> payload. I think it really matters in order to reproduce this issue.
>
> Ahoj,
>
> Christian
>
> --
> Every man takes the limits of his own field of vision for the
> limits of the world.
> -- Arthur Schopenhauer
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
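Since the thread turns on whether the announced Content-Length and the bytes actually sent agree, here is a small added Python check (not code from the thread, from ModSecurity, or from the CRS project) that does what Christian suggests: it splits a raw request, compares the Content-Length header against the body actually present, and then parses the body as form arguments to show how a cut-off body such as "ime saves nine" ends up as an argument name with an empty value. The sample requests, the example.test host and every function name below are constructed for this illustration.

```python
"""Added example (not code from the CRS thread or from ModSecurity): the
Content-Length sanity check Christian describes, plus a look at what a
truncated form body turns into when parsed as ARGS. All requests and
function names are constructed for illustration."""
from urllib.parse import parse_qsl

# Constructed sample body: the "blurb=A stitch in time saves nine" example
# from the thread, form-encoded (33 bytes).
FULL_BODY = b"blurb=A+stitch+in+time+saves+nine"


def build_request(body: bytes, declared_length: int) -> bytes:
    """Assemble a raw HTTP/1.1 POST with an explicitly chosen Content-Length,
    so we can model a client that announces one size and sends another."""
    headers = (
        b"POST /submit HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: %d\r\n\r\n" % declared_length
    )
    return headers + body


# Three constructed requests: consistent, body cut short, body longer than announced.
GOOD_REQUEST = build_request(FULL_BODY, len(FULL_BODY))
TRUNCATED_REQUEST = build_request(FULL_BODY[-14:], len(FULL_BODY))      # "ime+saves+nine"
OVERLONG_REQUEST = build_request(FULL_BODY + b"&extra=1", len(FULL_BODY))  # 8 bytes too many


def split_request(raw: bytes):
    """Split a raw request into (start_line, headers dict with lowercase names, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker (CRLF CRLF) found")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return start_line, headers, body


def content_length_check(raw: bytes):
    """Return (declared, actual, delta): the Content-Length the client announced,
    the number of body bytes actually present, and actual minus declared.
    A missing Content-Length is treated as 0."""
    _, headers, body = split_request(raw)
    declared = int(headers.get("content-length", "0"))
    actual = len(body)
    return declared, actual, actual - declared


def form_args(body: bytes):
    """Parse an application/x-www-form-urlencoded body into (name, value) pairs
    the way a WAF populates ARGS. A fragment with no '=' becomes an argument
    NAME with an empty value, which is exactly the symptom reported in the thread."""
    return parse_qsl(body.decode("latin-1"), keep_blank_values=True)


def diagnose(raw: bytes) -> dict:
    """Combine both checks into one report for a raw request."""
    declared, actual, delta = content_length_check(raw)
    _, _, body = split_request(raw)
    return {"declared": declared, "actual": actual, "delta": delta, "args": form_args(body)}


if __name__ == "__main__":
    for label, raw in [("good", GOOD_REQUEST),
                       ("truncated", TRUNCATED_REQUEST),
                       ("overlong", OVERLONG_REQUEST)]:
        print(label, diagnose(raw))
```

A non-zero delta from content_length_check means the header and the body on the wire disagree, which is the situation in the audit log above (3451 announced, 3459 written); the truncated case shows why a cut-off body makes the rule engine see "ime saves nine" as an argument name rather than as the value of "blurb", so a SecRuleUpdateTargetById exclusion written against ARGS:blurb never matches it.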