Interesting. Yes, as Manuel pointed out, %00 is a null char and is forbidden. tl;dr: it is used to indicate the end of a string in C, and as a result languages built on C (like PHP), when provided with it, may treat that as the end of a string even when more is provided.
In any event, this is actually kinda interesting. The problem is a disagreement about how web servers versus modsec will handle the code. Depending on which web server provides the variables and where, it is already URL decoded. For instance Apache. So in this case Apache decoded the variable and turned %25 back into a percent sign before modsec got it. Then CRS's rule 920270 applied t:urlDecodeUni, decoding it again. This led to it detecting a null byte. TO BE CLEAR, PASSING AN ACTUAL NULL BYTE WILL TRIGGER THIS RULE; IT'S THE %25 THAT IS A POSSIBLE PROBLEM. Now there is some logic here. Early Microsoft IIS would do what's known as double decode, but we have other rules to detect that, so there is probably a good reason to open up a ticket and have a discussion about removing that transformation. The problem is going to be that we have to make sure that IIS/Nginx/Apache all behave in the same way, but that isn't your problem, that is ours. Would you mind opening up a GitHub ticket so we can properly attribute this?

On Thu, Jun 8, 2017 at 1:02 PM, Manuel Spartan <spartan...@gmail.com> wrote:
> Hi Ed,
>
> Passwords are often problematic, %00 urldecoded is a null character
>
> Try whitelisting the argument vhost wide if it is everywhere, don't know
> where it may appear or you are feeling lazy
>
> SecRuleUpdateTargetById 920270 "!ARGS:Password"
>
> Or in the affected URIs with
>
> SecRule REQUEST_URI "@beginsWith /createaccount.php" \
>     "id:YOURID,phase:1,t:none,pass,nolog,noauditlog,\
>     ctl:ruleRemoveTargetById=920270;ARGS:Password"
>
> After that add your own rules to validate the length, allowed characters
> and complexity of your passwords.
>
> Regards,
> Manuel
>
>
> On Jun 8, 2017 16:04, "Ed Greenberg" <e...@greenberg.org> wrote:
>
> HI, The full audit report is in a pastebin at:
> https://pastebin.com/neKeAm65
>
> The report is:
>
> Message: Warning. Found 1 byte(s) in ARGS:Password outside range: 1-255.
> [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
> [line "574"] [id "920270"] [rev "2"] [msg "Invalid character in request
> (null character)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity
> "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag
> "platform-multi"] [tag "attack-protocol"] [tag
> "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"]
>
> The Password field in the request is:
>
> &Password=shadow%250057&ConfirmPassword=shadow%250057&
>
> So he's doing password shadow%0057 which feels pretty normal for a person
> to use.
>
> Not sure where the 'null' character might be.
>
> Any ideas?
>

-- 
Chaim Sanders
http://www.ChaimSanders.com
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
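As an added illustration of the decode chain discussed in this thread (example code written for this page, not code from the thread's participants or from the OWASP CRS project): the script below models what rule 920270 sees for the password value from Ed's audit log under two conditions, a single URL decode and the double decode Chaim describes (server decodes once, t:urlDecodeUni decodes again). It assumes t:urlDecodeUni can be modelled as one standard percent-decode (the real transformation also handles %uXXXX sequences, which this ignores) and models @validateByteRange 1-255 as a simple per-byte range check. The inputs are constructed from the wire form quoted in the thread.

```python
"""
Added example (not code from the thread or the OWASP CRS project): a small
model of the transformation chain that makes CRS rule 920270 report a null
byte for the password "shadow%0057".

Assumptions: t:urlDecodeUni is modelled as one standard percent-decode (the
real transformation also decodes %uXXXX, which is ignored here), and
@validateByteRange 1-255 as a byte-by-byte range check.
"""
from typing import Dict, List
from urllib.parse import unquote_to_bytes


def url_decode_once(value: bytes) -> bytes:
    """One pass of percent-decoding: %25 -> b'%', %00 -> b'\\x00'."""
    return unquote_to_bytes(value)


def validate_byte_range(value: bytes, lo: int = 1, hi: int = 255) -> List[int]:
    """Model of @validateByteRange lo-hi: returns the bytes outside the range."""
    return [b for b in value if not lo <= b <= hi]


def evaluate_920270(raw_arg: bytes, server_predecodes: bool) -> Dict[str, object]:
    """Return what the rule would see for one ARGS value.

    raw_arg           -- the argument bytes exactly as they travel on the wire
    server_predecodes -- True models the case the thread describes, where the
                         web server has already URL-decoded the argument once
                         before the WAF applies t:urlDecodeUni on top of it
    """
    as_received = url_decode_once(raw_arg) if server_predecodes else raw_arg
    after_transform = url_decode_once(as_received)
    outside = validate_byte_range(after_transform)
    return {
        "as_received": as_received,
        "after_t_urlDecodeUni": after_transform,
        "bytes_outside_range": outside,
        "triggered": bool(outside),
    }


if __name__ == "__main__":
    # Constructed inputs: the wire form from Ed's audit log, and a real %00.
    cases = [
        (b"shadow%250057", False, "single decode: literal '%0057' in password"),
        (b"shadow%250057", True, "double decode: the false positive from the thread"),
        (b"shadow%0057", False, "an actual null byte: must still trigger"),
    ]
    for raw, predecoded, label in cases:
        r = evaluate_920270(raw, predecoded)
        print(f"{label}\n  seen={r['as_received']!r} "
              f"after={r['after_t_urlDecodeUni']!r} triggered={r['triggered']}")
```

Run it and the middle case is the one from the audit log: the server's decode turns `shadow%250057` into `shadow%0057`, and the rule's own decode then produces a 0x00 byte, so @validateByteRange fires. The last case shows that a genuine `%00` on the wire still triggers the rule regardless, which is the behaviour Chaim is careful to point out should be preserved.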