Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SecHashing href rewrites to invalid href #752

Closed
scaarup opened this issue Jul 7, 2014 · 6 comments
Closed

SecHashing href rewrites to invalid href #752

scaarup opened this issue Jul 7, 2014 · 6 comments
Assignees
@zimmerle
Labels
bug It is a confirmed bug Platform - Nginx

Comments

@scaarup
Copy link

scaarup commented Jul 7, 2014

I am serving this html in the directory meta on an apache behind nginx with modsecurity 2.8:

<html>
<body>
<a href="subedit.pml?testparam=123456">Edit</a>
<a href="/admin/index.pml?testparam=123456">Admin</a>
</body>
</html>

With these settings:
SecContentInjection On
SecStreamOutBodyInspection On
SecDisableBackendCompression On

SecHashEngine On
SecHashParam "hmac"
SecHashKey "rand" "KeyOnly"
SecHashMethodRx "HashHref" "testparam"

The html presented to the client looks like:

<html><body>
<a href="/meta/subedit.pml?testparam=123456&hmac=2e90fe01904715639c65b8c8c424e24d159bd79e">Edit</a>
<a href="/meta/admin/index.pml?testparam=123456&hmac=91318d8dd856e50fca4e86e51b840bee3b9dd5c4">Admin</a>
</body></html>

As you can see, both hrefs are now prefixed with "/meta/" which the 2nd href does not exist on my server and therefore breaks my application. I have sniffed the traffic directly on the apache-server, and it serves nginx/modsec with html exactly as it looks like in the original html file. So that concludes that it is modsecurity which rewrites it wrongly.
zimmerle pushed a commit that referenced this issue Jul 7, 2014
Adds regression test to the hash functionality
9c4c732 
As reported on: #742 and #752 it seems that the SecHash functionality is
not working as expected.
@zimmerle zimmerle self-assigned this Jul 28, 2014
@scaarup
Copy link
Author

scaarup commented Feb 19, 2015

Has this been forgotten? :)

@scaarup
Copy link
Author

scaarup commented Jan 7, 2016

@zimmerle It has been a year - is this forgotten?

@csanders-git
Copy link

Let me take a look at that today... not many people use this functionality so it'll be interesting

@csanders-git
Copy link

@scaarup can you tell me what version of libXML you are using?

@scaarup
Copy link
Author

scaarup commented Jan 14, 2016

@csanders-git I am using 2.7.6

hideaki added a commit to hideaki/ModSecurity that referenced this issue Feb 5, 2016
@hideaki
Make url path absolute for SecHashEngine only when it is relative in …
3179d22 
…the first place. Fix owasp-modsecurity#752
@hideaki hideaki mentioned this issue Oct 21, 2016
Closed
@zimmerle
Copy link
Contributor

Fixed - #1071

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zimmerle zimmerle

Labels
bug It is a confirmed bug Platform - Nginx
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zimmerle @csanders-git @scaarup