Skip to content
This repository was archived by the owner on May 14, 2020. It is now read-only.

Commit 9619804

Browse files
fgschfgsch
committed
Revert #578
Stop decoding things twice. See #590 for details.
1 parent e0bea23 commit 9619804

6 files changed

+19
-19
lines changed

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1522,7 +1522,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
15221522
phase:2,\
15231523
block,\
15241524
capture,\
1525-
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
1525+
t:none,t:htmlEntityDecode,t:lowercase,\
15261526
log,\
15271527
msg:'Abnormal character escapes in request',\
15281528
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\

rules/REQUEST-921-PROTOCOL-ATTACK.conf

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
3535
phase:2,\
3636
block,\
3737
capture,\
38-
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
38+
t:none,t:htmlEntityDecode,t:lowercase,\
3939
msg:'HTTP Request Smuggling Attack',\
4040
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
4141
tag:'application-multi',\
@@ -68,7 +68,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
6868
phase:2,\
6969
block,\
7070
capture,\
71-
t:none,t:urlDecodeUni,t:lowercase,\
71+
t:none,t:lowercase,\
7272
msg:'HTTP Response Splitting Attack',\
7373
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
7474
tag:'application-multi',\
@@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
9090
phase:2,\
9191
block,\
9292
capture,\
93-
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
93+
t:none,t:htmlEntityDecode,t:lowercase,\
9494
msg:'HTTP Response Splitting Attack',\
9595
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
9696
tag:'application-multi',\
@@ -154,7 +154,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
154154
phase:2,\
155155
block,\
156156
capture,\
157-
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
157+
t:none,t:htmlEntityDecode,\
158158
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
159159
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
160160
tag:'application-multi',\
@@ -176,7 +176,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
176176
phase:1,\
177177
block,\
178178
capture,\
179-
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
179+
t:none,t:htmlEntityDecode,t:lowercase,\
180180
msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
181181
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
182182
tag:'application-multi',\

rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -318,7 +318,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
318318
phase:2,\
319319
block,\
320320
capture,\
321-
t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\
321+
t:none,t:cmdLine,t:lowercase,\
322322
msg:'Remote Command Execution: Windows PowerShell Command Found',\
323323
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
324324
tag:'application-multi',\
@@ -358,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
358358
phase:2,\
359359
block,\
360360
capture,\
361-
t:none,t:urlDecodeUni,t:cmdLine,\
361+
t:none,t:cmdLine,\
362362
msg:'Remote Command Execution: Unix Shell Expression Found',\
363363
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
364364
tag:'application-multi',\
@@ -406,7 +406,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
406406
phase:2,\
407407
block,\
408408
capture,\
409-
t:none,t:urlDecodeUni,t:cmdLine,\
409+
t:none,t:cmdLine,\
410410
msg:'Remote Command Execution: Windows FOR/IF Command Found',\
411411
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
412412
tag:'application-multi',\
@@ -498,7 +498,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
498498
phase:2,\
499499
block,\
500500
capture,\
501-
t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\
501+
t:none,t:cmdLine,t:normalizePath,t:lowercase,\
502502
msg:'Remote Command Execution: Unix Shell Code Found',\
503503
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
504504
tag:'application-multi',\

rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
4848
phase:2,\
4949
block,\
5050
capture,\
51-
t:none,t:urlDecodeUni,t:lowercase,\
51+
t:none,t:lowercase,\
5252
msg:'PHP Injection Attack: PHP Open Tag Found',\
5353
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
5454
tag:'application-multi',\
@@ -117,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
117117
phase:2,\
118118
block,\
119119
capture,\
120-
t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
120+
t:none,t:normalisePath,t:lowercase,\
121121
msg:'PHP Injection Attack: Configuration Directive Found',\
122122
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
123123
tag:'application-multi',\

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -624,7 +624,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
624624
phase:2,\
625625
block,\
626626
capture,\
627-
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
627+
t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
628628
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
629629
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
630630
tag:'application-multi',\
@@ -656,7 +656,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
656656
phase:2,\
657657
block,\
658658
capture,\
659-
t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
659+
t:none,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
660660
msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
661661
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
662662
tag:'application-multi',\
@@ -885,7 +885,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
885885
phase:2,\
886886
block,\
887887
capture,\
888-
t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
888+
t:none,t:jsDecode,t:lowercase,\
889889
msg:'Possible XSS Attack Detected - HTML Tag Handler',\
890890
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
891891
tag:'application-multi',\
@@ -910,7 +910,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
910910
phase:2,\
911911
block,\
912912
capture,\
913-
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
913+
t:none,t:htmlEntityDecode,t:compressWhitespace,\
914914
msg:'IE XSS Filters - Attack Detected.',\
915915
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
916916
tag:'application-multi',\
@@ -938,7 +938,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
938938
phase:2,\
939939
block,\
940940
capture,\
941-
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
941+
t:none,t:htmlEntityDecode,t:compressWhitespace,\
942942
msg:'IE XSS Filters - Attack Detected.',\
943943
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
944944
tag:'application-multi',\

rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
5656
phase:2,\
5757
block,\
5858
capture,\
59-
t:none,t:urlDecodeUni,t:lowercase,\
59+
t:none,t:lowercase,\
6060
msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
6161
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
6262
tag:'application-multi',\
@@ -85,7 +85,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
8585
phase:2,\
8686
block,\
8787
capture,\
88-
t:none,t:urlDecodeUni,t:lowercase,\
88+
t:none,t:lowercase,\
8989
msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
9090
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
9191
tag:'application-multi',\

0 commit comments

Comments
 (0)