HPP (HTTP Parameter Pollution) protection patch for ModSecurity version 2.5.9.
694e79fd6246d584e4df0972c66d14e7afca6ec28b6e3eee0d217b41d58f5786diff -Naru modsecurity-apache_2.5.9/apache2/Makefile.in modsecurity-apache_2.5.9-hpp/apache2/Makefile.in
--- modsecurity-apache_2.5.9/apache2/Makefile.in 2009-03-05 22:49:41.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/Makefile.in 2009-06-17 08:10:24.000000000 +0200
@@ -3,7 +3,8 @@
MOD_SECURITY2 = mod_security2 apache2_config apache2_io apache2_util \
re re_operators re_actions re_tfns re_variables \
msc_logging msc_xml msc_multipart modsecurity msc_parsers msc_util msc_pcre \
- persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua msc_release
+ persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua msc_release \
+ hpp_protect
MSC_TEST = re re_operators re_actions re_tfns re_variables \
msc_logging msc_xml msc_multipart modsecurity \
@@ -12,7 +13,7 @@
MOD_SECURITY2_H = re.h modsecurity.h msc_logging.h msc_multipart.h msc_parsers.h \
msc_pcre.h msc_util.h msc_xml.h persist_dbm.h apache2.h pdf_protect.h \
- msc_geo.h acmp.h utf8tables.h msc_lua.h msc_release.h
+ msc_geo.h acmp.h utf8tables.h msc_lua.h msc_release.h hpp_protect.h
CC = @APXS_CC@
LIBTOOL = @APXS_LIBTOOL@
diff -Naru modsecurity-apache_2.5.9/apache2/apache2_config.c modsecurity-apache_2.5.9-hpp/apache2/apache2_config.c
--- modsecurity-apache_2.5.9/apache2/apache2_config.c 2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/apache2_config.c 2009-06-17 08:53:19.000000000 +0200
@@ -106,6 +106,9 @@
dcfg->pdfp_only_get = NOT_SET;
dcfg->pdfp_method = NOT_SET;
+ /* HPP protection. */
+ dcfg->hppp_enabled = NOT_SET;
+
/* Geo Lookups */
dcfg->geo = NOT_SET_P;
@@ -445,6 +448,10 @@
merged->pdfp_method = (child->pdfp_method == NOT_SET
? parent->pdfp_method : child->pdfp_method);
+ /* HPP protection. */
+ merged->hppp_enabled = (child->hppp_enabled == NOT_SET
+ ? parent->hppp_enabled : child->hppp_enabled);
+
/* Geo Lookup */
merged->geo = (child->geo == NOT_SET_P
? parent->geo : child->geo);
@@ -542,6 +549,9 @@
if (dcfg->pdfp_only_get == NOT_SET) dcfg->pdfp_only_get = 1;
if (dcfg->pdfp_method == NOT_SET) dcfg->pdfp_method = PDF_PROTECT_METHOD_TOKEN_REDIRECTION;
+ /* HPP protection. */
+ if (dcfg->hppp_enabled == NOT_SET) dcfg->hppp_enabled = 0;
+
/* Geo Lookup */
if (dcfg->geo == NOT_SET_P) dcfg->geo = NULL;
@@ -1636,6 +1646,17 @@
return NULL;
}
+/* -- HPP Protection configuration -- */
+
+static const char *cmd_hpp_protect(cmd_parms *cmd, void *_dcfg, int flag) {
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+
+ dcfg->hppp_enabled = flag;
+
+ return NULL;
+}
+
/* -- Geo Lookup configuration -- */
static const char *cmd_geo_lookup_db(cmd_parms *cmd, void *_dcfg,
@@ -1981,6 +2002,14 @@
"protection method to use. Can be 'TokenRedirection' (default) or 'ForcedDownload'"
),
+ AP_INIT_FLAG (
+ "SecHPPProtect",
+ cmd_hpp_protect,
+ NULL,
+ CMD_SCOPE_ANY,
+ "enable HPP (HTTP parameter pollution) protection module."
+ ),
+
AP_INIT_TAKE1 (
"SecRequestBodyAccess",
cmd_request_body_access,
diff -Naru modsecurity-apache_2.5.9/apache2/hpp_protect.c modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.c
--- modsecurity-apache_2.5.9/apache2/hpp_protect.c 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.c 2009-06-17 08:54:50.000000000 +0200
@@ -0,0 +1,35 @@
+/*
+ * ModSecurity for Apache 2.x, http://www.modsecurity.org/
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
+ *
+ * This product is released under the terms of the General Public Licence,
+ * version 2 (GPLv2). Please refer to the file LICENSE (included with this
+ * distribution) which contains the complete text of the licence.
+ *
+ * There are special exceptions to the terms and conditions of the GPL
+ * as it is applied to this software. View the full text of the exception in
+ * file MODSECURITY_LICENSING_EXCEPTION in the directory of this software
+ * distribution.
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Breach Security, Inc.
+ * directly using the email address support@breach.com.
+ *
+ */
+#include "modsecurity.h"
+#include "apache2.h"
+#include "hpp_protect.h"
+
+void hppp_check(modsec_rec *msr, char *name, int name_len) {
+ if (msr->txcfg->hppp_enabled != 1) {
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "HPPProtect: Not enabled here.");
+ }
+ } else {
+ if ( (msr->arguments && apr_table_get(msr->arguments, log_escape_nq_ex(msr->mp, name, name_len))) ||
+ (msr->request_cookies && apr_table_get(msr->request_cookies, log_escape_nq_ex(msr->mp, name, name_len))) ) {
+ msr_log(msr, 1, "HPP attack: name \"%s\"", log_escape_nq_ex(msr->mp, name, name_len));
+ msr->msc_hpp = 1;
+ }
+ }
+}
diff -Naru modsecurity-apache_2.5.9/apache2/hpp_protect.h modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.h
--- modsecurity-apache_2.5.9/apache2/hpp_protect.h 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.h 2009-06-17 08:30:55.000000000 +0200
@@ -0,0 +1,24 @@
+/*
+ * ModSecurity for Apache 2.x, http://www.modsecurity.org/
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
+ *
+ * This product is released under the terms of the General Public Licence,
+ * version 2 (GPLv2). Please refer to the file LICENSE (included with this
+ * distribution) which contains the complete text of the licence.
+ *
+ * There are special exceptions to the terms and conditions of the GPL
+ * as it is applied to this software. View the full text of the exception in
+ * file MODSECURITY_LICENSING_EXCEPTION in the directory of this software
+ * distribution.
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Breach Security, Inc.
+ * directly using the email address support@breach.com.
+ *
+ */
+#ifndef _HPP_PROTECT_H_
+#define _HPP_PROTECT_H_
+
+void DSOLOCAL hppp_check(modsec_rec *msr, char *name, int name_len);
+
+#endif
diff -Naru modsecurity-apache_2.5.9/apache2/modsecurity.h modsecurity-apache_2.5.9-hpp/apache2/modsecurity.h
--- modsecurity-apache_2.5.9/apache2/modsecurity.h 2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/modsecurity.h 2009-06-15 12:08:17.000000000 +0200
@@ -353,6 +353,9 @@
* are to allow phases 1-2 only.
*/
unsigned int allow_scope;
+
+ /* HPP (HTTP parameter pollution) */
+ int msc_hpp;
};
struct directory_config {
@@ -447,6 +450,9 @@
int pdfp_only_get;
int pdfp_method;
+ /* HPP Protection. */
+ int hppp_enabled;
+
/* Geo Lookup */
geo_db *geo;
diff -Naru modsecurity-apache_2.5.9/apache2/modules.mk modsecurity-apache_2.5.9-hpp/apache2/modules.mk
--- modsecurity-apache_2.5.9/apache2/modules.mk 2007-12-19 12:22:52.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/modules.mk 2009-06-17 08:15:13.000000000 +0200
@@ -1,11 +1,11 @@
MOD_SECURITY2 = mod_security2 apache2_config apache2_io apache2_util \
re re_operators re_actions re_tfns re_variables \
msc_logging msc_xml msc_multipart modsecurity msc_parsers msc_util msc_pcre \
- persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua
+ persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua hpp_protect
H = re.h modsecurity.h msc_logging.h msc_multipart.h msc_parsers.h \
msc_pcre.h msc_util.h msc_xml.h persist_dbm.h apache2.h pdf_protect.h \
- msc_geo.h acmp.h utf8tables.h msc_lua.h
+ msc_geo.h acmp.h utf8tables.h msc_lua.h hpp_protect.h
${MOD_SECURITY2:=.slo}: ${H}
${MOD_SECURITY2:=.lo}: ${H}
diff -Naru modsecurity-apache_2.5.9/apache2/msc_parsers.c modsecurity-apache_2.5.9-hpp/apache2/msc_parsers.c
--- modsecurity-apache_2.5.9/apache2/msc_parsers.c 2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/msc_parsers.c 2009-06-17 08:31:41.000000000 +0200
@@ -17,6 +17,7 @@
*
*/
#include "msc_parsers.h"
+#include "hpp_protect.h"
#include <ctype.h>
/**
@@ -62,6 +63,7 @@
log_escape(msr->mp, attr_name), log_escape(msr->mp, attr_value));
}
+ hppp_check(msr, attr_name, strlen(attr_name));
apr_table_add(cookies, attr_name, attr_value);
} else {
if (msr->txcfg->debuglog_level >= 5) {
@@ -69,6 +71,7 @@
log_escape(msr->mp, attr_name));
}
+ hppp_check(msr, attr_name, strlen(attr_name));
apr_table_add(cookies, attr_name, "");
}
@@ -190,6 +193,7 @@
log_escape(msr->mp, attr_name), log_escape(msr->mp, attr_value));
}
+ hppp_check(msr, attr_name, strlen(attr_name));
apr_table_add(cookies, attr_name, attr_value);
} else {
if (msr->txcfg->debuglog_level >= 5) {
@@ -197,6 +201,7 @@
log_escape(msr->mp, attr_name));
}
+ hppp_check(msr, attr_name, strlen(attr_name));
apr_table_add(cookies, attr_name, "");
}
@@ -329,6 +334,7 @@
log_escape_ex(msr->mp, arg->value, arg->value_len));
}
+ hppp_check(msr, arg->name, arg->name_len);
+
apr_table_addn(arguments, log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *)arg);
}
-
diff -Naru modsecurity-apache_2.5.9/apache2/re_variables.c modsecurity-apache_2.5.9-hpp/apache2/re_variables.c
--- modsecurity-apache_2.5.9/apache2/re_variables.c 2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/re_variables.c 2009-06-15 12:12:33.000000000 +0200
@@ -2093,6 +2093,20 @@
return var_simple_generate(var, vartab, mptmp, value);
}
+/* HPP */
+
+static int var_hpp_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+ apr_table_t *vartab, apr_pool_t *mptmp)
+{
+ msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+
+ rvar->value = apr_psprintf(mptmp, "%d", msr->msc_hpp);
+ rvar->value_len = strlen(rvar->value);
+ apr_table_addn(vartab, rvar->name, (void *)rvar);
+
+ return 1;
+}
+
/* ---------------------------------------------- */
/**
@@ -3113,4 +3127,15 @@
VAR_DONT_CACHE, /* dynamic */
PHASE_REQUEST_BODY
);
+
+ /* HPP */
+ msre_engine_variable_register(engine,
+ "HPP",
+ VAR_SIMPLE,
+ 0, 0,
+ NULL,
+ var_hpp_generate,
+ VAR_DONT_CACHE, /* dynamic */
+ PHASE_REQUEST_BODY
+ );
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed