exploit the possibilities

HPP Protection Patch For ModSecurity 2.5.9

HPP Protection Patch For ModSecurity 2.5.9
Posted Jul 6, 2009
Authored by Andi | Site void.at

HPP (HTTP Parameter Pollution) protection patch for ModSecurity version 2.5.9.

tags | web, patch
systems | unix
MD5 | 825adef3a8be5af3cd0407fab82288e7

HPP Protection Patch For ModSecurity 2.5.9

Change Mirror Download
diff -Naru modsecurity-apache_2.5.9/apache2/Makefile.in modsecurity-apache_2.5.9-hpp/apache2/Makefile.in
--- modsecurity-apache_2.5.9/apache2/Makefile.in 2009-03-05 22:49:41.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/Makefile.in 2009-06-17 08:10:24.000000000 +0200
@@ -3,7 +3,8 @@
MOD_SECURITY2 = mod_security2 apache2_config apache2_io apache2_util \
re re_operators re_actions re_tfns re_variables \
msc_logging msc_xml msc_multipart modsecurity msc_parsers msc_util msc_pcre \
- persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua msc_release
+ persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua msc_release \
+ hpp_protect

MSC_TEST = re re_operators re_actions re_tfns re_variables \
msc_logging msc_xml msc_multipart modsecurity \
@@ -12,7 +13,7 @@

MOD_SECURITY2_H = re.h modsecurity.h msc_logging.h msc_multipart.h msc_parsers.h \
msc_pcre.h msc_util.h msc_xml.h persist_dbm.h apache2.h pdf_protect.h \
- msc_geo.h acmp.h utf8tables.h msc_lua.h msc_release.h
+ msc_geo.h acmp.h utf8tables.h msc_lua.h msc_release.h hpp_protect.h

CC = @APXS_CC@
LIBTOOL = @APXS_LIBTOOL@
diff -Naru modsecurity-apache_2.5.9/apache2/apache2_config.c modsecurity-apache_2.5.9-hpp/apache2/apache2_config.c
--- modsecurity-apache_2.5.9/apache2/apache2_config.c 2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/apache2_config.c 2009-06-17 08:53:19.000000000 +0200
@@ -106,6 +106,9 @@
dcfg->pdfp_only_get = NOT_SET;
dcfg->pdfp_method = NOT_SET;

+ /* HPP protection. */
+ dcfg->hppp_enabled = NOT_SET;
+
/* Geo Lookups */
dcfg->geo = NOT_SET_P;

@@ -445,6 +448,10 @@
merged->pdfp_method = (child->pdfp_method == NOT_SET
? parent->pdfp_method : child->pdfp_method);

+ /* HPP protection. */
+ merged->hppp_enabled = (child->hppp_enabled == NOT_SET
+ ? parent->hppp_enabled : child->hppp_enabled);
+
/* Geo Lookup */
merged->geo = (child->geo == NOT_SET_P
? parent->geo : child->geo);
@@ -542,6 +549,9 @@
if (dcfg->pdfp_only_get == NOT_SET) dcfg->pdfp_only_get = 1;
if (dcfg->pdfp_method == NOT_SET) dcfg->pdfp_method = PDF_PROTECT_METHOD_TOKEN_REDIRECTION;

+ /* HPP protection. */
+ if (dcfg->hppp_enabled == NOT_SET) dcfg->hppp_enabled = 0;
+
/* Geo Lookup */
if (dcfg->geo == NOT_SET_P) dcfg->geo = NULL;

@@ -1636,6 +1646,17 @@
return NULL;
}

+/* -- HPP Protection configuration -- */
+
+static const char *cmd_hpp_protect(cmd_parms *cmd, void *_dcfg, int flag) {
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+
+ dcfg->hppp_enabled = flag;
+
+ return NULL;
+}
+
/* -- Geo Lookup configuration -- */

static const char *cmd_geo_lookup_db(cmd_parms *cmd, void *_dcfg,
@@ -1981,6 +2002,14 @@
"protection method to use. Can be 'TokenRedirection' (default) or 'ForcedDownload'"
),

+ AP_INIT_FLAG (
+ "SecHPPProtect",
+ cmd_hpp_protect,
+ NULL,
+ CMD_SCOPE_ANY,
+ "enable HPP (HTTP parameter pollution) protection module."
+ ),
+
AP_INIT_TAKE1 (
"SecRequestBodyAccess",
cmd_request_body_access,
diff -Naru modsecurity-apache_2.5.9/apache2/hpp_protect.c modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.c
--- modsecurity-apache_2.5.9/apache2/hpp_protect.c 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.c 2009-06-17 08:54:50.000000000 +0200
@@ -0,0 +1,35 @@
+/*
+ * ModSecurity for Apache 2.x, http://www.modsecurity.org/
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
+ *
+ * This product is released under the terms of the General Public Licence,
+ * version 2 (GPLv2). Please refer to the file LICENSE (included with this
+ * distribution) which contains the complete text of the licence.
+ *
+ * There are special exceptions to the terms and conditions of the GPL
+ * as it is applied to this software. View the full text of the exception in
+ * file MODSECURITY_LICENSING_EXCEPTION in the directory of this software
+ * distribution.
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Breach Security, Inc.
+ * directly using the email address support@breach.com.
+ *
+ */
+#include "modsecurity.h"
+#include "apache2.h"
+#include "hpp_protect.h"
+
+void hppp_check(modsec_rec *msr, char *name, int name_len) {
+ if (msr->txcfg->hppp_enabled != 1) {
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "HPPProtect: Not enabled here.");
+ }
+ } else {
+ if ( (msr->arguments && apr_table_get(msr->arguments, log_escape_nq_ex(msr->mp, name, name_len))) ||
+ (msr->request_cookies && apr_table_get(msr->request_cookies, log_escape_nq_ex(msr->mp, name, name_len))) ) {
+ msr_log(msr, 1, "HPP attack: name \"%s\"", log_escape_nq_ex(msr->mp, name, name_len));
+ msr->msc_hpp = 1;
+ }
+ }
+}
diff -Naru modsecurity-apache_2.5.9/apache2/hpp_protect.h modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.h
--- modsecurity-apache_2.5.9/apache2/hpp_protect.h 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.h 2009-06-17 08:30:55.000000000 +0200
@@ -0,0 +1,24 @@
+/*
+ * ModSecurity for Apache 2.x, http://www.modsecurity.org/
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
+ *
+ * This product is released under the terms of the General Public Licence,
+ * version 2 (GPLv2). Please refer to the file LICENSE (included with this
+ * distribution) which contains the complete text of the licence.
+ *
+ * There are special exceptions to the terms and conditions of the GPL
+ * as it is applied to this software. View the full text of the exception in
+ * file MODSECURITY_LICENSING_EXCEPTION in the directory of this software
+ * distribution.
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Breach Security, Inc.
+ * directly using the email address support@breach.com.
+ *
+ */
+#ifndef _HPP_PROTECT_H_
+#define _HPP_PROTECT_H_
+
+void DSOLOCAL hppp_check(modsec_rec *msr, char *name, int name_len);
+
+#endif
diff -Naru modsecurity-apache_2.5.9/apache2/modsecurity.h modsecurity-apache_2.5.9-hpp/apache2/modsecurity.h
--- modsecurity-apache_2.5.9/apache2/modsecurity.h 2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/modsecurity.h 2009-06-15 12:08:17.000000000 +0200
@@ -353,6 +353,9 @@
* are to allow phases 1-2 only.
*/
unsigned int allow_scope;
+
+ /* HPP (HTTP parameter pollution) */
+ int msc_hpp;
};

struct directory_config {
@@ -447,6 +450,9 @@
int pdfp_only_get;
int pdfp_method;

+ /* HPP Protection. */
+ int hppp_enabled;
+
/* Geo Lookup */
geo_db *geo;

diff -Naru modsecurity-apache_2.5.9/apache2/modules.mk modsecurity-apache_2.5.9-hpp/apache2/modules.mk
--- modsecurity-apache_2.5.9/apache2/modules.mk 2007-12-19 12:22:52.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/modules.mk 2009-06-17 08:15:13.000000000 +0200
@@ -1,11 +1,11 @@
MOD_SECURITY2 = mod_security2 apache2_config apache2_io apache2_util \
re re_operators re_actions re_tfns re_variables \
msc_logging msc_xml msc_multipart modsecurity msc_parsers msc_util msc_pcre \
- persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua
+ persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua hpp_protect

H = re.h modsecurity.h msc_logging.h msc_multipart.h msc_parsers.h \
msc_pcre.h msc_util.h msc_xml.h persist_dbm.h apache2.h pdf_protect.h \
- msc_geo.h acmp.h utf8tables.h msc_lua.h
+ msc_geo.h acmp.h utf8tables.h msc_lua.h hpp_protect.h

${MOD_SECURITY2:=.slo}: ${H}
${MOD_SECURITY2:=.lo}: ${H}
diff -Naru modsecurity-apache_2.5.9/apache2/msc_parsers.c modsecurity-apache_2.5.9-hpp/apache2/msc_parsers.c
--- modsecurity-apache_2.5.9/apache2/msc_parsers.c 2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/msc_parsers.c 2009-06-17 08:31:41.000000000 +0200
@@ -17,6 +17,7 @@
*
*/
#include "msc_parsers.h"
+#include "hpp_protect.h"
#include <ctype.h>

/**
@@ -62,6 +63,7 @@
log_escape(msr->mp, attr_name), log_escape(msr->mp, attr_value));
}

+ hppp_check(msr, attr_name, strlen(attr_name));
apr_table_add(cookies, attr_name, attr_value);
} else {
if (msr->txcfg->debuglog_level >= 5) {
@@ -69,6 +71,7 @@
log_escape(msr->mp, attr_name));
}

+ hppp_check(msr, attr_name, strlen(attr_name));
apr_table_add(cookies, attr_name, "");
}

@@ -190,6 +193,7 @@
log_escape(msr->mp, attr_name), log_escape(msr->mp, attr_value));
}

+ hppp_check(msr, attr_name, strlen(attr_name));
apr_table_add(cookies, attr_name, attr_value);
} else {
if (msr->txcfg->debuglog_level >= 5) {
@@ -197,6 +201,7 @@
log_escape(msr->mp, attr_name));
}

+ hppp_check(msr, attr_name, strlen(attr_name));
apr_table_add(cookies, attr_name, "");
}

@@ -329,6 +334,7 @@
log_escape_ex(msr->mp, arg->value, arg->value_len));
}

+ hppp_check(msr, arg->name, arg->name_len);
+
apr_table_addn(arguments, log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *)arg);
}
-
diff -Naru modsecurity-apache_2.5.9/apache2/re_variables.c modsecurity-apache_2.5.9-hpp/apache2/re_variables.c
--- modsecurity-apache_2.5.9/apache2/re_variables.c 2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/re_variables.c 2009-06-15 12:12:33.000000000 +0200
@@ -2093,6 +2093,20 @@
return var_simple_generate(var, vartab, mptmp, value);
}

+/* HPP */
+
+static int var_hpp_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+ apr_table_t *vartab, apr_pool_t *mptmp)
+{
+ msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+
+ rvar->value = apr_psprintf(mptmp, "%d", msr->msc_hpp);
+ rvar->value_len = strlen(rvar->value);
+ apr_table_addn(vartab, rvar->name, (void *)rvar);
+
+ return 1;
+}
+
/* ---------------------------------------------- */

/**
@@ -3113,4 +3127,15 @@
VAR_DONT_CACHE, /* dynamic */
PHASE_REQUEST_BODY
);
+
+ /* HPP */
+ msre_engine_variable_register(engine,
+ "HPP",
+ VAR_SIMPLE,
+ 0, 0,
+ NULL,
+ var_hpp_generate,
+ VAR_DONT_CACHE, /* dynamic */
+ PHASE_REQUEST_BODY
+ );
}

Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close