diff -Naru modsecurity-apache_2.5.9/apache2/Makefile.in modsecurity-apache_2.5.9-hpp/apache2/Makefile.in
--- modsecurity-apache_2.5.9/apache2/Makefile.in	2009-03-05 22:49:41.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/Makefile.in	2009-06-17 08:10:24.000000000 +0200
@@ -3,7 +3,8 @@
 MOD_SECURITY2 = mod_security2 apache2_config apache2_io apache2_util \
     re re_operators re_actions re_tfns re_variables \
     msc_logging msc_xml msc_multipart modsecurity msc_parsers msc_util msc_pcre \
-    persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua msc_release
+    persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua msc_release \
+    hpp_protect
 
 MSC_TEST = re re_operators re_actions re_tfns re_variables \
     msc_logging msc_xml msc_multipart modsecurity \
@@ -12,7 +13,7 @@
 
 MOD_SECURITY2_H = re.h modsecurity.h msc_logging.h msc_multipart.h msc_parsers.h \
     msc_pcre.h msc_util.h msc_xml.h persist_dbm.h apache2.h pdf_protect.h \
-    msc_geo.h acmp.h utf8tables.h msc_lua.h msc_release.h
+    msc_geo.h acmp.h utf8tables.h msc_lua.h msc_release.h hpp_protect.h
 
 CC = @APXS_CC@
 LIBTOOL = @APXS_LIBTOOL@
diff -Naru modsecurity-apache_2.5.9/apache2/apache2_config.c modsecurity-apache_2.5.9-hpp/apache2/apache2_config.c
--- modsecurity-apache_2.5.9/apache2/apache2_config.c	2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/apache2_config.c	2009-06-17 08:53:19.000000000 +0200
@@ -106,6 +106,9 @@
     dcfg->pdfp_only_get = NOT_SET;
     dcfg->pdfp_method = NOT_SET;
 
+    /* HPP protection. */
+    dcfg->hppp_enabled = NOT_SET;
+
     /* Geo Lookups */
     dcfg->geo = NOT_SET_P;
 
@@ -445,6 +448,10 @@
     merged->pdfp_method = (child->pdfp_method == NOT_SET
         ? parent->pdfp_method : child->pdfp_method);
 
+    /* HPP protection. */
+    merged->hppp_enabled = (child->hppp_enabled == NOT_SET
+        ? parent->hppp_enabled : child->hppp_enabled);
+
     /* Geo Lookup */
     merged->geo = (child->geo == NOT_SET_P
         ? parent->geo : child->geo);
@@ -542,6 +549,9 @@
     if (dcfg->pdfp_only_get == NOT_SET) dcfg->pdfp_only_get = 1;
     if (dcfg->pdfp_method == NOT_SET) dcfg->pdfp_method = PDF_PROTECT_METHOD_TOKEN_REDIRECTION;
 
+    /* HPP protection. */
+    if (dcfg->hppp_enabled == NOT_SET) dcfg->hppp_enabled = 0;
+
     /* Geo Lookup */
     if (dcfg->geo == NOT_SET_P) dcfg->geo = NULL;
 
@@ -1636,6 +1646,17 @@
     return NULL;
 }
 
+/* -- HPP Protection configuration -- */
+
+static const char *cmd_hpp_protect(cmd_parms *cmd, void *_dcfg, int flag) {
+    directory_config *dcfg = (directory_config *)_dcfg;
+    if (dcfg == NULL) return NULL;
+
+    dcfg->hppp_enabled = flag;
+
+    return NULL;
+}
+
 /* -- Geo Lookup configuration -- */
 
 static const char *cmd_geo_lookup_db(cmd_parms *cmd, void *_dcfg,
@@ -1981,6 +2002,14 @@
         "protection method to use. Can be 'TokenRedirection' (default) or 'ForcedDownload'"
     ),
 
+    AP_INIT_FLAG (
+        "SecHPPProtect",
+        cmd_hpp_protect,
+        NULL,
+        CMD_SCOPE_ANY,
+        "enable HPP (HTTP parameter pollution) protection module."
+    ),
+
     AP_INIT_TAKE1 (
         "SecRequestBodyAccess",
         cmd_request_body_access,
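Review bot: The help string for SecHPPProtect describes a "protection module", but in the hunks shown, turning the flag on only makes hppp_check log the repeated name and set msc_hpp; nothing acts on the request unless a rule tests the HPP variable. An administrator reading only the directive help could assume requests are blocked. The text should say what the flag does, for example `"enable HPP (HTTP parameter pollution) detection; test the HPP variable in a rule to act on it."`. The command table starts and ends outside this hunk.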
diff -Naru modsecurity-apache_2.5.9/apache2/hpp_protect.c modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.c
--- modsecurity-apache_2.5.9/apache2/hpp_protect.c	1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.c	2009-06-17 08:54:50.000000000 +0200
@@ -0,0 +1,35 @@
+/*
+ * ModSecurity for Apache 2.x, http://www.modsecurity.org/
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
+ *
+ * This product is released under the terms of the General Public Licence,
+ * version 2 (GPLv2). Please refer to the file LICENSE (included with this
+ * distribution) which contains the complete text of the licence.
+ *
+ * There are special exceptions to the terms and conditions of the GPL
+ * as it is applied to this software. View the full text of the exception in
+ * file MODSECURITY_LICENSING_EXCEPTION in the directory of this software
+ * distribution.
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Breach Security, Inc.
+ * directly using the email address support@breach.com.
+ *
+ */
+#include "modsecurity.h"
+#include "apache2.h"
+#include "hpp_protect.h"
+
+void hppp_check(modsec_rec *msr, char *name, int name_len) {
+    if (msr->txcfg->hppp_enabled != 1) {
+        if (msr->txcfg->debuglog_level >= 4) {
+            msr_log(msr, 4, "HPPProtect: Not enabled here.");
+        }
+    } else {
+       if ( (msr->arguments         && apr_table_get(msr->arguments, log_escape_nq_ex(msr->mp, name, name_len))) ||
+            (msr->request_cookies   && apr_table_get(msr->request_cookies, log_escape_nq_ex(msr->mp, name, name_len))) ) {
+           msr_log(msr, 1, "HPP attack: name \"%s\"", log_escape_nq_ex(msr->mp, name, name_len));
+           msr->msc_hpp = 1;
+       }
+    }
+}
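Review bot: In the enabled branch of hppp_check the name is passed through log_escape_nq_ex three times (two lookups and the log call), and each call takes msr->mp, so it presumably allocates from the request pool once per call for every parameter and cookie the client sends. Escaping once into a local and reusing it for both lookups and the message removes that client-driven overhead. apr_table_get matches keys case-insensitively, so names that differ only in case are reported as duplicates; a comment should state that this is intended. The level-4 "Not enabled here" message is written once per parameter when the directive is off, which floods the debug log and is better dropped or emitted once per transaction.

```c
void hppp_check(modsec_rec *msr, char *name, int name_len) {
    const char *key;

    /* … unchanged: hppp_enabled test and debug message for the disabled case … */
    } else {
        /* Escape once; the same key serves both lookups and the log line.
         * apr_table_get compares case-insensitively, so "id" and "ID" count
         * as the same name here.
         */
        key = log_escape_nq_ex(msr->mp, name, name_len);

        if ((msr->arguments && apr_table_get(msr->arguments, key)) ||
            (msr->request_cookies && apr_table_get(msr->request_cookies, key))) {
            msr_log(msr, 1, "HPP attack: name \"%s\"", key);
            msr->msc_hpp = 1;
        }
    }
}
```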
diff -Naru modsecurity-apache_2.5.9/apache2/hpp_protect.h modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.h
--- modsecurity-apache_2.5.9/apache2/hpp_protect.h	1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/hpp_protect.h	2009-06-17 08:30:55.000000000 +0200
@@ -0,0 +1,24 @@
+/*
+ * ModSecurity for Apache 2.x, http://www.modsecurity.org/
+ * Copyright (c) 2004-2009 Breach Security, Inc. (http://www.breach.com/)
+ *
+ * This product is released under the terms of the General Public Licence,
+ * version 2 (GPLv2). Please refer to the file LICENSE (included with this
+ * distribution) which contains the complete text of the licence.
+ *
+ * There are special exceptions to the terms and conditions of the GPL
+ * as it is applied to this software. View the full text of the exception in
+ * file MODSECURITY_LICENSING_EXCEPTION in the directory of this software
+ * distribution.
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Breach Security, Inc.
+ * directly using the email address support@breach.com.
+ *
+ */
+#ifndef _HPP_PROTECT_H_
+#define _HPP_PROTECT_H_
+
+void DSOLOCAL hppp_check(modsec_rec *msr, char *name, int name_len);
+
+#endif
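Review bot: hpp_protect.h is not self-contained: the prototype uses modsec_rec and DSOLOCAL, but the header includes nothing, so it compiles only when the including file has already pulled in the ModSecurity headers (msc_parsers.c relies on including msc_parsers.h first). Adding `#include "modsecurity.h"` directly after the include guard removes that ordering dependency. A one-line comment above the prototype saying that the function sets msr->msc_hpp when the name is already present among the arguments or cookies would document the side effect for callers.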
diff -Naru modsecurity-apache_2.5.9/apache2/modsecurity.h modsecurity-apache_2.5.9-hpp/apache2/modsecurity.h
--- modsecurity-apache_2.5.9/apache2/modsecurity.h	2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/modsecurity.h	2009-06-15 12:08:17.000000000 +0200
@@ -353,6 +353,9 @@
      * are to allow phases 1-2 only.
      */
     unsigned int         allow_scope;
+
+    /* HPP (HTTP parameter pollution) */
+    int                  msc_hpp;
 };
 
 struct directory_config {
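Review bot: The new msc_hpp field is only ever assigned 1 in this patch (in hppp_check) and no initialisation is visible, so its value for a request without repeated names depends on how the modsec_rec is allocated. If the record is not zero-filled at creation, an explicit `msr->msc_hpp = 0;` is needed at transaction setup, otherwise the HPP variable could report stale or indeterminate data. The field comment should also state the meaning, e.g. `/* HPP: 1 if a repeated parameter or cookie name was seen in this transaction, else 0 */`. The struct begins outside the hunk.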
@@ -447,6 +450,9 @@
     int                  pdfp_only_get;
     int                  pdfp_method;
 
+    /* HPP Protection. */
+    int                  hppp_enabled;
+
     /* Geo Lookup */
     geo_db              *geo;
 
diff -Naru modsecurity-apache_2.5.9/apache2/modules.mk modsecurity-apache_2.5.9-hpp/apache2/modules.mk
--- modsecurity-apache_2.5.9/apache2/modules.mk	2007-12-19 12:22:52.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/modules.mk	2009-06-17 08:15:13.000000000 +0200
@@ -1,11 +1,11 @@
 MOD_SECURITY2 = mod_security2 apache2_config apache2_io apache2_util \
     re re_operators re_actions re_tfns re_variables \
     msc_logging msc_xml msc_multipart modsecurity msc_parsers msc_util msc_pcre \
-    persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua
+    persist_dbm msc_reqbody pdf_protect msc_geo acmp msc_lua hpp_protect
 
 H = re.h modsecurity.h msc_logging.h msc_multipart.h msc_parsers.h \
     msc_pcre.h msc_util.h msc_xml.h persist_dbm.h apache2.h pdf_protect.h \
-    msc_geo.h acmp.h utf8tables.h msc_lua.h
+    msc_geo.h acmp.h utf8tables.h msc_lua.h hpp_protect.h
 
 ${MOD_SECURITY2:=.slo}: ${H}
 ${MOD_SECURITY2:=.lo}: ${H}
diff -Naru modsecurity-apache_2.5.9/apache2/msc_parsers.c modsecurity-apache_2.5.9-hpp/apache2/msc_parsers.c
--- modsecurity-apache_2.5.9/apache2/msc_parsers.c	2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/msc_parsers.c	2009-06-17 08:31:41.000000000 +0200
@@ -17,6 +17,7 @@
  *
  */
 #include "msc_parsers.h"
+#include "hpp_protect.h"
 #include <ctype.h>
 
 /**
@@ -62,6 +63,7 @@
                         log_escape(msr->mp, attr_name), log_escape(msr->mp, attr_value));
                 }
 
+                hppp_check(msr, attr_name, strlen(attr_name));
                 apr_table_add(cookies, attr_name, attr_value);
             } else {
                 if (msr->txcfg->debuglog_level >= 5) {
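Review bot: The duplicate check and the insert use different keys here: hppp_check looks the name up after log_escape_nq_ex (see hpp_protect.c), while `apr_table_add(cookies, attr_name, attr_value)` stores the raw attr_name, so a cookie name containing characters the escaper rewrites would not match its own earlier occurrence. hppp_check also consults msr->request_cookies rather than the `cookies` table passed to this function; if the two can differ, the check inspects the wrong table. The same applies to the three following cookie hunks (the call before `apr_table_add(cookies, attr_name, "")` here and both calls in the second parser). Passing the destination table and the exact insert key to the check, for example `hppp_check(msr, cookies, attr_name);` with a matching signature, would keep lookup and insert consistent. The enclosing functions start and end outside these hunks.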
@@ -69,6 +71,7 @@
                         log_escape(msr->mp, attr_name));
                 }
 
+                hppp_check(msr, attr_name, strlen(attr_name));
                 apr_table_add(cookies, attr_name, "");
             }
 
@@ -190,6 +193,7 @@
                         log_escape(msr->mp, attr_name), log_escape(msr->mp, attr_value));
                 }
 
+                hppp_check(msr, attr_name, strlen(attr_name));
                 apr_table_add(cookies, attr_name, attr_value);
             } else {
                 if (msr->txcfg->debuglog_level >= 5) {
@@ -197,6 +201,7 @@
                         log_escape(msr->mp, attr_name));
                 }
 
+                hppp_check(msr, attr_name, strlen(attr_name));
                 apr_table_add(cookies, attr_name, "");
             }
 
@@ -329,6 +334,7 @@
             log_escape_ex(msr->mp, arg->value, arg->value_len));
     }
 
+    hppp_check(msr, arg->name, arg->name_len);
+
     apr_table_addn(arguments, log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *)arg);
 }
-
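Review bot: Only parameters that pass through this function are checked, because the hppp_check call sits directly in front of this one `apr_table_addn`. Any parser that fills the arguments table by another path would leave msc_hpp untouched for repeated names; multipart body handling is worth verifying, as it is not visible in this patch. hppp_check also looks in msr->arguments while the insert goes to the `arguments` parameter, so the check is only meaningful when the two are the same table. The name is escaped again on the insert line after hppp_check has already escaped it, so the key could be computed once and shared. The function begins outside the hunk.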
diff -Naru modsecurity-apache_2.5.9/apache2/re_variables.c modsecurity-apache_2.5.9-hpp/apache2/re_variables.c
--- modsecurity-apache_2.5.9/apache2/re_variables.c	2009-03-06 06:32:03.000000000 +0100
+++ modsecurity-apache_2.5.9-hpp/apache2/re_variables.c	2009-06-15 12:12:33.000000000 +0200
@@ -2093,6 +2093,20 @@
     return var_simple_generate(var, vartab, mptmp, value);
 }
 
+/* HPP */
+
+static int var_hpp_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+    apr_table_t *vartab, apr_pool_t *mptmp)
+{
+    msre_var *rvar = apr_pmemdup(mptmp, var, sizeof(msre_var));
+
+    rvar->value = apr_psprintf(mptmp, "%d", msr->msc_hpp);
+    rvar->value_len = strlen(rvar->value);
+    apr_table_addn(vartab, rvar->name, (void *)rvar);
+
+    return 1;
+}
+
 /* ---------------------------------------------- */
 
 /**
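Review bot: var_hpp_generate open-codes the duplicate-and-insert sequence that the generator just above hands to `var_simple_generate(var, vartab, mptmp, value)`. Assuming that helper performs the same pmemdup, value, value_len and table-add steps, the body can shrink to `return var_simple_generate(var, vartab, mptmp, apr_psprintf(mptmp, "%d", msr->msc_hpp));`. As written, the results of apr_pmemdup and apr_psprintf are used without a NULL check. The `/* HPP */` comment should be expanded to say that the variable yields the decimal value of msr->msc_hpp, which hppp_check sets to 1 when a repeated parameter or cookie name is seen.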
@@ -3113,4 +3127,15 @@
         VAR_DONT_CACHE, /* dynamic */
         PHASE_REQUEST_BODY
     );
+
+    /* HPP */
+    msre_engine_variable_register(engine,
+        "HPP",
+        VAR_SIMPLE,
+        0, 0,
+        NULL,
+        var_hpp_generate,
+        VAR_DONT_CACHE, /* dynamic */
+        PHASE_REQUEST_BODY
+    );
 }
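Review bot: The HPP registration needs a comment on when its value is meaningful. It is registered with PHASE_REQUEST_BODY, and msc_hpp is set incrementally as cookies and arguments are parsed, so a rule evaluated before body parameters have been parsed would see only the repeats found up to that point. Suggested comment: `/* HPP: 1 once a repeated argument or cookie name has been seen; evaluate in phase 2 or later so body parameters are included */`. The enclosing function starts outside the hunk.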

