Naxsi pulls body_var contents into name and dishonors whitelist

[hobochili]

Naxsi will in certain cases pull the contents of a body field variable into its name and dishonor the whitelist. The issue can arise when the first letter of a rule string (for instance, h in https://), but not the whole rule string, is found in the name of a body variable.

Version:
I've tested on and reproduced in 0.54 and master.

To reproduce:
Add this to your whitelist:
BasicRule wl:1101 "mz:$BODY_VAR:thumbnail_url";

Then pass this request:
curl --data "thumbnail_url=https://i.ytimg.com/vi/LFfS4p3Tl0k/hqdefault.jpg" localhost

Expected result:
Request should pass

Actual result:
Request is blocked. Even though https:// is whitelisted for the contents of BODY_VAR:thumbnail_url, Naxsi flags it because it somehow finds the https:// token in the name of the variable.

Here is the log:

2016/04/26 14:31:25 [debug] 18042#0: *1 is rule [1101] whitelisted in zone BODY for item thumbnail_url
2016/04/26 14:31:25 [debug] 18042#0: *1 hashing varname [thumbnail_url]
2016/04/26 14:31:25 [debug] 18042#0: *1 hashing varname [thumbnail_url] (rule:1101) - 'wl:X_VAR:thumbnail_url'
2016/04/26 14:31:25 [debug] 18042#0: *1 Possible whitelist ... check...
2016/04/26 14:31:25 [debug] 18042#0: *1 Name match in zone BODY
2016/04/26 14:31:25 [debug] 18042#0: *1 is rule [1101] whitelisted in zone BODY for item thumbnail_url
2016/04/26 14:31:25 [debug] 18042#0: *1 extra: exception happened in |NAME
2016/04/26 14:31:25 [debug] 18042#0: *1 hashing varname [thumbnail_url]
2016/04/26 14:31:25 [debug] 18042#0: *1 hashing varname [thumbnail_url] (rule:1101) - 'wl:X_VAR:thumbnail_url'
2016/04/26 14:31:25 [debug] 18042#0: *1 Possible whitelist ... check...
2016/04/26 14:31:25 [debug] 18042#0: *1 whitelist targets content, but rule matched name.
2016/04/26 14:31:25 [debug] 18042#0: *1 hashing varname [thumbnail_url] (rule:1101) - 'wl:X_VAR:thumbnail_url|NAME'
2016/04/26 14:31:25 [debug] 18042#0: *1 hashing uri#1 [/] (rule:1101) ($URL:X|URI)
2016/04/26 14:31:25 [debug] 18042#0: *1 hashing uri#3 [#/] (rule:1101) ($URL:X|ZONE|NAME)
2016/04/26 14:31:25 [debug] 18042#0: *1 hashing MIX [#/#thumbnail_url] ($URL:x|$X_VAR:y) or ($URL:x|$X_VAR:y|NAME)
2016/04/26 14:31:25 [error] 18042#0: *1 NAXSI_EXLOG: ip=127.0.0.1&server=localhost&uri=/&id=1101&zone=BODY|NAME&var_name=https://i.ytimg.com/vi/LFfS4p3Tl0k/hqdefault.jpg&content=thumbnail_url, c
lient: 127.0.0.1, server: localhost, request: "POST / HTTP/1.1", host: "localhost"
2016/04/26 14:31:25 [error] 18042#0: *1 NAXSI_FMT: ip=127.0.0.1&server=localhost&uri=/&learning=0&vers=0.55rc1&total_processed=1&total_blocked=1&block=1&cscore0=$RFI&score0=8&zone0=BODY|NAME&id0
=1101&var_name0=thumbnail_url, client: 127.0.0.1, server: localhost, request: "POST / HTTP/1.1", host: "localhost"

Notes:

• The issue persists with the following whitelist as well:
  BasicRule wl:1101 "mz:BODY";
• The issue does not appear in the following configuration:

   BasicRule  wl:1101 "mz:$BODY_VAR:tumbnail_url";
   curl --data "tumbnail_url=https://i.ytimg.com/vi/LFfS4p3Tl0k/hqdefault.jpg" localhost

Workaround:
Since Naxsi is erroneously flagging the warning in the BODY|NAME zone, you can un-intuitively allow such requests with the following combination of whitelist entries:

BasicRule  wl:1101 "mz:$BODY_VAR:thumbnail_url";
BasicRule  wl:1101 "mz:$BODY_VAR:thumbnail_url|NAME";

Fix:
The bug exists in the strfaststr function. I'll submit a pull request shortly.

[buixor]

Hello,

thank you for this detailed issue, I'm trying to have a look at it soon (hopefully this week)

Best regards,

[buixor]

Thanks, closing issue