Bug 235304 - false positives from modsecurity_crs_50_outbound.conf for responses with encoded content
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_security
Version: 5
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Michael Fleming
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-04-04 23:07 UTC by Gilbert E. Detillieux
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-13 07:17:10 UTC


Attachments
patch to modsecurity_crs_50_outbound.conf (deleted)
2007-04-04 23:07 UTC, Gilbert E. Detillieux

Description Gilbert E. Detillieux 2007-04-04 23:07:24 UTC
Description of problem:
Rules in the modsecurity_crs_50_outbound.conf file report false positives
(fortunately just as warnings, and not as severe errors) for valid responses to
legitimate requests, if those responses have encoded content that happens to
match one of the (very brief) regular expressions.

Version-Release number of selected component (if applicable):
2.1.0-3.fc5 (as well as .fc6)

How reproducible:
always

Steps to Reproduce:
1. Install mod_security, run "service httpd restart"
2. Access pages that will have encoded content (e.g. from mediawiki)
3. View error_log, modsec_audit.log, and modsec_debug.log
  
Actual results:
A sample error_log entry I got...
[Tue Apr 03 20:48:19 2007] [error] [client 1.2.3.4] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [hostname "www.example.com"] [uri "/mediawiki/index.php"] [unique_id "pg-Qn4KzHDUAAB-pXHcAAAAE"]

Since some of the rules (id 970903 and 970902) have very short regular
expressions ("\<\%" and "<\?(?!xml)", resp.) requiring only a couple characters
to match, compressed binary data can easily trigger them.  The chained rules
that follow are negative rules, so we typically don't get a match on those,
resulting in a false positive.

Expected results:
Cleaner logs, without the false positives.  :)

Additional info:
Ideally, mod_security should be fixed upstream, to handle encoded content
better.  They are apparently aware of the problem, as suggested by this post...

http://www.archivesat.com/mod-security_users/thread2630168.htm

In the meantime, the rules can be "toughened up" a bit to avoid the false
positives.  (See attached patch.)
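To make the chain mechanism concrete, here is an added Python sketch. It is not part of the bug report, the Core Rule Set or the attached patch (which is deleted); it reconstructs the two-link logic described above from the bug text and the error_log line, and shows why an encoded body slips through. The signature regex is copied from the log line as printed (including its stray "B" characters); the t:lowercase transform on both links, the constructed sample bodies, and the content-type/encoding gate in inspect_response are assumptions made for the illustration.

```python
import re

# Added illustration of the rule-chain logic described in the report; this is
# not the Core Rule Set file itself and not the attached patch.  The two links
# are reconstructed from the bug text and the error_log line quoted above:
#   link 1: "<%" (rule 970903's short positive pattern, t:lowercase assumed)
#   link 2: the file-signature list, applied as a NEGATED operator, so the
#           chain alerts only when no known binary signature is present.
SOURCE_TAG = re.compile(rb"<%")
FILE_SIGNATURES = re.compile(          # copied from the log line as printed
    rb"(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)"
    rb"|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"
)


def crs_970903_alerts(body: bytes) -> bool:
    """Return True when the reconstructed 970903 chain would log a warning."""
    lowered = body.lower()                          # t:lowercase on both links
    if SOURCE_TAG.search(lowered) is None:          # link 1 must match ...
        return False
    return FILE_SIGNATURES.search(lowered) is None  # ... and link 2 (negated) must not


# Constructed sample bodies (not captured traffic).
LEAKED_ASP = b'<html><% Response.Write("hello") %></html>'   # genuine leak
# Opaque compressed-looking bytes that happen to contain "<%"; the gzip magic
# (1f 8b) is not on the signature list, so nothing exempts it: false positive.
COMPRESSED_LIKE = (b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03"
                   b"\xed\x9c<%\x7f\xd6K\x8a\xe1\x15\x02\x9b\x1a")
# A GIF whose pixel data also contains "<%": "gif" is on the list, so no alert.
GIF_BODY = b"GIF89a\x01\x00\x01\x00<%\x00\x00\xff\x00;"


# Illustrative hardening (an assumption, not the bug's attachment): only hand
# bodies to the chain when the response is uncompressed text, which is the
# kind of filtering ModSecurity's SecResponseBodyMimeType directive is for.
TEXT_TYPES = ("text/", "application/xhtml+xml")


def inspect_response(headers: dict, body: bytes) -> str:
    """Return 'skipped', 'alert' or 'clean' for one response."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    encoding = headers.get("Content-Encoding", "identity").strip().lower()
    if encoding != "identity" or not ctype.startswith(TEXT_TYPES):
        return "skipped"
    return "alert" if crs_970903_alerts(body) else "clean"


if __name__ == "__main__":
    for name, body in (("leaked ASP", LEAKED_ASP),
                       ("compressed-like", COMPRESSED_LIKE),
                       ("GIF", GIF_BODY)):
        print(f"{name:16s} alerts={crs_970903_alerts(body)}")
    print(inspect_response({"Content-Type": "text/html",
                            "Content-Encoding": "gzip"}, COMPRESSED_LIKE))
```

Running it shows the three outcomes the report describes: the genuine ASP fragment alerts, the compressed-looking bytes alert just the same because nothing in the exemption list recognises them, and the GIF is let through only because its magic happens to be one of the listed signatures. Gating on the declared content type and encoding removes the second case without weakening the first.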

Comment 1 Gilbert E. Detillieux 2007-04-04 23:07:25 UTC
Created attachment 151718 [details]
patch to modsecurity_crs_50_outbound.conf

Comment 2 Michael Fleming 2007-04-06 09:57:06 UTC
Yeah, this should really be an upstream fix and reported there (I take the stock
Core Rules without adjustments or patches in my regular builds) however the
patch looks simple enough - I'll give them a local run and if there's no
negative impact I'll run up a new build to fix this one. 

Comment 3 Michael Fleming 2007-09-13 07:17:10 UTC
Can you try this with an updated Fedora + mod_security? The core rules have been
updated since this version and may no longer need patching.

Plus, FC5 is EOL - but you probably knew that anyway. I'm about to push 2.1.3
out the door in the next day or so for most branches.


