[solved] modsecurity bug - can't block traffic when HTTP request header is missing

Discussion in 'Bug Reports' started by c0ldshadow, Dec 31, 2013.

  1. c0ldshadow

    c0ldshadow New Member

    using litespeed 4.2.6

    The following rule doesn't block requests to test.php which are missing the Accept-Language header:

    SecFilterSelective REQUEST_URI "/test\.php" chain
    SecFilterSelective HTTP_Accept-Language "^$"


    Please advise when the bug is fixed or if there is a workaround.
    Last edited by a moderator: Jan 3, 2014
  2. mistwang

    mistwang LiteSpeed Staff

    replace the second rule with

    You should stop using modsec 1.9 syntax, use >2.0 rule syntax.
  3. c0ldshadow

    c0ldshadow New Member

    Thanks for the quick reply.

    I actually already tried the above but it doesn't work either:

    SecRule REQUEST_URI "/test\.php" chain
    SecRule &REQUEST_HEADERS:Accept-Language "@eq 0"

    I have other mod_security rules which work fine (e.g. I can see the blocks when tailing the audit logs), but the one above doesn't work.

    Test method: curl http://blah.com/test.php (I can verify the Accept-Language header isn't set based on the Wireshark capture).


    I have gracefully restarted LiteSpeed each time I edit the rules.
  4. mistwang

    mistwang LiteSpeed Staff

  5. c0ldshadow

    c0ldshadow New Member

    OK, I put those settings on.

    rule:

    SecRule REQUEST_URI "/deathsgate\.png" chain
    SecRule &REQUEST_HEADERS:Accept-Language "@eq 0"

    test case:

    curl http://securityengineer.pro/deathsgate.png



    logs:

    2013-12-31 14:03:32.739 [INFO] [10.1.250.210:62537-0#securityengineer.pro] [SECURITY] match [REQUEST_URI] against pattern [/deathsgate\.png], result: 1
    2013-12-31 14:03:32.739 [INFO] [10.1.250.210:62537-0#securityengineer.pro] [SECURITY] match [&REQUEST_HEADERS:Accept-Language] against pattern [@eq 0], result: 0

    Shouldn't the last line say "result: 1", since Accept-Language doesn't appear in this packet, and then the request would be blocked?
  6. c0ldshadow

    c0ldshadow New Member

    Hi, just wanted to check if there is any update on this. Still not having any luck getting this to work.

    thanks for the help troubleshooting

    best regards
  7. mistwang

    mistwang LiteSpeed Staff

    It should be a bug, we will fix it now.
  8. c0ldshadow

    c0ldshadow New Member

    OK, cool, thanks a ton for the help. Do you have an ETA for when the fix will be made?


    best regards
    -Avery
  9. mistwang

    mistwang LiteSpeed Staff

    Please do a force reinstall of 4.2.6, should be fixed now.
  10. c0ldshadow

    c0ldshadow New Member

    thanks, it is fixed
  11. DraCoola

    DraCoola Member

    How to revert to older 4.2.6?
    This update brings 403s everywhere on my servers (using the Atomic ruleset).

    ------------------------------------------------------
    [client 202.67.39.21] mod_security: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Content-Length' '!^0$'] [ID "392301"] [Msg "Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [MatchedString ""]
    ------------------------------------------------------

    I'll revert to 4.2.5
  12. c0ldshadow

    c0ldshadow New Member

    DraCoola, the rule may be working properly. Do you have the logs of the full request to see if Content-Type was in fact missing from the headers? It might just be a rule prone to false positives which suddenly got turned on.
  13. DraCoola

    DraCoola Member

    Hi c0ldshadow,

    The log which I found on apache/logs/error_log was this :

    -------------------------------------
    [ID: 392301] [Msg: Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header]2014-01-03 01:49:04.545 [NOTICE] [xxx.xxx.xxx.xxx:51084-0#APVH_162.213.211.40:443_xxxxxxxx.com] Content len: 0, Request line: 'GET /images/clients.gif HTTP/1.1'
    -------------------------------------

    All kinds of sites produce the same error massively after updating to the latest 4.2.6.
    I have browsed those 403 sites with Firefox, Internet Explorer, and Chrome.
  14. c0ldshadow

    c0ldshadow New Member

    Odd.

    Is it possible to increase the verbosity of the logs to see the entire HTTP request headers?

    In my logs I log the entire request.
  15. DraCoola

    DraCoola Member

    I can set SecDebugLogLevel to 9.
    But pardon me that I cannot switch to the newest 4.2.6 right now, because all sites on the servers are currently in their busy hour.
    Also, many 403s will get visitors blocked by the firewall.
    So I will try to switch to 4.2.6 later.
    I am now on 4.2.5 *sigh*
  16. mistwang

    mistwang LiteSpeed Staff

    Please force reinstall 4.2.6 again.
    I was trying to make

    SecRule REQUEST_HEADERS:Accept-Language "^$"

    work, but Apache mod_security treats REQUEST_HEADERS:Content-Length differently: if it does not exist, Apache uses a value of "0".
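    To make the three behaviours in this thread concrete (the `&VAR "@eq 0"` count form from post 5, the `"^$"` form the first rebuild tried to support, and the Content-Length special case in the post above), here is an added Python model of how a SecRule header target expands before its operator runs. It is illustrative code written for this page, not ModSecurity, LiteSpeed or Atomicorp code. The sample requests are constructed; the "missing header becomes an empty string" behaviour of the first 4.2.6 rebuild and the Content-Type link of rule 392301 are assumptions drawn from the log lines quoted earlier, not from the ruleset itself.

```python
import re

# Constructed sample requests (header lists), not captures from the thread.
GET_NO_LANG = [("Host", "example.test"), ("User-Agent", "curl/7.33.0"), ("Accept", "*/*")]
GET_WITH_LANG = GET_NO_LANG + [("Accept-Language", "en-US")]
POST_NO_CTYPE = [("Host", "example.test"), ("Content-Length", "12")]


def header_values(headers, name):
    """All values of header `name`, case-insensitively: the REQUEST_HEADERS:name collection."""
    return [v for k, v in headers if k.lower() == name.lower()]


def expand_target(headers, target, missing_as_empty=False, defaults=None):
    """Expand a SecRule target into the strings the operator will be run against.

    '&REQUEST_HEADERS:X' always yields exactly one string: the count of X.
    'REQUEST_HEADERS:X' yields one string per occurrence of X; when X is absent
    it normally yields nothing, so the operator has nothing to run on.
    missing_as_empty: yield "" for an absent header instead (assumption: models
      the first 4.2.6 rebuild, which tried to make "^$" match a missing header).
    defaults: value substituted for a named header when it is absent (assumption:
      models the staff reply that Apache uses "0" for a missing Content-Length).
    """
    defaults = defaults or {}
    count_mode = target.startswith("&")
    name = target.lstrip("&").split(":", 1)[1]
    values = header_values(headers, name)
    if count_mode:
        return [str(len(values))]
    if not values:
        if name.lower() in defaults:
            return [defaults[name.lower()]]
        return [""] if missing_as_empty else []
    return values


def apply_operator(value, operator, arg):
    """The two operators used in the thread: @rx (regex search) and @eq (numeric equality)."""
    if operator == "@rx":
        return re.search(arg, value) is not None
    if operator == "@eq":
        return int(value or 0) == int(arg)
    raise ValueError("unsupported operator: " + operator)


def rule_matches(headers, target, operator, arg, **expand_opts):
    """One SecRule line: a leading '!' negates the operator per target; the rule
    matches if any expanded target matches; no targets at all means no match."""
    negate = operator.startswith("!")
    op = operator.lstrip("!")
    return any(apply_operator(v, op, arg) != negate
               for v in expand_target(headers, target, **expand_opts))


def chain_matches(headers, rules, **expand_opts):
    """A SecRule ... chain: every link must match for the request to be blocked."""
    return all(rule_matches(headers, t, op, arg, **expand_opts) for t, op, arg in rules)


# The two forms from the thread for "Accept-Language is missing".
COUNT_FORM = [("&REQUEST_HEADERS:Accept-Language", "@eq", "0")]
REGEX_FORM = [("REQUEST_HEADERS:Accept-Language", "@rx", "^$")]

# Shape of Atomicorp rule 392301 as it appears in the quoted log line: content present
# (Content-Length not "0") but no Content-Type. The Content-Type link is an assumption.
ATOMIC_392301 = [("REQUEST_HEADERS:Content-Length", "!@rx", "^0$"),
                 ("&REQUEST_HEADERS:Content-Type", "@eq", "0")]


def scenarios():
    """Which requests each rule form blocks under each semantic model."""
    return {
        # The count target always exists, so this form works on every engine.
        "count_form_blocks_missing": chain_matches(GET_NO_LANG, COUNT_FORM),
        "count_form_blocks_present": chain_matches(GET_WITH_LANG, COUNT_FORM),
        # "^$" against an absent header: no target, so no match under stock semantics...
        "regex_form_stock": chain_matches(GET_NO_LANG, REGEX_FORM),
        # ...and a match only if the engine feeds "" to the operator.
        "regex_form_missing_as_empty": chain_matches(GET_NO_LANG, REGEX_FORM, missing_as_empty=True),
        # The 403 on a plain GET: "" is not "0", so !^0$ fires, and Content-Type is absent too.
        "atomic_get_missing_as_empty": chain_matches(GET_NO_LANG, ATOMIC_392301, missing_as_empty=True),
        # Second rebuild: a missing Content-Length reads as "0" like Apache, the GET passes.
        "atomic_get_with_default": chain_matches(GET_NO_LANG, ATOMIC_392301, missing_as_empty=True,
                                                 defaults={"content-length": "0"}),
        # Stock semantics: no Content-Length target at all, the chain never fires on the GET.
        "atomic_get_stock": chain_matches(GET_NO_LANG, ATOMIC_392301),
        # A POST with a body but no Content-Type is blocked under every model, as intended.
        "atomic_post_no_ctype": chain_matches(POST_NO_CTYPE, ATOMIC_392301),
    }
```

    The practical takeaway is the one c0ldshadow arrived at: test for an absent header with the count form `&REQUEST_HEADERS:Name "@eq 0"`, which has a target even when the header is missing, and do not rely on an empty-string match, whose behaviour depends on how the engine represents a missing variable (and, for Content-Length, on whether it substitutes "0").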
  17. DraCoola

    DraCoola Member

    Last edited: Jan 2, 2014
  18. DraCoola

    DraCoola Member

    Hi George, I'll try your 4.2.6 again and bring my update here soon
    Thanks!
  19. DraCoola

    DraCoola Member

    Wonderful support, George.
    It now works like the old 4.2.6.
    And I hope it also still work for c0ldshadow.
    Thank you very much!
