[Resolved] modsecurity bug - can't block traffic when HTTP request header is missing


c0ldshadow

Well-Known Member
#1
Using LiteSpeed 4.2.6.

The following rule doesn't block requests to test.php which are missing the Accept-Language header:
Code:
SecFilterSelective REQUEST_URI "/test\.php" chain
SecFilterSelective HTTP_Accept-Language "^$"

Please advise when the bug is fixed or if there is a workaround.

c0ldshadow

Well-Known Member
#3
Thanks for the quick reply.

I actually already tried the above but it doesn't work either:
Code:
SecRule REQUEST_URI "/test\.php" chain
SecRule &REQUEST_HEADERS:Accept-Language "@eq 0"

I have other mod_security rules which work fine (e.g. I can see the blocks when tailing the audit logs), but the one above doesn't work.

Test method is curl http://blah.com/test.php (I can verify the Accept-Language header isn't set based on the Wireshark capture).


I have gracefully restarted LiteSpeed each time I edit the rules.

c0ldshadow

Well-Known Member
#5
OK, I put those settings on.

Rule:
Code:
SecRule REQUEST_URI "/deathsgate\.png" chain
SecRule &REQUEST_HEADERS:Accept-Language "@eq 0"
Test case:
Code:
curl http://securityengineer.pro/deathsgate.png
Logs:
Code:
2013-12-31 14:03:32.739 [INFO] [10.1.250.210:62537-0#securityengineer.pro] [SECURITY] match [REQUEST_URI] against pattern [/deathsgate\.png], result: 1
2013-12-31 14:03:32.739 [INFO] [10.1.250.210:62537-0#securityengineer.pro] [SECURITY] match [&REQUEST_HEADERS:Accept-Language] against pattern [@eq 0], result: 0

Shouldn't the last line say "result: 1" since Accept-Language doesn't appear in this packet, and then the request would be blocked?

c0ldshadow

Well-Known Member
#6
Hi, just wanted to check if there is any update on this. Still not having any luck getting this to work.

Thanks for the help troubleshooting.

Best regards

mistwang

LiteSpeed Staff
#7
> 2013-12-31 14:03:32.739 [INFO] [10.1.250.210:62537-0#securityengineer.pro] [SECURITY] match [&REQUEST_HEADERS:Accept-Language] against pattern [@eq 0], result: 0
>
> Shouldn't the last line say "result: 1" since Accept-Language doesn't appear in this packet, and then the request would be blocked?

It should be a bug; we will fix it now.

DraCoola

Well-Known Member
#11
How to revert to older 4.2.6?
This update brings 403 everywhere, anywhere on my servers (using the Atomic Ruleset).

Code:
[client 202.67.39.21] mod_security: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Content-Length' '!^0$'] [ID "392301"] [Msg "Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [MatchedString ""]

I'll revert to 4.2.5.

c0ldshadow

Well-Known Member
#12
DraCoola, the rule may be working properly. Do you have the logs of the full request to see if Content-Type was in fact missing from the header? It might just be a rule prone to false positives which suddenly got turned on.

DraCoola

Well-Known Member
#13
Hi c0ldshadow,

The log which I found in apache/logs/error_log was this:
Code:
[ID: 392301] [Msg: Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header]2014-01-03 01:49:04.545 [NOTICE] [xxx.xxx.xxx.xxx:51084-0#APVH_162.213.211.40:443_xxxxxxxx.com] Content len: 0, Request line: 'GET /images/clients.gif HTTP/1.1'

All kinds of sites produce the same error massively after updating to the latest 4.2.6.
I have browsed those 403 sites with Firefox, Internet Explorer, and Chrome.

DraCoola

Well-Known Member
#15
I can set SecDebugLogLevel to 9.
But pardon me that I cannot switch to the newest 4.2.6 right now because all sites on the servers are currently in their busy hour.
And also, many 403s will get visitors blocked by the firewall.
So I will try to switch to 4.2.6 later.
I am now on 4.2.5. *sigh*

mistwang

LiteSpeed Staff
#16
Please force reinstall 4.2.6 again.
I was trying to make
Code:
SecRule REQUEST_HEADERS:Accept-Language "^$"
work, but Apache mod_sec treats REQUEST_HEADERS:Content-Length differently: if it does not exist, Apache uses the value "0".
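To make the two behaviours discussed in this thread concrete, here is an added example (not LiteSpeed's or ModSecurity's code, and not a real rule engine): a small Python model that evaluates the poster's chained rule and the Atomic rule 392301 against two constructed requests. It shows why "&" counting a missing header as 0 is the right way to detect a missing Accept-Language, and why treating a missing header as an empty string causes "!^0$" on Content-Length to fire on every body-less request unless Content-Length defaults to "0" as the staff reply describes. The request dicts, header values and the apache_compat switch are assumptions made for the example.

```python
import re

# Constructed sample requests (not the thread's captures): a curl GET with no
# Accept-Language header, and a browser image fetch with no body, so neither a
# Content-Type nor a Content-Length header is sent.
CURL_GET = {"uri": "/test.php", "headers": {
    "Host": "securityengineer.pro", "User-Agent": "curl/7.30.0", "Accept": "*/*"}}
BROWSER_GIF = {"uri": "/images/clients.gif", "headers": {
    "Host": "example.test", "User-Agent": "Mozilla/5.0", "Accept": "image/*",
    "Accept-Language": "en-US,en;q=0.5"}}

def present_values(request, target):
    """Values actually carried by a target; [] when the header is absent."""
    if target == "REQUEST_URI":
        return [request["uri"]]
    name = target.split(":", 1)[1].lower()
    return [v for k, v in request["headers"].items() if k.lower() == name]

def eval_rule(request, target, operator, apache_compat=True):
    """Evaluate one SecRule target/operator pair; True means it matched.
    '&' yields the number of values, so a missing header counts as 0.  A
    missing header matched as a string is treated as "" (the behaviour the
    thread says the 4.2.6 build tried to provide), except Content-Length,
    which Apache mod_security treats as "0" when absent (staff reply)."""
    if target.startswith("&"):
        vals = [str(len(present_values(request, target[1:])))]
    else:
        vals = present_values(request, target)
        if not vals:
            missing_cl = apache_compat and target.lower().endswith(":content-length")
            vals = ["0"] if missing_cl else [""]
    negate = operator.startswith("!")
    op = operator[1:] if negate else operator
    if op.startswith("@eq "):
        hit = any(v.isdigit() and int(v) == int(op[4:]) for v in vals)
    else:
        hit = any(re.search(op, v) for v in vals)
    return hit != negate                  # '!' inverts the match

def chain_blocks(request, links, apache_compat=True):
    """A chained rule blocks only when every link matches."""
    return all(eval_rule(request, t, o, apache_compat) for t, o in links)

# The thread's rules: the poster's chain and the Atomic rule that fired.
MISSING_LANG = [("REQUEST_URI", r"/test\.php"),
                ("&REQUEST_HEADERS:Accept-Language", "@eq 0")]
ATOMIC_392301 = [("REQUEST_HEADERS:Content-Length", "!^0$")]

if __name__ == "__main__":
    print("curl blocked:", chain_blocks(CURL_GET, MISSING_LANG))                         # True
    print("gif 403, missing header as '':", chain_blocks(BROWSER_GIF, ATOMIC_392301, False))  # True
    print("gif 403, Apache-compatible:", chain_blocks(BROWSER_GIF, ATOMIC_392301))       # False
```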

DraCoola

Well-Known Member
#17
According to this page: https://www.atomicorp.com/wiki/index.php/WAF_392301

I thought the latest lsws 4.2.6 suddenly "cannot read" Content-Type?

DraCoola

Well-Known Member
#18
> Please force reinstall 4.2.6 again.
> I was trying to make
>
> SecRule REQUEST_HEADERS:Accept-Language "^$"
>
> work, but Apache mod_sec treats REQUEST_HEADERS:Content-Length differently: if it does not exist, Apache uses the value "0".

Hi George, I'll try your 4.2.6 again and bring my update here soon.
Thanks!