ModSecurity

WWVzLCB0aGlzIGlzIHdoYXQgSSB3YXMgdGFsa2luZyBhYm91dC4NCg0KfiBPZmVyDQoNCj4gLS0t
LS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0NCj4gRnJvbTogbW9kLXNlY3VyaXR5LXVzZXJzLWJvdW5j
ZXNAbGlzdHMuc291cmNlZm9yZ2UubmV0IFttYWlsdG86bW9kLQ0KPiBzZWN1cml0eS11c2Vycy1i
b3VuY2VzQGxpc3RzLnNvdXJjZWZvcmdlLm5ldF0gT24gQmVoYWxmIE9mIFJ1YmVuIExhcmENCj4g
U2VudDogVHVlc2RheSwgU2VwdGVtYmVyIDI1LCAyMDA3IDY6MzggUE0NCj4gVG86IG1vZC1zZWN1
cml0eS11c2Vyc0BsaXN0cy5zb3VyY2Vmb3JnZS5uZXQNCj4gU3ViamVjdDogW21vZC1zZWN1cml0
eS11c2Vyc10gQ29ycmVjdGlvbjsgJTAwIGNoYXIgYW5kIDk2MDkwMSBydWxlDQo+IA0KPiANCj4g
U29ycnksIGkgbWlzdGFrZQ0KPiBJIHNhaWQ6DQo+IFNlY1J1bGUgQVJHU3xBUkdTX05BTUVTICJA
dmFsaWRhdGVCeXRlUmFuZ2UgMS0yNTUiIFwNCj4gICAgICAgICAiZGVueSxsb2csYXVkaXRsb2cs
c3RhdHVzOjQwMCxtc2c6J0ludmFsaWQgY2hhcmFjdGVyIGluDQo+IHJlcXVlc3QnLCxpZDonOTYw
OTAxJyxzZXZlcml0eTonNCcscGhhc2U6MiINCj4gU2VjUnVsZSBSRVFVRVNUX0hFQURFUlM6UmVm
ZXJlciAiQHZhbGlkYXRlQnl0ZVJhbmdlIDEtMjU1IiBcDQo+ICAgICAgICAgImRlbnksbG9nLGF1
ZGl0bG9nLHN0YXR1czo0MDAsbXNnOidJbnZhbGlkIGNoYXJhY3RlciBpbg0KPiByZXF1ZXN0Jyws
aWQ6Jzk2MDkxMScsc2V2ZXJpdHk6JzQnLHQ6dXJsRGVjb2RlVW5pLHBoYXNlOjIiDQo+IA0KPiBU
aGFuayB1DQo+IFJ1YmXFhCBMYXJhDQo+IF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQo+IMKhWWEgZXN0w6EgYXF1w60gV2lu
ZG93cyBMaXZlIFNwYWNlcyEgQWhvcmEgcG9kcsOhcyBjcmVhciBmw6FjaWxtZW50ZSB0dQ0KPiBw
cm9waW8gc2l0aW8gV2ViLg0KPiBodHRwOi8vc3BhY2VzLmxpdmUuY29tL3NpZ251cC5hc3B4DQo+
IC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tDQo+IC0tDQo+IFRoaXMgU0YubmV0IGVtYWlsIGlzIHNwb25zb3JlZCBi
eTogTWljcm9zb2Z0DQo+IERlZnkgYWxsIGNoYWxsZW5nZXMuIE1pY3Jvc29mdChSKSBWaXN1YWwg
U3R1ZGlvIDIwMDUuDQo+IGh0dHA6Ly9jbGsuYXRkbXQuY29tL01SVC9nby92c2UwMTIwMDAwMDcw
bXJ0L2RpcmVjdC8wMS8NCj4gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX18NCj4gbW9kLXNlY3VyaXR5LXVzZXJzIG1haWxpbmcgbGlzdA0KPiBtb2Qtc2VjdXJp
dHktdXNlcnNAbGlzdHMuc291cmNlZm9yZ2UubmV0DQo+IGh0dHBzOi8vbGlzdHMuc291cmNlZm9y
Z2UubmV0L2xpc3RzL2xpc3RpbmZvL21vZC1zZWN1cml0eS11c2Vycw0K

Well, this is a bug and a feature:

I will start with the bug. The rule correctly tries to identify encoded =
null character in the request as those have no valid use and are used in =
many exploits and evasion techniques.=20

However the rule implicitly performs double decoding as ARGS are decoded =
when parsing and than the rule itself performs a urlDecodeUni =
transformation. So you wrote "%00". The browser sent "%2500", encoding =
the percent sign which is OK. Than we decoded to "%00" and again to a =
null character, on which we alerted.

We have an open ticket to split the rule to two, one handling ARGS & =
ARGS_NAMES that are already decoded and the other location which should =
be decoded.

As to the feature: saying all that, an application sometimes double =
decode, so a %00 in the input might be dangerous. It is hard to protect =
a web site that deals with technology, and more specifically with =
security. Just think about this e-mail: would it pass an application =
firewall?

~ Ofer

Ofer Shezaf
ofers@..., Phone:+972-9-9560036 #212, Cell: +972-54-4431119

Leader, ModSecurity Core Rule Set Project;
CTO, Breach Security; Chair, OWASP Israel;=20


> -----Original Message-----
> From: mod-security-users-bounces@... [mailto:mod-
> security-users-bounces@...] On Behalf Of Ruben Lara
> Sent: Tuesday, September 25, 2007 1:08 PM
> To: mod-security-users@...
> Subject: [mod-security-users] %00 char and 960901 rule
>=20
>=20
> Hi,
> Im trying to post in my phpbb forum a line wich contain %00 char and i
> get a false positive:
>=20
> [Mon Sep 24 21:41:29 2007] [error] [client 192.168.1.50] ModSecurity:
> Access denied with code 400 (phase 2). Found 1 byte(s) outside range:
> 1-255. [id "960901"] [msg "Invalid character in request"] [severity
> "WARNING"] [hostname "www.bermejator.com"] [uri
> =
"/forum/posting.php?mode=3Dedit&f=3D33&sid=3D1bbae563df5ac108526808f52b7b=
24d1
> &t=3D13&p=3D19"] [unique_id "zo1qB8CoAW4AASoSC7UAAAAF"]
>=20
> Why this char is out of range=BF? how can i solve it=BF?
>=20
> Thank u
> Rub=E9n Lara
> _________________________________________________________________
> Consigue el nuevo Windows Live Messenger
> http://get.live.com/messenger/overview
> =
-----------------------------------------------------------------------
> --
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

I don't know if i understand all:
I did next change:

SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
        "deny,log,auditlog,status:400,msg:'Invalid character in request',,i=
d:'960901',severity:'4',phase:2"
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" =
\
        "deny,log,auditlog,status:400,msg:'Invalid character in request',,i=
d:'960901',severity:'4',t:urlDecodeUni,phase:2"



----------------------------------------> Subject: RE: [mod-security-users]=
 %00 char and 960901 rule> Date: Tue, 25 Sep 2007 07:55:07 -0400> From: Ofe=
rS@...> To: bermejator@...; mod-security-users@...=
orge.net>> Well, this is a bug and a feature:>> I will start with the bug. =
The rule correctly tries to identify encoded null character in the request =
as those have no valid use and are used in many exploits and evasion techni=
ques.>> However the rule implicitly performs double decoding as ARGS are de=
coded when parsing and than the rule itself performs a urlDecodeUni transfo=
rmation. So you wrote "%00". The browser sent "%2500", encoding the percent=
 sign which is OK. Than we decoded to "%00" and again to a null character, =
on which we alerted.>> We have an open ticket to split the rule to two, one=
 handling ARGS & ARGS_NAMES that are already decoded and the other location=
 which should be decoded.>> As to the feature: saying all that, an applicat=
ion sometimes double decode, so a %00 in the input might be dangerous. It i=
s hard to protect a web site that deals with technology, and more specifica=
lly with security. Just think about this e-mail: would it pass an applicati=
on firewall?>> ~ Ofer>> Ofer Shezaf> ofers@..., Phone:+972-9-9560036=
 #212, Cell: +972-54-4431119>> Leader, ModSecurity Core Rule Set Project;> =
CTO, Breach Security; Chair, OWASP Israel;>>>> -----Original Message----->>=
 From: mod-security-users-bounces@... [mailto:mod->> secu=
rity-users-bounces@...] On Behalf Of Ruben Lara>> Sent: T=
uesday, September 25, 2007 1:08 PM>> To: mod-security-users@...=
ge.net>> Subject: [mod-security-users] %00 char and 960901 rule>>>>>> Hi,>>=
 Im trying to post in my phpbb forum a line wich contain %00 char and i>> g=
et a false positive:>>>> [Mon Sep 24 21:41:29 2007] [error] [client 192.168=
.1.50] ModSecurity:>> Access denied with code 400 (phase 2). Found 1 byte(s=
) outside range:>> 1-255. [id "960901"] [msg "Invalid character in request"=
] [severity>> "WARNING"] [hostname "www.bermejator.com"] [uri>> "/forum/pos=
ting.php?mode=3Dedit&f=3D33&sid=3D1bbae563df5ac108526808f52b7b24d1>> &t=3D1=
3&p=3D19"] [unique_id "zo1qB8CoAW4AASoSC7UAAAAF"]>>>> Why this char is out =
of range=BF? how can i solve it=BF?>>>> Thank u>> Rub=E9n Lara>>=20
_________________________________________________________________
Llama a tus amigos de PC a PC: =A1Es GRATIS!
http://get.live.com/messenger/overview=

Why are you not using the latest 2.1.3?  Have you tried that version?

If you could get me a backtrace that would be great.  Just send it to me
privately.  See: http://httpd.apache.org/dev/debugging.html

Also, please note any other modules you are loading/using.  If you would
send your apache/modsec config that would be great as well.

thanks,
-B

hanj wrote:
> Hello All
> 
> I'm running into a segfault issue with the latest upgrade to
> mod_sec-2.1.2. I just upgraded to apache-2.2 and mod_sec-2.1.2
> lastnight, and I'm starting to see some files in /tmp that point to
> potential issues with mod_sec on my server. These files also correlate
> with Apache Seg Faults.. but nothing is in modsec_audit.log or
> modsec_debug.log with the time or unique ID.
> 
> Any ideas how to isolate this?
> 
> -rw-------  1 apache apache     0 Sep 24 05:31
> 20070924-053156-98m3oUE9nXMAAFCnrIMAAAAR-file-pOVRWi
> -rw-------  1 apache apache     0 Sep 24 07:09
> 20070924-070916-U@...
> -rw-------  1 apache apache     0 Sep 24 09:22
> 20070924-092242-MRbbJEE9nXMAAD44ML0AAAAL-file-JMQDHo
> -rw-------  1 apache apache 91844 Sep 24 12:12
> 20070924-121227-kCVsM0E9nXMAAA8ol@...
> -rw-------  1 apache apache     0 Sep 24 15:16
> 20070924-151626-IiW5REE9nXMAAF1jIRcAAAAI-file-rICMwH
> -rw-------  1 apache apache     0 Sep 24 15:20
> 20070924-152038-MTFiLkE9nXMAAFuzEoAAAAAD-file-qU2nn1
> -rw-------  1 apache apache     0 Sep 24 15:23
> 20070924-152306-OgI-QEE9nXMAAGBuXosAAAAP-file-0UQQLj
> -rw-------  1 apache apache     0 Sep 24 15:32
> 20070924-153257-XTjscUE9nXMAAF09ZXoAAAAE-file-HVuOIJ
> -rw-------  1 apache apache     0 Sep 24 15:36
> 20070924-153630-ad8ukEE9nXMAAGWqV1UAAAAH-file-gYpkuQ
> -rw-------  1 apache apache     0 Sep 24 15:41
> 20070924-154146-fLp9@...
> -rw-------  1 apache apache     0 Sep 24 16:05
> 20070924-160501-z@...
> -rw-------  1 apache apache     0 Sep 24 16:05
> 20070924-160524-0TzFm0E9nXMAAHH3zTEAAAAI-file-zllhVW
> -rw-------  1 apache apache     0 Sep 24 16:05
> 20070924-160552-0u5C2kE9nXMAAGzKYCUAAAAP-file-J9rml7
> -rw-------  1 apache apache     0 Sep 24 16:06
> 20070924-160626-1PcBWEE9nXMAAHRL4cIAAAAE-file-mEkDl3
> -rw-------  1 apache apache     0 Sep 24 16:06
> 20070924-160650-1mZPQEE9nXMAAHS7xmQAAAAP-file-90G58M
> -rw-------  1 apache apache     0 Sep 24 16:07
> 20070924-160727-2JrPCkE9nXMAAHUnP3sAAAAV-file-QsEarx
> -rw-------  1 apache apache     0 Sep 24 16:07
> 20070924-160751-2gFapUE9nXMAAHUkPr8AAAAP-file-8VkCcv
> -rw-------  1 apache apache     0 Sep 24 16:08
> 20070924-160835-3Kd2dkE9nXMAAHYSLHwAAAAC-file-iLI43Z
> -rw-------  1 apache apache     0 Sep 24 16:31
> 20070924-163153-L-QWqUE9nXMAAH6C0-QAAAAT-file-V2pHMN
> -rw-------  1 apache apache     0 Sep 24 16:33
> 20070924-163302-NB2oA0E9nXMAAH6Q-7oAAAAe-file-RGqSWk
> -rw-------  1 apache apache     0 Sep 24 16:35
> 20070924-163556-Pm1RzUE9nXMAAH6bJwIAAAAo-file-ZrH22g
> -rw-------  1 apache apache     0 Sep 24 16:40
> 20070924-164002-TRmK5UE9nXMAAARWPBEAAAAQ-file-yM89j7
> -rw-------  1 apache apache     0 Sep 24 16:42
> 20070924-164215-VQf-nUE9nXMAAAQippUAAAAL-file-doJPld
> -rw-------  1 apache apache     0 Sep 24 17:27
> 20070924-172702-9Tt-PEE9nXMAABYzYpEAAAAE-file-z83cW6
> -rw-------  1 apache apache     0 Sep 24 17:35
> 20070924-173506-Eg92jkE9nXMAABJRGEIAAAAG-file-WeH8PQ
> -rw-------  1 apache apache     0 Sep 24 17:39
> 20070924-173936-IijOhkE9nXMAABefSh0AAAAE-file-EXnO8b
> -rw-------  1 apache apache     0 Sep 24 17:41
> 20070924-174119-KEZ@...
> 
> 
> 
> [Mon Sep 24 05:31:57 2007] [notice] child pid 20647 exit signal
> Segmentation fault (11)
> [Mon Sep 24 07:09:17 2007] [notice] child pid 4065 exit signal
> Segmentation fault (11)
> [Mon Sep 24 09:22:43 2007] [notice] child pid 15928 exit signal
> Segmentation fault (11)
> [Mon Sep 24 12:12:29 2007] [notice] child pid 3880 exit signal
> Segmentation fault (11)
> [Mon Sep 24 15:16:27 2007] [notice] child pid 23907 exit signal
> Segmentation fault (11)
> [Mon Sep 24 15:20:39 2007] [notice] child pid 23475 exit signal
> Segmentation fault (11)
> [Mon Sep 24 15:23:07 2007] [notice] child pid 24686 exit signal
> Segmentation fault (11)
> [Mon Sep 24 15:32:57 2007] [notice] child pid 23869 exit signal
> Segmentation fault (11)
> [Mon Sep 24 15:36:30 2007] [notice] child pid 26026 exit signal
> Segmentation fault (11)
> [Mon Sep 24 15:41:46 2007] [notice] child pid 26085 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:05:03 2007] [notice] child pid 28263 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:05:24 2007] [notice] child pid 29175 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:05:53 2007] [notice] child pid 27850 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:06:28 2007] [notice] child pid 29771 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:06:51 2007] [notice] child pid 29883 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:07:28 2007] [notice] child pid 29991 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:07:51 2007] [notice] child pid 29988 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:08:35 2007] [notice] child pid 30226 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:31:53 2007] [notice] child pid 32386 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:33:03 2007] [notice] child pid 32400 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:35:56 2007] [notice] child pid 32411 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:40:02 2007] [notice] child pid 1110 exit signal
> Segmentation fault (11)
> [Mon Sep 24 16:42:16 2007] [notice] child pid 1058 exit signal
> Segmentation fault (11)
> [Mon Sep 24 17:27:03 2007] [notice] child pid 5683 exit signal
> Segmentation fault (11)
> [Mon Sep 24 17:35:07 2007] [notice] child pid 4689 exit signal
> Segmentation fault (11)
> [Mon Sep 24 17:39:36 2007] [notice] child pid 6047 exit signal
> Segmentation fault (11)
> [Mon Sep 24 17:41:19 2007] [notice] child pid 6808 exit signal
> Segmentation fault (11)
> 
> The file that's not zero length is a JPG, so I tested uploads, and
> everything worked as expected. Not sure why I'm not seeing the unique
> ID in the logs. I did not have any problems with the older version
> ( apache-2.0.58-r2 / mod_security-2.1.1-r1 ). Unfortunately, rolling
> back will be a major pain.
> 
> Here are my logging options:
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^[45]"
> SecAuditLogType Serial
> SecAuditLog /var/log/apache2/modsec_audit.log
> SecAuditLogParts "ABIFHZ"
> SecDebugLog /var/log/apache2/modsec_debug.log
> SecDebuLogLogLevel 3
> 
> The bottom line.. I'm unable to reproduce this.
> 
> Thanks!
> hanj
> 
> 
> 
> 
> 
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users


-- 
Brian Rectanus
Breach Security

Additionally the output of 'httpd -V' would be good to have.

thanks,
-B

Brian Rectanus wrote:
> Why are you not using the latest 2.1.3?  Have you tried that version?
> 
> If you could get me a backtrace that would be great.  Just send it to me
> privately.  See: http://httpd.apache.org/dev/debugging.html
> 
> Also, please note any other modules you are loading/using.  If you would
> send your apache/modsec config that would be great as well.
> 
> thanks,
> -B
> 
> hanj wrote:
>> Hello All
>>
>> I'm running into a segfault issue with the latest upgrade to
>> mod_sec-2.1.2. I just upgraded to apache-2.2 and mod_sec-2.1.2
>> lastnight, and I'm starting to see some files in /tmp that point to
>> potential issues with mod_sec on my server. These files also correlate
>> with Apache Seg Faults.. but nothing is in modsec_audit.log or
>> modsec_debug.log with the time or unique ID.
>>
>> Any ideas how to isolate this?
>>
>> -rw-------  1 apache apache     0 Sep 24 05:31
>> 20070924-053156-98m3oUE9nXMAAFCnrIMAAAAR-file-pOVRWi
>> -rw-------  1 apache apache     0 Sep 24 07:09
>> 20070924-070916-U@...
>> -rw-------  1 apache apache     0 Sep 24 09:22
>> 20070924-092242-MRbbJEE9nXMAAD44ML0AAAAL-file-JMQDHo
>> -rw-------  1 apache apache 91844 Sep 24 12:12
>> 20070924-121227-kCVsM0E9nXMAAA8ol@...
>> -rw-------  1 apache apache     0 Sep 24 15:16
>> 20070924-151626-IiW5REE9nXMAAF1jIRcAAAAI-file-rICMwH
>> -rw-------  1 apache apache     0 Sep 24 15:20
>> 20070924-152038-MTFiLkE9nXMAAFuzEoAAAAAD-file-qU2nn1
>> -rw-------  1 apache apache     0 Sep 24 15:23
>> 20070924-152306-OgI-QEE9nXMAAGBuXosAAAAP-file-0UQQLj
>> -rw-------  1 apache apache     0 Sep 24 15:32
>> 20070924-153257-XTjscUE9nXMAAF09ZXoAAAAE-file-HVuOIJ
>> -rw-------  1 apache apache     0 Sep 24 15:36
>> 20070924-153630-ad8ukEE9nXMAAGWqV1UAAAAH-file-gYpkuQ
>> -rw-------  1 apache apache     0 Sep 24 15:41
>> 20070924-154146-fLp9@...
>> -rw-------  1 apache apache     0 Sep 24 16:05
>> 20070924-160501-z@...
>> -rw-------  1 apache apache     0 Sep 24 16:05
>> 20070924-160524-0TzFm0E9nXMAAHH3zTEAAAAI-file-zllhVW
>> -rw-------  1 apache apache     0 Sep 24 16:05
>> 20070924-160552-0u5C2kE9nXMAAGzKYCUAAAAP-file-J9rml7
>> -rw-------  1 apache apache     0 Sep 24 16:06
>> 20070924-160626-1PcBWEE9nXMAAHRL4cIAAAAE-file-mEkDl3
>> -rw-------  1 apache apache     0 Sep 24 16:06
>> 20070924-160650-1mZPQEE9nXMAAHS7xmQAAAAP-file-90G58M
>> -rw-------  1 apache apache     0 Sep 24 16:07
>> 20070924-160727-2JrPCkE9nXMAAHUnP3sAAAAV-file-QsEarx
>> -rw-------  1 apache apache     0 Sep 24 16:07
>> 20070924-160751-2gFapUE9nXMAAHUkPr8AAAAP-file-8VkCcv
>> -rw-------  1 apache apache     0 Sep 24 16:08
>> 20070924-160835-3Kd2dkE9nXMAAHYSLHwAAAAC-file-iLI43Z
>> -rw-------  1 apache apache     0 Sep 24 16:31
>> 20070924-163153-L-QWqUE9nXMAAH6C0-QAAAAT-file-V2pHMN
>> -rw-------  1 apache apache     0 Sep 24 16:33
>> 20070924-163302-NB2oA0E9nXMAAH6Q-7oAAAAe-file-RGqSWk
>> -rw-------  1 apache apache     0 Sep 24 16:35
>> 20070924-163556-Pm1RzUE9nXMAAH6bJwIAAAAo-file-ZrH22g
>> -rw-------  1 apache apache     0 Sep 24 16:40
>> 20070924-164002-TRmK5UE9nXMAAARWPBEAAAAQ-file-yM89j7
>> -rw-------  1 apache apache     0 Sep 24 16:42
>> 20070924-164215-VQf-nUE9nXMAAAQippUAAAAL-file-doJPld
>> -rw-------  1 apache apache     0 Sep 24 17:27
>> 20070924-172702-9Tt-PEE9nXMAABYzYpEAAAAE-file-z83cW6
>> -rw-------  1 apache apache     0 Sep 24 17:35
>> 20070924-173506-Eg92jkE9nXMAABJRGEIAAAAG-file-WeH8PQ
>> -rw-------  1 apache apache     0 Sep 24 17:39
>> 20070924-173936-IijOhkE9nXMAABefSh0AAAAE-file-EXnO8b
>> -rw-------  1 apache apache     0 Sep 24 17:41
>> 20070924-174119-KEZ@...
>>
>>
>>
>> [Mon Sep 24 05:31:57 2007] [notice] child pid 20647 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 07:09:17 2007] [notice] child pid 4065 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 09:22:43 2007] [notice] child pid 15928 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 12:12:29 2007] [notice] child pid 3880 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 15:16:27 2007] [notice] child pid 23907 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 15:20:39 2007] [notice] child pid 23475 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 15:23:07 2007] [notice] child pid 24686 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 15:32:57 2007] [notice] child pid 23869 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 15:36:30 2007] [notice] child pid 26026 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 15:41:46 2007] [notice] child pid 26085 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:05:03 2007] [notice] child pid 28263 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:05:24 2007] [notice] child pid 29175 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:05:53 2007] [notice] child pid 27850 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:06:28 2007] [notice] child pid 29771 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:06:51 2007] [notice] child pid 29883 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:07:28 2007] [notice] child pid 29991 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:07:51 2007] [notice] child pid 29988 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:08:35 2007] [notice] child pid 30226 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:31:53 2007] [notice] child pid 32386 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:33:03 2007] [notice] child pid 32400 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:35:56 2007] [notice] child pid 32411 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:40:02 2007] [notice] child pid 1110 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 16:42:16 2007] [notice] child pid 1058 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 17:27:03 2007] [notice] child pid 5683 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 17:35:07 2007] [notice] child pid 4689 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 17:39:36 2007] [notice] child pid 6047 exit signal
>> Segmentation fault (11)
>> [Mon Sep 24 17:41:19 2007] [notice] child pid 6808 exit signal
>> Segmentation fault (11)
>>
>> The file that's not zero length is a JPG, so I tested uploads, and
>> everything worked as expected. Not sure why I'm not seeing the unique
>> ID in the logs. I did not have any problems with the older version
>> ( apache-2.0.58-r2 / mod_security-2.1.1-r1 ). Unfortunately, rolling
>> back will be a major pain.
>>
>> Here are my logging options:
>> SecAuditEngine RelevantOnly
>> SecAuditLogRelevantStatus "^[45]"
>> SecAuditLogType Serial
>> SecAuditLog /var/log/apache2/modsec_audit.log
>> SecAuditLogParts "ABIFHZ"
>> SecDebugLog /var/log/apache2/modsec_debug.log
>> SecDebuLogLogLevel 3
>>
>> The bottom line.. I'm unable to reproduce this.
>>
>> Thanks!
>> hanj
>>
>>
>>
>>
>>
>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2005.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 
> 


-- 
Brian Rectanus
Breach Security