Re: [mod-security-users] [Modsecurity] ErrorDocument problem with 2.1.3
From: Brian R. <Bri...@br...> - 2007-11-15 06:26:44
Took this off of gotroot.com list and put it here. See comments inline...

> I noticed that if I put this:
>
> SecRule REQUEST_URI attack
>
> In the second line of my main configuration file
> (modsecurity_crs_10_config.conf) - right after "SecRuleEngine on" the
> modified error page comes up as expected.

This would cause a deny with a 403 status code and your ErrorDocument 403 would handle it here.

> However, if I put the same line /after/ all the lines in that file, I
> get two "Internal Server Error" messages, plus an embedded internal

Define what you mean by two messages. Two on a single page, or some type of redirect?

> server error message "Additionally, a 500 Internal Server Error error
> was encountered while trying to use an ErrorDocument to handle the request."
>
> It seems like the culprit is:
>
> SecDefaultAction "phase:2,log,deny,status:500"
>
> If I put that sample rule BEFORE the above line, ErrorDocument is OK. If
> I put it AFTER that line, ErrorDocument breaks.
>
> What would be the correct setting to make sure that the custom error
> messages appear correctly? And more importantly, why would the above
> default action break it?

Anything after it would use a 500 status and the ErrorDocument 500 directive. Are these two (403 and 500) directives different?

> I am just trying to wrap my head around these rules, and tweaking is
> driving me nuts, so sorry if I am asking a dumb question.

There were problems with the ErrorDocument directive in 2.1.2 and I thought I had them fixed in 2.1.3. If there are still problems after verifying that the 403 and 500 ErrorDocuments are the same (or of similar type), then please send me more data:

* Your config (at least the ErrorDocument directives and order of all your LoadModule/LoadFile). A simple, single file, stripped down config I could use to duplicate would be ideal.
* Your Platform and OS.
* Apache httpd version and how installed (binary or from source).
* How did you install ModSecurity (binary or source)?

Additionally, would you try ModSecurity 2.1.4-rc4 to see if this fixes your problem?

thanks,
-B

--
Brian Rectanus
Breach Security
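
Added example, not part of the original message and not ModSecurity project code: a small Python check that walks a single flat config file and reports, for each SecRule, which status the preceding SecDefaultAction gives it and which ErrorDocument (if any) is configured for that status, so the 403 and 500 handlers can be compared as the reply asks. It assumes one directive per line, the 403 default stated in the reply, and a made-up ErrorDocument path in the constructed sample.

```python
import re
import shlex

# Status used before any SecDefaultAction: the reply above says such a rule
# denies with 403 (taken as the built-in default for this sketch).
BUILTIN_STATUS = 403

# Constructed sample: the rule from the thread on both sides of the
# SecDefaultAction line. The ErrorDocument path is made up.
SAMPLE = """\
SecRuleEngine On
ErrorDocument 403 /errors/blocked.html
SecRule REQUEST_URI attack
SecDefaultAction "phase:2,log,deny,status:500"
SecRule REQUEST_URI attack
"""

def _status(actions, fallback):
    """Pull status:NNN out of an action list, else use the fallback."""
    m = re.search(r"\bstatus:(\d{3})\b", actions)
    return int(m.group(1)) if m else fallback

def audit(config_text):
    """Return ([(line, pattern, status, error_document_or_None)], error_docs)."""
    error_docs, rules = {}, []
    default_status = BUILTIN_STATUS
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        name = parts[0].lower()
        if name == "errordocument" and len(parts) >= 3:
            error_docs[int(parts[1])] = parts[2]
        elif name == "secdefaultaction" and len(parts) >= 2:
            # Applies to the rules that follow it in the file.
            default_status = _status(parts[1], BUILTIN_STATUS)
        elif name == "secrule" and len(parts) >= 3:
            own_actions = parts[3] if len(parts) > 3 else ""
            rules.append((lineno, parts[2], _status(own_actions, default_status)))
    # Resolve ErrorDocument last, so its position in the file does not matter.
    return [(n, p, s, error_docs.get(s)) for n, p, s in rules], error_docs

if __name__ == "__main__":
    for lineno, pattern, status, doc in audit(SAMPLE)[0]:
        print(f"line {lineno}: SecRule {pattern!r} -> status {status}, "
              f"ErrorDocument {doc or 'NOT SET (server default page)'}")
```
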