[mod-security-users] Upgraded to 2.1.2- Internal Error / Splitting Attack
From: Jerry <gm...@ho...> - 2007-08-09 19:09:00
I just upgraded to 2.1.2. I'm receiving a couple of errors which I don't think are right:

1. Internal Error

[Thu Aug 09 10:46:04 2007] [error] [client nn.nn.nn.nn] ModSecurity: Internal Error: Asked to intercept request in phase 1668834605. [hostname "widgets.co.uk"] [uri "/mystyles.css"]
[Thu Aug 09 09:33:00 2007] [error] [client nn.nn.nn.nn] ModSecurity: Internal Error: Asked to intercept request in phase 1668834605. [hostname "widgets.co.uk"] [uri "/images/dot.gif"]

This only seems to happen with .css, .gif, .jpg and .js files. A connection could be that in the httpd.conf file I turn off access logging for those types of files:

**** httpd.conf
SetEnvIf Request_URI "(\.gif|\.jpg|\.png|\.css|\.js)$" no_log
CustomLog /logs/widgets_access.log "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v \"%{x-forwarded-for}i\" \"%{CLIENT-IP}i\"" env=!no_log
********

It is intermittent in that it does not happen for every visitor to the site, though. Only some are setting this off.

2. HTTP Response Splitting Attack. Matched signature <%0a>

[Thu Aug 09 12:00:40 2007] [error] [client nn.nn.nn.nn] ModSecurity: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"] [hostname www.widgets555.co.uk] [uri "/"]
[Wed Aug 08 21:55:53 2007] [error] [client nn.nn.nn.nn] ModSecurity: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"] [hostname www.widgets555.co.uk] [uri "/widget_info.php?info=colour&widgetid=65722"]

I am getting a lot of these, but again it is only for some users! I have turned off this rule for now, as a handful of users (at least two I can confirm are genuine visitors) are triggering this. I do suspect, though, that it is catching a few bad guys, but at the expense of some good guys.

I don't think 1. is a problem for the site, as I believe the images are being shown and it's just that modsec doesn't like it. 2. is a problem, though. Is it safe to use with the rule turned off? I did not have that rule with the earlier version of modsec, and I am using PHP 5.2.3, which I believe is protected from the HTTP splitting vulnerability.
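The two log shapes quoted in the post can be triaged mechanically. The following is an added example, not code from the list post or from ModSecurity itself: it parses such error-log lines, flags the nonsensical phase number from item 1 (ModSecurity 2.x only has phases 1 to 5), and tallies rule 950910 hits per client so they can be compared against the visitors the poster knows to be genuine. The sample lines and the 192.0.2.x client addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on those quoted in the post
# (client addresses are documentation-range placeholders).
SAMPLE_LOG = """\
[Thu Aug 09 10:46:04 2007] [error] [client 192.0.2.10] ModSecurity: Internal Error: Asked to intercept request in phase 1668834605. [hostname "widgets.co.uk"] [uri "/mystyles.css"]
[Thu Aug 09 12:00:40 2007] [error] [client 192.0.2.20] ModSecurity: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"] [hostname www.widgets555.co.uk] [uri "/"]
[Wed Aug 08 21:55:53 2007] [error] [client 192.0.2.20] ModSecurity: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"] [hostname www.widgets555.co.uk] [uri "/widget_info.php?info=colour&widgetid=65722"]
"""

CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
# Tagged fields such as [id "950910"], [hostname www.example], [uri "/"]
TAG_RE = re.compile(r'\[(\w+) "?([^"\]]*)"?\]')
PHASE_RE = re.compile(r'phase (\d+)')
VALID_PHASES = range(1, 6)  # ModSecurity 2.x processing phases are 1-5

def parse_line(line):
    """Extract client, phase and the bracketed tags from one ModSecurity error-log line."""
    rec = {"client": None, "phase": None, "internal_error": "Internal Error" in line}
    m = CLIENT_RE.search(line)
    if m:
        rec["client"] = m.group(1)
    m = PHASE_RE.search(line)
    if m:
        rec["phase"] = int(m.group(1))
    # Only the part after "ModSecurity:" carries the [key "value"] tags; this
    # keeps the [date] and [error] prefixes out of the tag scan.
    tail = line.split("ModSecurity:", 1)[-1]
    for key, val in TAG_RE.findall(tail):
        rec[key] = val
    return rec

def triage(log_text):
    """Return (suspicious internal errors, Counter of (rule id, client) hits)."""
    bad_phase = []
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        rec = parse_line(line)
        # A phase outside 1-5 is the symptom from item 1: an engine fault, not a real block.
        if rec["internal_error"] or (rec["phase"] is not None and rec["phase"] not in VALID_PHASES):
            bad_phase.append((rec["client"], rec.get("uri")))
        elif "id" in rec:
            hits[(rec["id"], rec["client"])] += 1
    return bad_phase, hits
```

Repeated 950910 hits from one client across ordinary URIs point at a cookie value that legitimately contains an encoded newline, which is the false-positive case the poster is trying to separate from genuine attacks.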