[mod-security-users] Upgraded to 2.1.2- Internal Error / Splitting Attack

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I just upgraded to 2.1.2. I'm receiving a couple of errors which I don't
think are right:

1. Internal Error

[Thu Aug 09 10:46:04 2007] [error] [client nn.nn.nn.nn] ModSecurity:
Internal Error: Asked to intercept request in phase 1668834605. [hostname
"widgets.co.uk"] [uri "/mystyles.css"]

[Thu Aug 09 09:33:00 2007] [error] [client nn.nn.nn.nn] ModSecurity:
Internal Error: Asked to intercept request in phase 1668834605. [hostname
"widgets.co.uk"] [uri "/images/dot.gif"]

This only seems to happen with .css .gif .jpg and .js files. A connection
could be that in the httpd.conf file I turn off access logging for those
types of files:

**** httpd.conf

    SetEnvIf Request_URI "(\.gif|\.jpg|\.png|\.css|\.js)$" no_log
    CustomLog /logs/widgets_access.log "%a %l %u %t \"%r\" %>s %b
\"%{Referer}i\" \"%{User-Agent}i\" %T %v \"%{x-forwarded-for}i\"
\"%{CLIENT-IP}i\"" env=!no_log

********

It is intermittent in that it does not happen for every visitor to the site
though. Only some are setting this off.

2. HTTP Response Splitting Attack. Matched signature <%0a>

[Thu Aug 09 12:00:40 2007] [error] [client nn.nn.nn.nn] ModSecurity: Access
denied with code 400 (phase 2). Pattern match "%0[ad]" at
REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack.
Matched signature <%0a>"] [severity "ALERT"] [hostname www.widgets555.co.uk]
[uri "/"]

[Wed Aug 08 21:55:53 2007] [error] [client nn.nn.nn.nn] ModSecurity: Access
denied with code 400 (phase 2). Pattern match "%0[ad]" at
REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack.
Matched signature <%0a>"] [severity "ALERT"] [hostname www.widgets555.co.uk]
[uri "/widget_info.php?info=colour&widgetid=65722"]

I am getting a lot of these, but again it is only for some users! I have
turned off this rule for now as a handful of users (at least two I can
confirm are genuine visitors) are triggering this. I do suspect though that
it is catching a few bad guys but at the expense of some good guys.

I don't think 1. is a problem for the site as I believe the images are being
shown and just that modsec doesn't like it.

2. is a problem though. Is it safe to use with the rule turned off? I did
not have that rule with earlier version of modsec and I am using php 5.2.3
which I believe is protected from the http splitting vulnerability.