Thread: [mod-security-users] Friendly blocking fails when HTTP status set
From: Walter H. <mo...@sp...> - 2013-09-15 15:57:40
Hi all,

I'm battling a problem with friendly ErrorDocuments and ModSecurity. (I suspected the CRS, but now reproduced it myself with a minimal example.)

If a script sets any non-200 status code, Apache does not do the 'friendly error' trick which is in the ModSecurity handbook. Instead, you get a default Apache 509 error, with "a 509 unused error was encountered while trying to use an ErrorDocument to handle the request."

For example, if I use the following minimal example:

    SecDefaultAction phase:2,deny,log,status:509
    ErrorDocument 509 /modsecurity-errorpage/
    Alias /modsecurity-errorpage/ /opt/httpd/etc/apache22/mod_security2/errorpage/
    <Directory "/opt/httpd/etc/apache22/mod_security2/errorpage/">
        Order allow,deny
        Allow from all
    </Directory>

    SecRule RESPONSE_BODY "WEED" id:101010,phase:4,deny

If I call some script test.php which contains:

    <?php echo 'WEED';

Then ModSec blocks it, I see my friendly blocking page and everything is great.

However, if I put this in test.php:

    <?php header('HTTP/1.0 420'); echo 'WEED';

Or any other non-200 header... Then it's no more friendly blocking: I get "a 509 unused error was encountered while trying to use an ErrorDocument to handle the request."

When I put some debug code in my errorpage that writes to the filesystem, I verify that the errorpage does not get executed at all.

I experience this problem in the CRS, as it wisely catches 5xx response statuses ("Application not available"). But the default Apache 509 error is so ugly that it forces me to not do friendly blocking.

I have the feeling that Apache internally carries over the status code from the original request, so it refuses to handle the ErrorDocument. (An external ErrorDocument *does* work, but that does not allow me access to request variables.)

I don't know if this can be mitigated, but I'm at a loss. Any input would be appreciated :)

My version: ModSecurity 2.7.4 for Apache 2.2.25 on FreeBSD 8.4.

Cheers,
WH
From: Reindl H. <h.r...@th...> - 2013-09-15 16:02:17
On 15.09.2013 17:38, Walter Hop wrote:
> I'm battling a problem with friendly ErrorDocuments and ModSecurity. (I suspected the CRS, but now reproduced it myself with a minimal example.)
>
> If a script sets any non-200 status code, Apache does not do the 'friendly error' trick which is in the ModSecurity handbook. Instead, you get a default Apache 509 error, with "a 509 unused error was encountered while trying to use an ErrorDocument to handle the request."
>
> For example, if I use the following minimal example:
>
> SecDefaultAction phase:2,deny,log,status:509
> ErrorDocument 509 /modsecurity-errorpage/
> Alias /modsecurity-errorpage/ /opt/httpd/etc/apache22/mod_security2/errorpage/
> <Directory "/opt/httpd/etc/apache22/mod_security2/errorpage/">
> Order allow,deny
> Allow from all
> </Directory>

there is no error 509
period

why not use existing status codes like 400 and define a custom error page for them? this works for sure since we use 400 on all our machines if modsec is triggered

http://www.thelounge.net/%3Cscript
From: Walter H. <mo...@sp...> - 2013-09-15 18:02:47
> there is no error 509
> period
>
> why not using existing status codes like 400 and define for them
> a custom error page? this works for sure since we use 400 on
> all our machines if modsec is triggered
>
> http://www.thelounge.net/%3Cscript

Hi Harald,

I've tried that! I've attempted using error 400, 403, and 406 before mailing the list. The choice of error code has no effect on this problem at all.

If *and only if* a website script sent a non-200 response status, and ModSecurity blocks in phase 3 or 4, no matter what the chosen ModSecurity-generated status is, the custom error page in ErrorDocument is not shown.

For instance, with error 400, Apache says, "Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request."

Can you see your custom ErrorDocument when a website script has sent a non-200 status?
(So to test it, you must trigger some outbound rule; on inbound rules the script just won't run.)

Cheers,
WH
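The check Walter asks for above (does the custom ErrorDocument actually appear when a blocked script had already sent a non-200 status?) can be automated from the client side. This is an added probe script, not code from the thread or from ModSecurity; it assumes the custom error page contains a known marker string and that the blocking status configured in SecDefaultAction is known, and it recognises Apache's fallback wording as quoted in the thread.

```python
"""Probe whether ModSecurity 'friendly blocking' serves the custom
ErrorDocument or falls back to Apache's built-in error page.
Added example for this thread; not part of ModSecurity or the CRS."""
import re
import urllib.error
import urllib.request

# Apache's wording when ErrorDocument handling itself fails, as quoted in the
# thread ("Additionally, a 400 Bad Request error was encountered while ...").
FALLBACK_RE = re.compile(
    r"(?:Additionally, )?a (\d{3}) [^<]*? error was encountered while trying "
    r"to use an ErrorDocument to handle the request")


def classify(status, body, marker, block_status):
    """Classify one HTTP response.
    marker: text only the custom error page contains (assumed, e.g. its title).
    block_status: status set in SecDefaultAction (509 in the thread)."""
    if FALLBACK_RE.search(body):
        return "apache-fallback"        # blocked, but ErrorDocument never ran
    if status == block_status and marker in body:
        return "friendly"               # blocked and custom page served
    if status == block_status:
        return "blocked-unknown-body"   # blocked, body is neither of the above
    return "not-blocked"                # outbound rule did not fire


def probe(url, marker, block_status, timeout=5):
    """Fetch url and classify it; urllib raises on non-2xx, so unwrap that."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"),
                            marker, block_status)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"),
                        marker, block_status)


if __name__ == "__main__":
    import sys
    # Assumed usage: pass two URLs, one whose script returns 200 and one that
    # sets a non-200 header first, both emitting the string an outbound rule
    # matches. A healthy setup reports "friendly" for both.
    for target in sys.argv[1:]:
        print(target, probe(target, marker="ModSecurity block page",
                            block_status=509))
```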
From: Reindl H. <h.r...@th...> - 2013-09-15 18:08:28
On 15.09.2013 20:02, Walter Hop wrote:
>> there is no error 509
>> period
>>
>> why not using existing status codes like 400 and define for them
>> a custom error page? this works for sure since we use 400 on
>> all our machines if modsec is triggered
>>
>> http://www.thelounge.net/%3Cscript
>
> Hi Harald,
>
> I've tried that! I've attempted using error 400, 403, and 406 before mailing the list. The choice of error code has no effect on this problem at all.
>
> If *and only if* a website script sent a non-200 response status, and ModSecurity blocks in phase 3 or 4, no matter what the chosen ModSecurity-generated status is, the custom error page in ErrorDocument is not shown.

I have no single phase 2 or phase 3 rule, as well as no score-based blocking

> For instance, with error 400, Apache says, "Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request."
>
> Can you see your custom ErrorDocument when a website script has sent a non-200 status?
> (So to test it, you must trigger some outbound rule; on inbound rules the script just won't run)

no outbound rules here

if I do not trust the output of my own server I have bigger problems than modsec