[ https://www.modsecurity.org/tracker/browse/MODSEC-350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-350.
--------------------------------------
Fix Version/s: 2.7.2
Resolution: Fixed
> ModSecurityIIS:Outbound protections are not working
> ---------------------------------------------------
>
> Key: MODSEC-350
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-350
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Core
> Affects Versions: 2.7.0
> Environment: Server:IIS8 on Windows Server 2012
> Test Client: Wfetch on Windows Server 2008 R2
> Reporter: akurmi
> Assignee: Breno Silva Pinto
> Labels: IIS, ModSecurityIIS
> Fix For: 2.7.2
>
> Attachments: conf1.zip
>
>
> Here are the modsecurity rules:
> # Weblogic information disclosure
> SecRule RESPONSE_STATUS "^500$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',chain,t:none,capture,ctl:auditLogParts=+E,block,msg:'WebLogic information disclosure',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970021',severity:'3'"
> SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
> output from ModSecurityIIS:
> REQUEST: **************\nGET /testserver.aspx HTTP/1.1\r\n
> Response-Status: 500 Internal Server Error\r\n
> Response-Content: <title>JSP compile error</title>\r\n
> Host: iis-e111s\r\n
> Accept: */*\r\n
> \r\n
> RESPONSE: **************\nHTTP/1.1 500 Internal Server Error\r\n
> Cache-Control: private\r\n
> Content-Type: text/html; charset=utf-8\r\n
> Server: Microsoft-IIS/8.0\r\n
> X-AspNet-Version: 2.0.50727\r\n
> X-Powered-By: ASP.NET\r\n
> Date: Wed, 24 Oct 2012 05:29:52 GMT\r\n
> Content-Length: 3026\r\n
> \r\n
> <html>\r\n
> <head>\r\n
> <title>Runtime Error</title>\r\n
> <style>\r\n
> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} \r\n
> p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}\r\n
> b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}\r\n
> H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }\r\n
> H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }\r\n
> pre {font-family:"Lucida Console";font-size: .9em}\r\n
> .marker {font-weight: bold; color: black;text-decoration: none;}\r\n
> .version {color: gray;}\r\n
> .error {margin-bottom: 10px;}\r\n
> .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }\r\n
> </style>\r\n
> </head>\r\n
> \r\n
> <body bgcolor="white">\r\n
> \r\n
> <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n
> \r\n
> <h2> <i>Runtime Error</i> </h2></span>\r\n
> \r\n
> <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">\r\n
> \r\n
> <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.\r\n
> <br><br>\r\n
> \r\n
> <b>Details:</b> To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".<br><br>\r\n
> \r\n
> <table width=100% bgcolor="#ffffcc">\r\n
> <tr>\r\n
> <td>\r\n
> <code><pre>\r\n
> \r\n
> <!-- Web.Config Configuration File -->\r\n
> \r\n
> <configuration>\r\n
> <system.web>\r\n
> <customErrors mode="Off"/>\r\n
> </system.web>\r\n
> </configuration></pre></code>\r\n
> \r\n
> </td>\r\n
> </tr>\r\n
> </table>\r\n
> \r\n
> <br>\r\n
> \r\n
> <b>Notes:</b> The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.<br><br>\r\n
> \r\n
> <table width=100% bgcolor="#ffffcc">\r\n
> <tr>\r\n
> <td>\r\n
> <code><pre>\r\n
> \r\n
> <!-- Web.Config Configuration File -->\r\n
> \r\n
> <configuration>\r\n
> <system.web>\r\n
> <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>\r\n
> </system.web>\r\n
> </configuration></pre></code>\r\n
> \r\n
> </td>\r\n
> </tr>\r\n
> </table>\r\n
> \r\n
> <br>\r\n
> \r\n
> </body>\r\n
> </html>\r\n
> finished.
> # The application is not available
> SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
> SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
> "phase:4,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970118',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
> Response from ModSecurityIIS:
> REQUEST: **************\nGET /testserver.aspx HTTP/1.1\r\n
> Response-Status: 500 Internal Server Error\r\n
> Response-Content: <title>Microsoft OLE DB Provider for SQL Server</title>\r\n
> Host: iis-e111s\r\n
> Accept: */*\r\n
> \r\n
> RESPONSE: **************\nHTTP/1.1 500 Internal Server Error\r\n
> Cache-Control: private\r\n
> Content-Type: text/html; charset=utf-8\r\n
> Server: Microsoft-IIS/8.0\r\n
> X-AspNet-Version: 2.0.50727\r\n
> X-Powered-By: ASP.NET\r\n
> Date: Wed, 24 Oct 2012 05:31:36 GMT\r\n
> Content-Length: 3026\r\n
> \r\n
> <html>\r\n
> <head>\r\n
> <title>Runtime Error</title>\r\n
> <style>\r\n
> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} \r\n
> p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}\r\n
> b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}\r\n
> H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }\r\n
> H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }\r\n
> pre {font-family:"Lucida Console";font-size: .9em}\r\n
> .marker {font-weight: bold; color: black;text-decoration: none;}\r\n
> .version {color: gray;}\r\n
> .error {margin-bottom: 10px;}\r\n
> .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }\r\n
> </style>\r\n
> </head>\r\n
> \r\n
> <body bgcolor="white">\r\n
> \r\n
> <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n
> \r\n
> <h2> <i>Runtime Error</i> </h2></span>\r\n
> \r\n
> <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">\r\n
> \r\n
> <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.\r\n
> <br><br>\r\n
> \r\n
> <b>Details:</b> To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".<br><br>\r\n
> \r\n
> <table width=100% bgcolor="#ffffcc">\r\n
> <tr>\r\n
> <td>\r\n
> <code><pre>\r\n
> \r\n
> <!-- Web.Config Configuration File -->\r\n
> \r\n
> <configuration>\r\n
> <system.web>\r\n
> <customErrors mode="Off"/>\r\n
> </system.web>\r\n
> </configuration></pre></code>\r\n
> \r\n
> </td>\r\n
> </tr>\r\n
> </table>\r\n
> \r\n
> <br>\r\n
> \r\n
> <b>Notes:</b> The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.<br><br>\r\n
> \r\n
> <table width=100% bgcolor="#ffffcc">\r\n
> <tr>\r\n
> <td>\r\n
> <code><pre>\r\n
> \r\n
> <!-- Web.Config Configuration File -->\r\n
> \r\n
> <configuration>\r\n
> <system.web>\r\n
> <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>\r\n
> </system.web>\r\n
> </configuration></pre></code>\r\n
> \r\n
> </td>\r\n
> </tr>\r\n
> </table>\r\n
> \r\n
> <br>\r\n
> \r\n
> </body>\r\n
> </html>\r\n
> finished.
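To see what the quoted phase-4 chains should do against a captured response before attributing a miss to the engine, here is an added example (my own code, not ModSecurity's or the CRS project's). It models the documented chain semantics: every rule in a chain must match, and the disruptive action and setvar actions on the first rule apply once the whole chain matches. The rule ids and regexes are copied from the report; the sample bodies are constructed, and the value of tx.error_anomaly_score is assumed to be the CRS 2.2.x default of 4, since the report's setup.conf is not shown.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: tx.error_anomaly_score as set by the CRS 2.2.x default setup (not stated in the report).
ERROR_ANOMALY_SCORE = 4


@dataclass
class Rule:
    rule_id: str
    msg: str
    target: str   # "RESPONSE_STATUS" or "RESPONSE_BODY"
    pattern: str  # regex exactly as written in the SecRule


# One inner list per chain; every rule in the list must match for the chain to fire.
# Ids, messages and patterns are the ones quoted in the report.
CHAINS: List[List[Rule]] = [
    [Rule("970021", "WebLogic information disclosure", "RESPONSE_STATUS", r"^500$"),
     Rule("970021", "WebLogic information disclosure", "RESPONSE_BODY",
          r"<title>JSP compile error<\/title>")],
    [Rule("970901", "The application is not available", "RESPONSE_STATUS", r"^5\d{2}$")],
    [Rule("970118", "The application is not available", "RESPONSE_BODY",
          r"(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'"
          r".{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)"
          r"|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a "
          r"configuration error\.<\/h2>|cannot connect to the server: timed out)")],
]

# Constructed body that mirrors the generic ASP.NET page in the quoted responses:
# the title is "Runtime Error", not the JSP string the chain looks for.
RUNTIME_ERROR_BODY = (
    "<html><head><title>Runtime Error</title></head>"
    "<body><h1>Server Error in '/' Application.</h1></body></html>"
)


def _variable(target: str, status: int, body: str) -> str:
    """Resolve the SecRule target to the response variable it inspects."""
    return str(status) if target == "RESPONSE_STATUS" else body


def evaluate_phase4(status: int, body: str) -> Dict[str, object]:
    """Return the chains that fire, the outbound anomaly score they add, and expanded logdata."""
    fired: List[str] = []
    logdata: List[str] = []
    score = 0
    for chain in CHAINS:
        last_match = None
        for rule in chain:
            # ModSecurity compiles patterns with DOTALL, so '.' spans newlines here too.
            m = re.search(rule.pattern, _variable(rule.target, status, body), re.DOTALL)
            if m is None:
                last_match = None
                break
            last_match = (rule, m)
        if last_match is None:
            continue  # chain broken: no block, no setvar
        rule, m = last_match
        fired.append(rule.rule_id)
        score += ERROR_ANOMALY_SCORE  # tx.outbound_anomaly_score=+%{tx.error_anomaly_score}
        # logdata as the rules build it, using the capture from the last rule that matched
        logdata.append(f"[id {rule.rule_id}] {rule.msg}: Matched Data: {m.group(0)} "
                       f"found within {rule.target}")
    return {"fired": fired, "outbound_anomaly_score": score, "logdata": logdata}


if __name__ == "__main__":
    for status, body in [
        (500, "<html><head><title>JSP compile error</title></head></html>"),
        (500, RUNTIME_ERROR_BODY),
        (200, "cannot connect to the server: timed out"),
        (200, "<title>Microsoft OLE DB Provider for SQL Server</title>"),
    ]:
        print(status, evaluate_phase4(status, body))
```

Two things the evaluator makes visible from the rules as quoted: rule 970021 only fires when the response body itself carries the JSP title (a status of 500 alone breaks the chain), and rule 970901 has no `chain` action, so any 5xx status fires it regardless of the body. Feeding the actual body a server returns into `evaluate_phase4` gives the expected outbound score to compare against the engine's audit log.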
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira