[ https://www.modsecurity.org/tracker/browse/MODSEC-364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-364.
--------------------------------------
Resolution: Fixed
> Modsecurity displaying wrong IP Address in Apache 2.4 (as backend) error log
> ----------------------------------------------------------------------------
>
> Key: MODSEC-364
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-364
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Logging
> Affects Versions: 2.7.0, 2.7.1
> Environment: CentOS 5.8 x86, HTTPD 2.4.3
> Reporter: Aditya W
> Assignee: Breno Silva Pinto
> Labels: 2.4.x, httpd
> Fix For: 2.7.2
>
>
> Tested on Apache 2.4.3 with ModSecurity 2.7.0 (first) and then 2.7.1. Both of them display the wrong IP address; it should display 192.168.11.1, not 127.0.0.1 or 192.168.11.2.
> Apache configuration:
> 1. mod_remoteip enabled
> 2. LogFormat parameter has been changed to %a instead of the default %h so Apache can put the correct IP address in the log file
> First Test using this configuration:
> ====================================
> RemoteIPHeader X-Remote-Addr
> RemoteIPInternalProxy 127.0.0.1
> RemoteIPInternalProxy 192.168.11.2
> Access Log
> ----------
> 192.168.11.1 - - [06/Dec/2012:14:49:48 +0700] "GET /test.html?i=%3Cscript%3Etest HTTP/1.1" 403 211 "http://www.domain-1.lan" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
> * Correct IP Address
> Modsecurity Audit Log
> ---------------------
> --aae1f609-A--
> [06/Dec/2012:15:08:59 +0700] UMBSm8CoCwIAABTYwcQAAABA 192.168.11.2 48573 192.168.11.2 82
> --aae1f609-B--
> GET /test.html?i=%3Cscript%3Etest HTTP/1.1
> Host: www.domain-1.lan
> Connection: close
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.domain-1.lan/
> * Wrong IP Address
> Apache Error Log by Modsecurity
> -------------------------------
> [Thu Dec 06 14:59:43.263020 2012] [:error] [pid 5160:tid 3025914768] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at ARGS:i. [file "/usr/local/custom-apps/httpd/apache-2.4/conf/custom/modsec-rules/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: script>test found within ARGS:i: <script>test"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.domain-1.lan"] [uri "/test.html"] [unique_id "UMBQb8CoCwIAABQoXmwAAADA"]
> [Thu Dec 06 15:04:01.802295 2012] [:error] [pid 5264:tid 3025914768] [client 192.168.11.2] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at ARGS:i. [file "/usr/local/custom-apps/httpd/apache-2.4/conf/custom/modsec-rules/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: script>test found within ARGS:i: <script>test"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.domain-1.lan"] [uri "/test.html"] [unique_id "UMBRccCoCwIAABSQ1YsAAADA"]
> Both of them are displaying the wrong IP address; it should be 192.168.11.1.
> Forcing Apache to generate error log
> ------------------------------------
> [Thu Dec 06 14:54:56.483077 2012] [core:alert] [pid 4439:tid 3025914768] [client 192.168.11.1:39711] /home/user-1/public_html/.htaccess: Invalid command 'aaa', perhaps misspelled or defined by a module not included in the server configuration, referer: http://www.domain-1.lan
> * Correct IP Address
> Second test using this configuration
> ====================================
> RemoteIPHeader X-Remote-Addr
> RemoteIPTrustedProxy 127.0.0.1
> RemoteIPTrustedProxy 192.168.11.2
> Note: I think the correct way in this case, if it's on the same machine, is using RemoteIPInternalProxy because, according to https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html:
> Unlike the RemoteIPInternalProxy directive, any intranet or private IP address reported by such proxies, including the 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public 2000::/3 block) are not trusted as the useragent IP, and are left in the RemoteIPHeader header's value
> Access log
> ----------
> 192.168.11.2 - - [06/Dec/2012:15:54:38 +0700] "GET /test.html?i=%3Cscript%3Etest HTTP/1.1" 403 211 "http://www.domain-1.lan/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
> * Wrong IP Address; I believe because of the reason I stated above, but I could be wrong.
> Modsecurity Audit Log
> ---------------------
> --17d7e23e-A--
> [06/Dec/2012:15:54:38 +0700] UMBdTsCoCwIAABq@pdYAAADC 192.168.11.2 48598 192.168.11.2 82
> --17d7e23e-B--
> GET /test.html?i=%3Cscript%3Etest HTTP/1.1
> Host: www.domain-1.lan
> X-Remote-Addr: 192.168.11.1
> Connection: close
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.domain-1.lan/
> * Wrong IP Address but displaying the X-Remote-Addr specified on Apache config
> Forcing Apache to generate error log
> ------------------------------------
> [Thu Dec 06 16:03:28.518751 2012] [core:alert] [pid 7077:tid 3025914768] [client 192.168.11.2:48604] /home/user-1/public_html/.htaccess: Invalid command 'aaa', perhaps misspelled or defined by a module not included in the server configuration, referer: http://www.domain-1.lan/
> * Wrong IP Address
> And I believe that's all. I'm sorry for the long post, but I tried to give as much info as I can.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
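The ticket turns on two things: how mod_remoteip decides which address is the real client (the reporter's note about RemoteIPInternalProxy versus RemoteIPTrustedProxy), and whether the address ModSecurity writes to the error log and audit log agrees with that decision. The following is an added example, not code from the ticket, from ModSecurity or from httpd. The `resolve_client` walk is my model of the documented mod_remoteip behaviour (an assumption, not the module's source), the log lines are constructed from the shortened entries in the report, and all function names are hypothetical. The `waf_log_mismatch` check is the kind of consistency test a defender can run over a sample of WAF log lines to spot when the WAF is attributing blocks to a proxy hop instead of the client.

```python
"""Model of mod_remoteip client-address resolution plus a log consistency check.

Added example; not ModSecurity or httpd code.  The trust walk follows the
mod_remoteip documentation as I read it and is an assumption.
"""
import ipaddress
import re
from typing import Iterable, Optional, Tuple

# Blocks mod_remoteip treats as "intranet" for RemoteIPTrustedProxy
# purposes (taken from the directive documentation quoted in the ticket).
INTRANET_V4 = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def is_intranet(addr: str) -> bool:
    """True if a RemoteIPTrustedProxy must not accept addr as the client."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return any(ip in net for net in INTRANET_V4)
    return ip not in PUBLIC_V6


def resolve_client(peer: str, header_value: Optional[str],
                   internal: Iterable[str] = (),
                   trusted: Iterable[str] = ()) -> Tuple[str, str]:
    """Return (client_ip, remaining_header_value).

    Start at the TCP peer.  While the current address is a listed proxy, pop
    the rightmost address from the header and make it current.  An internal
    proxy may hand us any address; a trusted (non-internal) proxy may only
    hand us a non-intranet address, otherwise the walk stops and that
    address is left in the header, which is what the reporter observed.
    """
    internal_nets = [ipaddress.ip_network(p, strict=False) for p in internal]
    trusted_nets = [ipaddress.ip_network(p, strict=False) for p in trusted]
    chain = ([a.strip() for a in header_value.split(",") if a.strip()]
             if header_value else [])
    current = peer
    while chain:
        cur_ip = ipaddress.ip_address(current)
        via_internal = any(cur_ip in n for n in internal_nets)
        via_trusted = any(cur_ip in n for n in trusted_nets)
        if not (via_internal or via_trusted):
            break                      # reached a non-proxy: this is the client
        candidate = chain[-1]
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                      # non-address in the header: stop here
        if not via_internal and is_intranet(candidate):
            break                      # trusted-only proxy, private hop: keep peer
        chain.pop()
        current = candidate
    return current, ", ".join(chain)


# Client as recorded by an httpd 2.4 error-log line ("[client IP]" or
# "[client IP:port]", IPv4 only here) or by section A of an audit-log entry.
_ERRLOG_CLIENT = re.compile(r"\[client (\d+\.\d+\.\d+\.\d+)(?::\d+)?\]")
_AUDIT_A = re.compile(r"^\[[^\]]+\] \S+ (\S+) \d+ \S+ \d+$")


def logged_client(line: str) -> Optional[str]:
    """Extract the client IP a log line attributes the request to."""
    m = _ERRLOG_CLIENT.search(line)
    if m:
        return m.group(1)
    m = _AUDIT_A.match(line.strip())
    return m.group(1) if m else None


def waf_log_mismatch(line: str, peer: str, header_value: Optional[str],
                     internal: Iterable[str] = (),
                     trusted: Iterable[str] = ()) -> bool:
    """True if the log line names a different client than mod_remoteip would."""
    expected, _ = resolve_client(peer, header_value, internal, trusted)
    return logged_client(line) != expected


# Constructed samples, shortened from the entries in the report.
ERR_LINE = ("[Thu Dec 06 15:04:01.802295 2012] [:error] [pid 5264:tid 3025914768] "
            "[client 192.168.11.2] ModSecurity: Access denied with code 403 (phase 2).")
AUDIT_A_LINE = ("[06/Dec/2012:15:08:59 +0700] UMBSm8CoCwIAABTYwcQAAABA "
                "192.168.11.2 48573 192.168.11.2 82")

if __name__ == "__main__":
    proxies = ["127.0.0.1", "192.168.11.2"]
    print("internal:", resolve_client("192.168.11.2", "192.168.11.1", internal=proxies))
    print("trusted: ", resolve_client("192.168.11.2", "192.168.11.1", trusted=proxies))
    print("error log mismatch:",
          waf_log_mismatch(ERR_LINE, "192.168.11.2", "192.168.11.1", internal=proxies))
```

With the first configuration from the report (internal proxies) the model yields 192.168.11.1, matching the access log's `%a`, while both sample ModSecurity lines still name 192.168.11.2, so the mismatch check fires; with the second configuration (trusted proxies) the private hop 192.168.11.1 is refused and the peer stays the client, which is why the reporter saw 192.168.11.2 in the access log and the error log in that test.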