[Mod-security-developers] [JIRA] Resolved: (MODSEC-376) Nginx server returns 500 instead of 403
From: Breno S. P. (JIRA) <no...@mo...> - 2013-02-04 19:41:25
[ https://www.modsecurity.org/tracker/browse/MODSEC-376?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-376.
--------------------------------------

    Resolution: Fixed

> Nginx server returns 500 instead of 403
> ---------------------------------------
>
>                 Key: MODSEC-376
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-376
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>    Affects Versions: 2.7.1
>         Environment: uname -a
> Linux tamas 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> lsb_release -a
> Distributor ID: Ubuntu
> Description: Ubuntu 12.04.1 LTS
> Release: 12.04
> Codename: precise
> nginx -V
> nginx version: nginx/1.2.6
> built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
> TLS SNI support enabled
> configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-debug --sbin-path=/sbin/nginx --conf-path=/etc/nginx/nginx.conf --with-http_stub_status_module --add-module=/home/modsecurity-apache_2.7.1/nginx/modsecurity
>            Reporter: Tamas Kokeny
>            Assignee: Breno Silva Pinto
>              Labels: nginx
>             Fix For: 2.7.3
>
>
> When I try to use my customised rule (SecRule TIME_HOUR "(19|20)" phase:2,auditlog,id:1,deny,log), Nginx returns 500 instead of ModSecurity's 403.
>
> nginx.debug.log:
>
> 2013/01/10 20:48:26 [debug] 20797#0: *1 modSecurity: handler
> 2013/01/10 20:48:26 [debug] 20797#0: *1 modSecurity: method is not POST
> 2013/01/10 20:48:26 [debug] 20797#0: *1 modSecurity: pass_to_backend
> 2013/01/10 20:48:26 [debug] 20797#0: *1 ModSecurity: status: 403, need action
> 2013/01/10 20:48:26 [debug] 20797#0: *1 http finalize request: 500, "/pic2.png?" a:1, c:1
> 2013/01/10 20:48:26 [debug] 20797#0: *1 http special response: 500, "/pic2.png?"
> 2013/01/10 20:48:26 [debug] 20797#0: *1 http set discard body
> 2013/01/10 20:48:26 [debug] 20797#0: *1 HTTP/1.1 500 Internal Server Error
>
> modsecurity.error.log:
>
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Initialising transaction (txid 12345).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Transaction context created (dcfg 7fd8abe00980).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Starting phase REQUEST_HEADERS.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][9] This phase consists of 0 rule(s).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Second phase starting (dcfg 7fd8abe00980).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Input filter: This request does not have a body.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Starting phase REQUEST_BODY.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][9] This phase consists of 1 rule(s).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Recipe: Invoking rule 7fd8abde9700; [file "/etc/nginx/modsecurity.conf"] [line "5"] [id "1"].
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][5] Rule 7fd8abde9700: SecRule "TIME_HOUR" "@rx (19|20)" "phase:2,auditlog,id:1,deny,log"
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Transformation completed in 4 usec.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Executing operator "rx" with param "(19|20)" against TIME_HOUR.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][9] Target value: "20"
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][6] Ignoring regex captures since "capture" action is not enabled.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Operator completed in 44 usec.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Rule returned 1.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][9] Match, intercepted -> returning.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][1] Access denied with code 403 (phase 2). Pattern match "(19|20)" at TIME_HOUR. [file "/etc/nginx/modsecurity.conf"] [line "5"] [id "1"]
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Hook insert_filter: Adding output filter (r 7fd8abdb30a0).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
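Added example, not part of the JIRA issue or of ModSecurity's own code: a small Python check that reads ModSecurity's error log and nginx's debug log side by side and flags requests where the status the WAF decided on ("Access denied with code 403") differs from the status nginx actually finalized, which is exactly the discrepancy the two logs above show. The sample log lines are constructed from the ones in the report; correlating the two logs by URI rather than by request id is a simplifying assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines modelled on the report's two logs: a request
# ModSecurity denied with 403 that nginx finalized as 500 (the bug), and a
# second request where the deny status was honoured.
MODSEC_LOG = """\
[10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][1] Access denied with code 403 (phase 2). Pattern match "(19|20)" at TIME_HOUR. [file "/etc/nginx/modsecurity.conf"] [line "5"] [id "1"]
[10/Jan/2013:20:49:01 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30b0][/login][1] Access denied with code 403 (phase 2). Pattern match "(19|20)" at TIME_HOUR. [file "/etc/nginx/modsecurity.conf"] [line "5"] [id "1"]
"""

NGINX_DEBUG_LOG = """\
2013/01/10 20:48:26 [debug] 20797#0: *1 ModSecurity: status: 403, need action
2013/01/10 20:48:26 [debug] 20797#0: *1 http finalize request: 500, "/pic2.png?" a:1, c:1
2013/01/10 20:49:01 [debug] 20797#0: *2 ModSecurity: status: 403, need action
2013/01/10 20:49:01 [debug] 20797#0: *2 http finalize request: 403, "/login?" a:1, c:1
"""

# ModSecurity's error log puts the URI in its own [...] field just before
# the severity; the deny status follows "Access denied with code".
DENIED_RE = re.compile(r'\]\[(?P<uri>/[^\]]*)\]\[\d+\] Access denied with code (?P<code>\d{3})')
# nginx's debug log records the final status and the quoted URI (with a
# trailing "?" even when there is no query string).
FINALIZE_RE = re.compile(r'http finalize request: (?P<code>\d{3}), "(?P<uri>[^"?]*)\??"')


def parse_denials(modsec_log: str) -> Dict[str, int]:
    """Map URI -> status code ModSecurity intended to return."""
    out: Dict[str, int] = {}
    for line in modsec_log.splitlines():
        m = DENIED_RE.search(line)
        if m:
            out[m.group("uri")] = int(m.group("code"))
    return out


def parse_finalized(nginx_log: str) -> Dict[str, int]:
    """Map URI -> status code nginx actually finalized the request with."""
    out: Dict[str, int] = {}
    for line in nginx_log.splitlines():
        m = FINALIZE_RE.search(line)
        if m:
            out[m.group("uri")] = int(m.group("code"))
    return out


def find_status_mismatches(modsec_log: str, nginx_log: str) -> List[Tuple[str, int, int]]:
    """Return (uri, intended, actual) for every denial nginx did not honour as-is.
    Keying on URI is a simplification; a real tool would join on request id."""
    intended = parse_denials(modsec_log)
    actual = parse_finalized(nginx_log)
    return [(uri, code, actual[uri]) for uri, code in intended.items()
            if uri in actual and actual[uri] != code]


if __name__ == "__main__":
    for uri, want, got in find_status_mismatches(MODSEC_LOG, NGINX_DEBUG_LOG):
        print(f"{uri}: ModSecurity denied with {want} but nginx returned {got}")
```

Running it against the sample logs reports only /pic2.png, where a 403 verdict became a 500; a clean deployment of the fixed version should report nothing.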