[Mod-security-developers] [JIRA] Resolved: (MODSEC-376) Nginx server returns 500 instead of 403

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

     [ https://www.modsecurity.org/tracker/browse/MODSEC-376?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-376.
--------------------------------------

    Resolution: Fixed

> Nginx server returns 500 instead of 403
> ---------------------------------------
>
>                 Key: MODSEC-376
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-376
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>    Affects Versions: 2.7.1
>         Environment: uname -a
> Linux tamas 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> lsb_release -a
> Distributor ID:	Ubuntu
> Description:	Ubuntu 12.04.1 LTS
> Release:	12.04
> Codename:	precise
> nginx -V
> nginx version: nginx/1.2.6
> built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) 
> TLS SNI support enabled
> configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-debug --sbin-path=/sbin/nginx --conf-path=/etc/nginx/nginx.conf --with-http_stub_status_module --add-module=/home/modsecurity-apache_2.7.1/nginx/modsecurity
>            Reporter: Tamas Kokeny
>            Assignee: Breno Silva Pinto
>              Labels: nginx
>             Fix For: 2.7.3
>
>
> When I try to use my customised rule (SecRule TIME_HOUR "(19|20)" phase:2,auditlog,id:1,deny,log), Nginx returns 500 instead of ModSecurity's 403.
> nginx.debug.log:
> 2013/01/10 20:48:26 [debug] 20797#0: *1 modSecurity: handler
> 2013/01/10 20:48:26 [debug] 20797#0: *1 modSecurity: method is not POST
> 2013/01/10 20:48:26 [debug] 20797#0: *1 modSecurity: pass_to_backend
> 2013/01/10 20:48:26 [debug] 20797#0: *1 ModSecurity: status: 403, need action
> 2013/01/10 20:48:26 [debug] 20797#0: *1 http finalize request: 500, "/pic2.png?" a:1, c:1
> 2013/01/10 20:48:26 [debug] 20797#0: *1 http special response: 500, "/pic2.png?"
> 2013/01/10 20:48:26 [debug] 20797#0: *1 http set discard body
> 2013/01/10 20:48:26 [debug] 20797#0: *1 HTTP/1.1 500 Internal Server Error
> modsecurity.error.log:
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Initialising transaction (txid 12345).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Transaction context created (dcfg 7fd8abe00980).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Starting phase REQUEST_HEADERS.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][9] This phase consists of 0 rule(s).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Second phase starting (dcfg 7fd8abe00980).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Input filter: This request does not have a body.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Starting phase REQUEST_BODY.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][9] This phase consists of 1 rule(s).
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Recipe: Invoking rule 7fd8abde9700; [file "/etc/nginx/modsecurity.conf"] [line "5"] [id "1"].
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][5] Rule 7fd8abde9700: SecRule "TIME_HOUR" "@rx (19|20)" "phase:2,auditlog,id:1,deny,log"
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Transformation completed in 4 usec.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Executing operator "rx" with param "(19|20)" against TIME_HOUR.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][9] Target value: "20"
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][6] Ignoring regex captures since "capture" action is not enabled.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Operator completed in 44 usec.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Rule returned 1.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][9] Match, intercepted -> returning.
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][1] Access denied with code 403 (phase 2). Pattern match "(19|20)" at TIME_HOUR. [file "/etc/nginx/modsecurity.conf"] [line "5"] [id "1"]
> [10/Jan/2013:20:48:26 +0100] [standalone/sid#7fd8abdfe0a0][rid#7fd8abdb30a0][/pic2.png][4] Hook insert_filter: Adding output filter (r 7fd8abdb30a0).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira