Hi Felipe,
All my other tests were from the 2.8.0 tar and not straight from git. For
this test I compiled it from the branch bruno_SecPcreMatchLimit and just
copied the .la and .so files to my test apache.
All I do to replicate it is this:
This errors:
cookie=$(for i in {0..1499}; do echo -n x; done); curl -o /dev/null -v -H "Cookie: shit=$cookie" http://host
This doesn't:
cookie=$(for i in {0..1498}; do echo -n x; done); curl -o /dev/null -v -H "Cookie: shit=$cookie" http://host
Message: Rule 20c8cba8 [id "973302"][file "/usr/local/apache2/conf/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "309"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Warning. Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/usr/local/apache2-nap/conf/mod_security.conf"] [line "112"] [id "200005"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"]
What I said in my original email about the Header size limit of 3985 bytes
is wrong, it's actually any single cookie of 1500 bytes that's the limit. I
guess it makes sense, considering the default pcre match limit is 1500.
Bruno
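As an added example (not code from Bruno, Felipe or the ModSecurity project), the POSIX shell script below packages the probe above into reusable pieces: it builds a cookie of an exact byte length, binary-searches the largest accepted length instead of trying 1499 and 1500 by hand, and counts "PCRE limits exceeded" messages in an Apache error log so a SecPcreMatchLimit change can be checked after rollout. The cookie name `probe`, the HOST placeholder, the `demo_probe` stand-in and the sample log lines are assumptions constructed for the example; rule id 973302 and the rule 200005 warning are taken from the messages quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread or the ModSecurity project.
# Assumptions: curl is available; HOST is a placeholder for the server under
# test; the log lines below are constructed to mirror the messages quoted in
# the email (rule ids 973302 and 200005 come from there).

# Emit a single cookie value of exactly $1 bytes (all 'x', as in the email's
# for-loop), so the accepted length can be probed byte by byte.
make_cookie() {   # usage: make_cookie LENGTH
    awk -v n="$1" 'BEGIN { while (i++ < n) printf "x" }'
}

# Send one request carrying a cookie of $1 bytes to $2 and print only the HTTP
# status code (-s: no progress, -o: discard body, -w: format the output).
probe_cookie() {   # usage: probe_cookie LENGTH HOST   e.g. probe_cookie 1500 http://host
    curl -s -o /dev/null -w '%{http_code}' -H "Cookie: probe=$(make_cookie "$1")" "$2"
}

# Binary-search the largest length in [LOW, HIGH] that $3 accepts. $3 is any
# command taking LENGTH and exiting 0 when the request passed; LOW must be a
# length known to pass.
find_threshold() {   # usage: find_threshold LOW HIGH PROBE_CMD
    lo=$1; hi=$2; probe=$3
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo "$lo"
}

# Stand-in probe for offline use: mimics the behaviour reported in the email,
# where 1499 bytes pass and 1500 bytes trip the limit.
demo_probe() {
    [ "$1" -lt 1500 ]
}
# Against a live server you would wrap probe_cookie instead, e.g.
#   live_probe() { [ "$(probe_cookie "$1" "$HOST")" = "200" ]; }

# Count "Execution error - PCRE limits exceeded" messages in an error log and
# list the rule ids they came from, to check a rollout after changing
# SecPcreMatchLimit / SecPcreMatchLimitRecursion.
pcre_limit_hits() {   # usage: pcre_limit_hits LOGFILE
    grep -c 'PCRE limits exceeded' "$1" || true
}
pcre_limit_rule_ids() {   # usage: pcre_limit_rule_ids LOGFILE
    grep 'PCRE limits exceeded' "$1" | sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p' | sort -u
}

# Constructed sample log: two hits on rule 973302 from two requests, the
# follow-up warning from rule 200005 (which does not contain the literal
# error string, so it is not counted) and an unrelated notice.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Thu Oct 30 15:01:02 2014] [error] [client 10.0.0.5] ModSecurity: Rule 20c8cba8 [id "973302"][file "/usr/local/apache2/conf/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "309"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "host"] [uri "/"]
[Thu Oct 30 15:01:02 2014] [error] [client 10.0.0.5] ModSecurity: Warning. Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/usr/local/apache2-nap/conf/mod_security.conf"] [line "112"] [id "200005"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "host"] [uri "/"]
[Thu Oct 30 15:01:03 2014] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Thu Oct 30 15:01:09 2014] [error] [client 10.0.0.6] ModSecurity: Rule 20c8cba8 [id "973302"][file "/usr/local/apache2/conf/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "309"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "host"] [uri "/"]
EOF

echo "largest accepted cookie length (demo probe): $(find_threshold 1 4000 demo_probe)"
echo "PCRE limit errors in sample log: $(pcre_limit_hits "$SAMPLE_LOG"), rule ids: $(pcre_limit_rule_ids "$SAMPLE_LOG" | tr '\n' ' ')"
```

With the demo probe the search reports 1499, matching the 1499/1500 boundary observed above; pointing `find_threshold` at a `live_probe` wrapper gives the same answer for a real server, and running `pcre_limit_rule_ids` over the real error log shows which rules still trip the limit after the directives are raised.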
On 30 October 2014 13:31, Felipe Costa <FC...@tr...> wrote:
> Hi,
>
> Did you have a chance to test this branch in a clean environment?
> (new clone or even: git clean -fxd)
>
> Can you share some info on your test environment? So I can try to
> replicate it here…
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
>
>
> From: Bruno de Almeida <br...@sa...>
> Reply-To: "mod...@li..."
> <mod...@li...>
> Date: Thursday, October 30, 2014 2:20 PM
> To: "mod...@li..."
> <mod...@li...>
> Cc: "mod...@li..."
> <mod...@li...>
> Subject: Re: [Mod-security-developers] [mod-security-users] Does
> SecPcreMatchLimit work?
>
>
> Thanks Felipe, but unless I've done something wrong, I got exactly the
> same behaviour.
>
> Compiling with defaults and increased values in config, I still got the
> error.
> Compiling with --enable-pcre-match-limit=200000 and decreased values in
> config, I didn't get the errors.
>
>
> Bruno
>
>
> On 30 October 2014 12:36, Felipe Costa <FC...@tr...> wrote:
>
> Hi Bruno,
>
> It seems that those limits - while specified using SecPcreMatchLimit and
> SecPcreMatchLimitRecursion - were not being verified in 100% of the cases.
>
> Just made a quick patch to enforce verification of those limits in 100% of
> the cases; it is currently being checked by our buildbots and is available
> at this branch:
>
>
> https://github.com/SpiderLabs/ModSecurity/tree/bruno_SecPcreMatchLimit
>
> Can you test it?
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
>
>
>
>
>
>
> From: Bruno de Almeida <br...@sa...>
> Reply-To: "mod...@li..."
> <mod...@li...>
> Date: Thursday, October 30, 2014 11:56 AM
> To: "mod...@li..."
> <mod...@li...>
> Subject: [mod-security-users] Does SecPcreMatchLimit work?
>
>
> Hi All,
>
> I'm upgrading modsec and the owasp_crs rules on some of our servers and I
> ran into a bit of an issue with some of the owasp rules, specifically the
> XSS ones that inspect Cookies.
>
> We have some rather large Cookie headers on our setup and I noticed that
> after compiling mod_sec with the following options, I was getting a LOT of
> 'Execution error - PCRE limits exceeded' errors.
>
> --host=x86_64-redhat-linux-gnu \
> --build=x86_64-redhat-linux-gnu \
> --target=x86_64-redhat-linux \
> --with-apxs=%{_apacheroot}/bin/apxs \
> --with-apr=%{_apacheroot}/bin/apr-1-config \
> --with-apu=%{_apacheroot}/bin/apu-1-config \
> --with-pcre=%{include_pcre} \
> --with-libxml=%{include_libxml2} \
> --enable-pcre-jit \
> --enable-pcre-study \
> --enable-lua-cache \
>
>
> I tried to increase SecPcreMatchLimit and SecPcreMatchLimitRecursion to
> very high numbers and it didn't make any difference.
>
>
> I also found that 3985 bytes was the maximum Cookie header size mod_sec
> would accept. 1 byte more and it would throw the PCRE limits exceeded
> error.
>
>
> I then re-compiled mod_sec and added these options:
>
> --enable-pcre-match-limit=200000 \
> --enable-pcre-match-limit-recursion=200000
>
>
> And the problem was gone, but I then tried to decrease the limits to very
> low numbers and I still wouldn't get the errors, which kind of tells me
> that changing these values after compilation doesn't work.
>
> These are the versions I'm running:
>
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LIBXML compiled version="2.9.1"
>
>
>
> Thanks,
>
>
>
> --
> - Bruno
>
>
> ________________________________
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information
> contained herein (including any reliance thereon) is strictly prohibited.
> If you received this transmission in error, please immediately contact the
> sender and destroy the material in its entirety, whether in electronic or
> hard copy format.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>
>
>
>
>
>
> --
> - Bruno
>
>
>
--
- Bruno