Hello, I'm having a small issue with ModSecurity and nginx.
I'm getting the following block from the rule "GET or HEAD Request with Body Content."
The thing is that this rule is catching the wrong method.
I'm sending this POST with normal body content:
*POST* /informacion-general-de-bomberos HTTP/1.1
Host: www.bomberos.cl
Content-Length: 33480
Cache-Control: max-age=0
Origin: http://www.bomberos.cl
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary85SDZfedhQBpvDB6
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.bomberos.cl/informacion-general-de-bomberos
Accept-Encoding: gzip, deflate
Accept-Language: es-MX,es;q=0.9,en-US;q=0.8,en;q=0.7,es-419;q=0.6
Cookie: 3207237d144523bf443786e09bde1502=plvhocs15n7eqp53og9mv9oq35; __utma=153413291.1309598240.1555956994.1555956994.1555956994.1; __utmc=153413291; __utmz=153413291.1555956994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=153413291.7.10.1555956994
Connection: close
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="q"
#
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="option"
com_contenido
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="Itemid"
647
------WebKitFormBoundary85SDZfedhQBpvDB6
Content-Disposition: form-data; name="task"
buscarContenido
------WebKitFormBoundary85SDZfedhQBpvDB6--
This is the blocking info (it reports a GET method, but the request sent is a POST):
Raw log:
{"transaction":{"client_ip":"190.215.55.78","time_stamp":"Mon Apr 22
14:34:45
2019","server_id":"7c160a00ee79198f898d4dd10daa0650753069e4","client_port":51391,"host_ip":"190.215.55.78","host_port":80,"unique_id":"155595808524.898826","request":{"*method":"GET"*,"http_version":1.1,"uri":"/informacion-general-de-bomberos","body":"------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition:
form-data;
name=\"q\"\r\n\r\n#\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition:
form-data;
name=\"option\"\r\n\r\ncom_contenido\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition:
form-data;
name=\"Itemid\"\r\n\r\n647\r\n------WebKitFormBoundary85SDZfedhQBpvDB6\r\nContent-Disposition:
form-data;
name=\"task\"\r\n\r\nbuscarContenido\r\n------WebKitFormBoundary85SDZfedhQBpvDB6--\r\n","headers":{"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","Cache-Control":"max-age=0","Content-Type":"multipart/form-data;
boundary=----WebKitFormBoundary85SDZfedhQBpvDB6","User-Agent":"Mozilla/5.0
(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/73.0.3683.75
Safari/537.36","DNT":"1","Origin":"http://www.bomberos.cl","Upgrade-Insecure-Requests":"1","Referer":"http://www.bomberos.cl/informacion-general-de-bomberos","Content-Length":"441","Host":"www.bomberos.cl","Accept-Encoding":"gzip,
deflate","Cookie":"3207237d144523bf443786e09bde1502=plvhocs15n7eqp53og9mv9oq35;
__utma=153413291.1309598240.1555956994.1555956994.1555956994.1;
__utmc=153413291;
__utmz=153413291.1555956994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__utmt=1;
__utmb=153413291.7.10.1555956994","Accept-Language":"es-MX,es;q=0.9,en-US;q=0.8,en;q=0.7,es-419;q=0.6","Connection":"close"}},"response":{"http_code":403},"producer":{"*modsecurity":"ModSecurity
v3.0.3 (Linux)","connector":"ModSecurity-nginx
v1.0.0","secrules_engine":"Enabled","components":["OWASP_CRS/3.1.0\""**]*},"messages":[{"message":"GET
or HEAD Request with Body Content.","details":{"match":"Matched
\"Operator `Rx' with parameter `^0?$' against variable
`REQUEST_HEADERS:Content-Length' (Value: `441'
)","reference":"o0,3v0,3v84,3","ruleId":"*920170","file":"/opt/waf/nginx/etc/modsec_rules/www.bomberos.cl/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"229","data":"GET","severity":"2","ver":"OWASP_CRS/3.1.0*","rev":"","tags":[],"maturity":"0","accuracy":"0"}},{"message":"GET
or HEAD Request with Body Content.","details":{"match":"Matched
\"Operator `Rx' with parameter `^0?$' against variable
`REQUEST_HEADERS:Content-Length' (Value: `441'
)","reference":"o0,3v0,3v84,3","ruleId":"920170","file":"/opt/waf/nginx/etc/modsec_rules/www.bomberos.cl/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"229","data":"GET","severity":"2","ver":"OWASP_CRS/3.1.0","rev":"","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ","CAPEC-272"],"maturity":"0","accuracy":"0"}}]}}
Is anyone having the same issue?
I haven't updated the components in a few months; maybe this is fixed in a newer version.
Cheers.
Chris.
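Added example (not from the poster or the ModSecurity project): a small Python triage helper that parses a ModSecurity v3 JSON audit-log entry like the one above, replays the CRS 920170 check (method GET/HEAD chained with a non-zero Content-Length, reconstructed from the operator shown in the log) on the logged fields, and flags the inconsistency described in the post, a GET/HEAD method field alongside a multipart form body. The sample entry is constructed and condensed from the post; it is not a real capture.

```python
import json
import re

# Constructed sample in the ModSecurity v3 JSON audit-log layout,
# condensed from the entry in the post (body shortened, most headers dropped).
SAMPLE_AUDIT_LOG = json.dumps({
    "transaction": {
        "unique_id": "155595808524.898826",
        "request": {
            "method": "GET",  # logged as GET although the client sent a POST
            "uri": "/informacion-general-de-bomberos",
            "body": ("------WebKitFormBoundary85SDZfedhQBpvDB6\r\n"
                     "Content-Disposition: form-data; name=\"task\"\r\n\r\n"
                     "buscarContenido\r\n"
                     "------WebKitFormBoundary85SDZfedhQBpvDB6--\r\n"),
            "headers": {
                "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary85SDZfedhQBpvDB6",
                "Content-Length": "441",
            },
        },
        "response": {"http_code": 403},
        "messages": [{"message": "GET or HEAD Request with Body Content.",
                      "details": {"ruleId": "920170", "data": "GET"}}],
    }
})

def rule_920170_matches(method, content_length):
    """CRS 920170 as reconstructed from the log: REQUEST_METHOD ^(?:GET|HEAD)$
    chained with REQUEST_HEADERS:Content-Length !^0?$ (absent header: no match)."""
    if not re.match(r"^(?:GET|HEAD)$", method):
        return False
    return not re.match(r"^0?$", content_length or "")

def triage(audit_json):
    """Return fired rule ids plus consistency findings for one audit-log entry."""
    tx = json.loads(audit_json)["transaction"]
    req, headers = tx["request"], tx["request"].get("headers", {})
    method, body = req.get("method", ""), req.get("body", "")
    fired = sorted({m["details"]["ruleId"] for m in tx.get("messages", [])})
    findings = {}
    if "920170" in fired:
        # Does replaying the rule on the logged fields explain the block?
        findings["920170_replay_matches"] = rule_920170_matches(method, headers.get("Content-Length"))
        # GET/HEAD recorded next to a multipart body suggests the method field is wrong.
        findings["method_field_suspect"] = (
            method in ("GET", "HEAD")
            and headers.get("Content-Type", "").startswith("multipart/form-data")
            and "Content-Disposition: form-data" in body)
    return {"unique_id": tx["unique_id"], "status": tx["response"]["http_code"],
            "rules": fired, "findings": findings}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUDIT_LOG), indent=2))
```

Feed it one JSON object per audit-log line; entries where `method_field_suspect` is true are the ones worth comparing against the upstream access log before tuning or disabling 920170.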