Re: [mod-security-users] Output Filters with mod_jk2
From: marks m. <ml...@ms...> - 2005-09-02 09:25:03
Hello Ivan,

first, it is the same with 404s. It is just a 404 header and message:

  HTTP/1.1 404 Not Found
  Date: Fri, 02 Sep 2005 08:19:54 GMT
  Server: 5
  Connection: close
  Content-Type: text/html; charset=iso-8859-1

  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>404 Not Found</title>
  </head><body>
  <h1>Not Found</h1>
  <p>The requested URL /fpi/testi.html was not found on this server.</p>
  <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
  </body></html>

Maybe I was able to find something new regarding that. I have to explain that the intention was to catch Tomcat's 404 error pages and instead redirect the user or show him the general webserver error page. So I created a 404 output rule (see it below; normally it should read SecFilterSelective OUTPUT "HTTP Status 4[0-9][0-9]", but anyway). I used evilstring as a placeholder in my last email. In fact, matching evilstring works just fine. The real evil message which does not work is that Tomcat 404 page.

That means: having the two output rules found below and browsing the Tomcat context, access to a file containing "evilstring" is being restricted fine with no internal server error. So no problem there. But if you are trying to access a document inside the context which is not there, causing Tomcat to send a 404 page to the webserver, the 404 is being matched, but the custom error page is not being delivered. So we have a pattern match and we can control the headers (the header will be what is in mod_security.conf), but Apache gives back the internal server error as above (just as if it could not find the error page).

OK, so I created a file (testi.html) containing exactly the Tomcat error message. You can browse that file, modsecurity matches the 404 output and you get the configured error page as expected. When I removed that file and tried to access it again, Tomcat was sending its 404 code and the described error occurred.

You can see the requests in the L9 debug. The only difference between the Tomcat 404 and the webpage containing exactly the same HTML code I can see is:

1. There is a trailing NULL at the end of the created webpage.
2. The header sent by Tomcat. When accessing the file, Tomcat sends

  HTTP/1.1 200 OK
  ETag: W/"996-1125649082000"
  Last-Modified: Fri, 02 Sep 2005 08:18:02 GMT
  Content-Type: text/html
  Content-Length: 996
  Date: Fri, 02 Sep 2005 09:04:44 GMT
  Server: Apache-Coyote/1.1
  Connection: close

and after removing the file Tomcat outputs

  HTTP/1.1 404 /fpi/testi.html
  Content-Type: text/html;charset=utf-8
  Content-Length: 997
  Date: Fri, 02 Sep 2005 09:05:55 GMT
  Server: Apache-Coyote/1.1
  Connection: close

Maybe it is about communication between Apache and mod_jk, where modsecurity is not involved. But we can match that 404!? Just have a look at the attached log. Maybe you have got an idea.

And here is my (stripped) config:

  SecChrootDir /usr/local/jail
  SecFilterEngine On
  SecFilterScanPOST On
  SecFilterCheckURLEncoding On
  SecFilterCheckUnicodeEncoding Off
  SecFilterCheckCookieFormat On
  SecFilterNormalizeCookies On
  SecFilterScanOutput On
  SecFilterOutputMimeTypes "(null) text/html text/plain"
  SecFilterForceByteRange 8 255
  SecServerSignature "5"
  SecAuditEngine RelevantOnly
  SecAuditLog logs/audit_log
  SecFilterDefaultAction "deny,log,pause:2231,status:404"
  SecFilterDebugLog logs/modsec_debug_log
  SecFilterDebugLevel 9
  SecFilterSelective OUTPUT "evilstring"
  SecFilterSelective OUTPUT "404"

Thanks in advance!

-mark

Ivan Ristic wrote:
> marks mlists wrote:
>
>> Hello modsec guys,
>>
>> I am sure someone already used modsecurity on a webserver which is
>> connecting to tomcat servers. I am running into the following problem:
>>
>> Having rules like SecFilterSelective OUTPUT "evilstring" is working fine
>> as long as the document containing that evilstring is being served by
>> apache itself or of course, via mod_proxy. But it does not work like I
>> want it to with mod_jk(2).
>>
>> If I request a page within a context mapped by mod_jk, e.g.
>> /app/evilfile containing the string, I get a successful pattern match:
>> mod_security: Access denied with code 200. Pattern match "evilstring"
>> at OUTPUT [uri "/app/evilfile"]
>
>
> From the above log message it would appear mod_security is configured
> to respond with status code 200.
>
> What happens when you use:
>
> SecFilterSelective OUTPUT evilstring log,deny,status:404
>
> ?
>
>> So does one of you have a clue what to do or where to have a look
>> at? Thanks in advance.
>
>
> We need to look at your configuration files and, possibly,
> your debug log entries at level 9. Look here for the instructions:
> http://www.modsecurity.org/documentation/support-request-checklist.html
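As an added illustration that is not code from the thread or from mod_security itself: a small Python model of how the OUTPUT rules in Mark's config are evaluated, with the MIME-type gate from SecFilterOutputMimeTypes ("(null)" standing for a missing Content-Type), the pattern applied to the response body, and the client's status taken from the rule's action. The response bodies, the charset-stripping comparison of the MIME type and the fallback when an action has no status: are constructed assumptions modelled on the headers quoted above; it also shows why a rule on "HTTP Status 4xx" matches the static copy of the Tomcat page that is served with 200.

```python
import re

# Constructed approximation of the Tomcat error page body quoted in the thread;
# the real page likewise contains "HTTP Status 404 - <uri>".
TOMCAT_BODY = ('<html><head><title>Apache Tomcat - Error report</title></head>'
               '<body><h1>HTTP Status 404 - /fpi/testi.html</h1></body></html>')

# Constructed responses modelled on the headers Mark quoted.
RESPONSES = {
    "real_404": {"status": "HTTP/1.1 404 /fpi/testi.html",
                 "headers": {"Content-Type": "text/html;charset=utf-8"},
                 "body": TOMCAT_BODY},
    "static_copy": {"status": "HTTP/1.1 200 OK",
                    "headers": {"Content-Type": "text/html"},
                    "body": TOMCAT_BODY + "\x00"},       # the trailing NULL Mark noticed
    "no_ctype": {"status": "HTTP/1.1 200 OK", "headers": {},
                 "body": "HTTP Status 404 in a response without Content-Type"},
    "image": {"status": "HTTP/1.1 200 OK",
              "headers": {"Content-Type": "image/png"}, "body": "404"},
}

OUTPUT_MIME_TYPES = "(null) text/html text/plain"    # SecFilterOutputMimeTypes (thread)
DEFAULT_ACTION = "deny,log,pause:2231,status:404"   # SecFilterDefaultAction (thread)


def mime_allowed(headers, allowed=OUTPUT_MIME_TYPES):
    """Gate on SecFilterOutputMimeTypes. '(null)' covers a missing Content-Type;
    comparing the type without its charset parameter is an assumption."""
    ctype = headers.get("Content-Type")
    if ctype is None:
        return "(null)" in allowed.split()
    return ctype.split(";")[0].strip().lower() in allowed.split()


def scan_output(response, pattern, action=DEFAULT_ACTION):
    """Apply one 'SecFilterSelective OUTPUT pattern [action]' rule and return
    the status the client ends up with: the rule's status: on a match,
    otherwise the upstream status from the status line."""
    upstream = int(response["status"].split()[1])
    if not mime_allowed(response["headers"]):
        return upstream                     # body never scanned
    if re.search(pattern, response["body"]) is None:
        return upstream                     # no match, response passes through
    for token in action.split(","):
        if token.startswith("status:"):
            return int(token.split(":", 1)[1])
    return upstream                         # action without status: (assumption)
```

Running scan_output over RESPONSES with the pattern "HTTP Status 4[0-9][0-9]" denies both the real 404 and the 200 static copy, while the image response is never scanned because its type is not in the list.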