Re: [mod-security-users] Upgrade to owasp-coreruleset 4.13.0
From: Andrew H. <and...@ow...> - 2025-04-06 18:34:21
Hi Monah,
If in doubt, a concrete troubleshooting step would be to enable debug
logging (to the highest level), re-test, and see precisely what is
(and what is not) happening.
You should be able to observe in the debug log:
* Rule 900990 executing
* The action setvar:tx.crs_setup_version=4130 being executed
* Rule 901001 executing
* The operator &TX:crs_setup_version "@eq 0" being evaluated
Thanks,
Andrew
On Sun, 6 Apr 2025 at 14:19, Monah Baki <mon...@gm...> wrote:
>
> No custom rules.
>
> What I did is I renamed my owasp 4.13.0 to a different folder and moved my owasp crs 4.8.0 back to its original folder, restarted apache, and from another machine typed the following:
> curl -I https://osisolutions.net/index.php?f=/../../../../../etc/passwd
>
> root@waf:/usr/local/etc/modsecurity # tail -f /var/log/httpd/osisolutions-error_log
> [Sun Apr 06 09:10:54.062738 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?i)(?:[/\\\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\\\\.(?:%0[01]|\\\\?)?|\\\\?\\\\.?|%(?:2( ..." at REQUEST_URI_RAW. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "53"] [id "930100"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI_RAW: /index.php?f=/../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"]
> [Sun Apr 06 09:10:54.063066 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?i)(?:[/\\\\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\\\\.(?:%0[01]|\\\\?)?|\\\\?\\\\.?|%(?:2( ..." at ARGS:f. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "53"] [id "930100"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within ARGS:f: /../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"]
> [Sun Apr 06 09:10:54.063240 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at REQUEST_URI. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?f=/../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"]
> [Sun Apr 06 09:10:54.063389 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?:(?:^|[\\\\x5c/;])\\\\.{2,3}[\\\\x5c/;]|[\\\\x5c/;]\\\\.{2,3}(?:[\\\\x5c/;]|$))" at REQUEST_URI. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?f=/../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"]
>
>
>
> Went and reverted back my owasp 4.13.0 folder and ran the same curl command and got
>
> [Sun Apr 06 09:12:38.731325 2025] [security2:error] [pid 47228] [client 71.126.165.145:57026] ModSecurity: Access denied with code 500 (phase 1). Operator EQ matched 0 at TX. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"] [line "64"] [id "901001"] [msg "CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"] [ver "OWASP_CRS/4.13.0"] [tag "OWASP_CRS"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9xiNCfPcpnd_qywN4xQAAAAA"]
>
> On Sun, Apr 6, 2025 at 9:08 AM <az...@po...> wrote:
>>
>> Are you using any custom rules or CRS modifications?
>>
>> Citát Monah Baki <mon...@gm...>:
>>
>> > Hi Ervin,
>> >
>> > Here is the output
>> > root@waf:/usr/local/etc/apache24 # grep -A12 900990 /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf
>> > "id:900990,\
>> > phase:1,\
>> > pass,\
>> > t:none,\
>> > nolog,\
>> > tag:'OWASP_CRS',\
>> > ver:'OWASP_CRS/4.13.0',\
>> > setvar:tx.crs_setup_version=4130"
>> >
>> > As far as my apache using
>> > /usr/local/etc/apache24/modules.d/280_mod_security.conf, I am sure because
>> > if I were to comment
>> > LoadModule unique_id_module libexec/apache24/mod_unique_id.so
>> > LoadModule security2_module /usr/local/modsecurity/lib/mod_security2.so
>> >
>> > I get
>> >
>> > root@waf:/home/mbaki # apachectl restart
>> > Performing sanity check on apache24 configuration:
>> > AH00526: Syntax error on line 97 of /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf:
>> > Invalid command 'SecDefaultAction', perhaps misspelled or defined by a module not included in the server configuration
>> >
>> > Thanks
>> > Monah
>> >
>> > On Sun, Apr 6, 2025 at 4:54 AM Ervin Hegedüs <ai...@gm...> wrote:
>> >
>> >> Hi Monah,
>> >>
>> >>
>> >> On Sat, Apr 05, 2025 at 04:02:09PM -0400, Monah Baki wrote:
>> >> >
>> >> > ls /usr/local/etc/modsecurity/owasp-modsecurity-crs
>> >> > crs-setup.conf
>> >>
>> >> As Christian wrote, this is very strange.
>> >>
>> >> Anyway,
>> >>
>> >> Are you sure your engine uses this file?
>> >>
>> >> > cat /usr/local/etc/apache24/modules.d/280_mod_security.conf
>> >>
>> >> could you replace this line:
>> >>
>> >> > IncludeOptional /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf
>> >>
>> >> by this one:
>> >>
>> >> Include /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf
>> >>
>> >> So just remove the "Optional" string.
>> >>
>> >> And could you show us the output of this command?
>> >>
>> >> grep -A12 900990 /usr/local/etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf
>> >>
>> >>
>> >> Thanks,
>> >>
>> >>
>> >> a.
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> mod-security-users mailing list
>> >> mod...@li...
>> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> >> http://www.modsecurity.org/projects/commercial/rules/
>> >> http://www.modsecurity.org/projects/commercial/support/
>> >>
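As an added illustration of the troubleshooting step Andrew describes (this is not code from the thread or from the CRS project), the Python script below parses the Apache error_log lines quoted in this thread, groups them per ModSecurity transaction, and tells a real rule match apart from the 901001 "CRS is deployed without configuration" denial. The point it makes visible is that 901001 fires in phase 1, before any attack rule, so when it denies a request none of the REQUEST-9xx detections for that request are ever logged, which is exactly what the two curl runs above show. The sample log lines are constructed copies of the ones in the thread with the long regex inside "Pattern match" shortened; the field names, the dict layout and the diagnosis wording are my own assumptions, not ModSecurity output formats beyond the bracketed `[key "value"]` fields visible in the quoted lines.

```python
import re
from collections import OrderedDict

# Constructed sample: the error_log lines quoted in the thread, with the long
# regex inside "Pattern match" shortened. Two transactions (unique_id values):
# the first from CRS 4.8.0-dev, the second from CRS 4.13.0.
SAMPLE_LOG = r'''
[Sun Apr 06 09:10:54.062738 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?i)(?:[/\\x5c]|%(?:2(?:f|5(?:2f|5c ..." at REQUEST_URI_RAW. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "53"] [id "930100"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI_RAW: /index.php?f=/../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"]
[Sun Apr 06 09:10:54.063066 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?i)(?:[/\\x5c]|%(?:2(?:f|5(?:2f|5c ..." at ARGS:f. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "53"] [id "930100"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within ARGS:f: /../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"]
[Sun Apr 06 09:10:54.063240 2025] [security2:error] [pid 47174] [client 71.126.165.145:53450] ModSecurity: Warning. Pattern match "(?:(?:^|[\\x5c/;])\\.{2,3}[\\x5c/;]|[\\x5c/;]\\.{2,3}(?:[\\x5c/;]|$))" at REQUEST_URI. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "86"] [id "930110"] [msg "Path Traversal Attack (/../) or (/.../)"] [data "Matched Data: /../ found within REQUEST_URI: /index.php?f=/../../../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.8.0-dev"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9XgOebQ1Fdmj9nC2ctgAAAAA"]
[Sun Apr 06 09:12:38.731325 2025] [security2:error] [pid 47228] [client 71.126.165.145:57026] ModSecurity: Access denied with code 500 (phase 1). Operator EQ matched 0 at TX. [file "/usr/local/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"] [line "64"] [id "901001"] [msg "CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"] [ver "OWASP_CRS/4.13.0"] [tag "OWASP_CRS"] [hostname "osisolutions.net"] [uri "/index.php"] [unique_id "Z_J9xiNCfPcpnd_qywN4xQAAAAA"]
'''

# Fixed prefix of a mod_security2 error_log line, up to and including the verdict.
HEADER_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[security2:error\] \[pid (?P<pid>\d+)\] '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<verdict>Warning|Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\))\. '
)
# Bracketed key/value fields that follow the free-text message, e.g. [id "930100"].
# The message text itself (the quoted regex) never contains '[word "', so the
# search can start right after the verdict.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
MULTI_FIELDS = {"tag"}  # keys that legitimately repeat on one line


def parse_event(line):
    """Return one dict per ModSecurity event line, or None for any other line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {
        "timestamp": m.group("ts"),
        "client": m.group("client"),
        "denied": m.group("verdict") != "Warning",
        "status": int(m.group("code")) if m.group("code") else None,
        "phase": int(m.group("phase")) if m.group("phase") else None,
        "tag": [],
    }
    for key, value in FIELD_RE.findall(line[m.end():]):
        if key in MULTI_FIELDS:
            event[key].append(value)
        else:
            event[key] = value
    return event


def group_transactions(log_text):
    """Group events by unique_id (one HTTP request each), preserving first-seen order."""
    txns = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_event(line.strip())
        if ev is not None:
            txns.setdefault(ev.get("unique_id", "?"), []).append(ev)
    return txns


def diagnose(events):
    """Classify one transaction's events: (label, human-readable explanation)."""
    ids = [ev.get("id") for ev in events]
    ver = events[0].get("ver", "unknown CRS version")
    if "901001" in ids:
        ev = events[ids.index("901001")]
        return ("crs-setup-missing",
                f"{ver}: rule 901001 denied the request in phase {ev['phase']} because "
                "tx.crs_setup_version was never set (crs-setup.conf not included, or included "
                "after the rule files). No attack rule ran for this request.")
    if any(ev["denied"] for ev in events):
        return ("blocked", f"{ver}: request denied after {len(events)} logged rule events")
    return ("detected",
            f"{ver}: {len(events)} rule matches logged (ids {sorted(set(ids))}) and the request "
            "was not denied (engine in DetectionOnly, or anomaly threshold not reached)")


if __name__ == "__main__":
    for uid, events in group_transactions(SAMPLE_LOG).items():
        label, why = diagnose(events)
        print(f"{uid}  {label:18s} {why}")
```

Run it as-is to see one "detected" transaction for the 4.8.0-dev log and one "crs-setup-missing" transaction for the 4.13.0 log; point `group_transactions` at the real error_log text to apply the same check after re-testing.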