Jeff Taylor wrote:
> I am having issues with one of my sites after upgrading to version 1.9.2 of
> mod_security. I did not change my mod_security file at all.
> The problem: all "virtual" includes (i.e.,
> <!--#include virtual="/include/header.inc" -->) do not work. No errors are
> generated in the HTML that is exported. No errors are generated in the Apache
> error log. No errors are logged in the SecAuditLog. If I disable mod_security
> for this particular vhost, everything works fine.
> There is no output (with SecFilterDebugLog set to level 9) that contains
> "header.inc" in it.
>
> I am getting this message for "footer.inc" however:
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][2] Detection phase starting (request 9b64028): "GET /t.php
> HTTP/1.1"
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488)
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][2] sec_check_access: Filtering off, not an initial request
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][9] sec_insert_filter: Starting
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488)
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][2] scan_pre: Adding output filter
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][3] sec_filter_out: start
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][9] Found msr (9b6a218) in r->main (9bb4488)
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][3] sec_filter_out: Content-Type = "(null)"
> [14/Feb/2006:16:28:02 --0500] [www1domain.domain/sid#9a4b580][rid#9b64028][/
> include/footer.inc][3] sec_filter_out: got 567 bytes, bufused=0, buflen=16384

Is this all? I would expect more messages here. ModSecurity is reading
the output of footer.inc here, waiting for the end (EOS). Once that happens
it is supposed to check the output and forward it further.

Try disabling output filtering as a workaround. If you have more output
in the debug log send me that (to my private address), along with your
complete Apache configuration. I'll try to replicate the problem in my
setup.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
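
A small triage helper for a debug log like the one quoted above, added here as an example (it is not part of the original messages or of ModSecurity itself): it rejoins mail-wrapped entries and lists each request/URI pair whose last logged message is a `sec_filter_out: got N bytes` read, meaning the trace stops while output is still being buffered. The sample log is constructed, and treating a trailing "got N bytes" line as a stall is an assumption drawn from the reply above.

```python
import re
from collections import OrderedDict

# Constructed sample in the debug-log layout quoted in the thread,
# including "> " quote prefixes and mail-style hard wraps.
SAMPLE = """\
> [14/Feb/2006:16:28:02 -0500] [www.example.test/sid#s1][rid#a1][/t.php][2] Detection phase starting (request a1): "GET /t.php
> HTTP/1.1"
> [14/Feb/2006:16:28:02 -0500] [www.example.test/sid#s1][rid#a1][/
> include/footer.inc][2] scan_pre: Adding output filter
> [14/Feb/2006:16:28:02 -0500] [www.example.test/sid#s1][rid#a1][/
> include/footer.inc][3] sec_filter_out: start
> [14/Feb/2006:16:28:02 -0500] [www.example.test/sid#s1][rid#a1][/
> include/footer.inc][3] sec_filter_out: got 567 bytes, bufused=0, buflen=16384
"""

ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#(?P<sid>\w+)\]"
    r"\[rid#(?P<rid>\w+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$")
START = re.compile(r"^\[\d{2}/\w{3}/\d{4}:")     # a new entry begins with a timestamp
GOT = re.compile(r"^sec_filter_out: got (\d+) bytes")

def unwrap(text):
    """Strip '> ' quote prefixes and rejoin entries hard-wrapped by a mail client."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).rstrip()
        if not line:
            continue
        if START.match(line) or not entries:
            entries.append(line)
        else:
            # Heuristic: a wrap right after "/" split a path; otherwise it replaced a space.
            entries[-1] += ("" if entries[-1].endswith("/") else " ") + line
    return entries

def stalled_output_filters(text):
    """Return (rid, uri, bytes_buffered) for pairs whose trace ends mid-buffering."""
    last, buffered = OrderedDict(), {}
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue                              # not a debug-log entry
        key = (m["rid"], m["uri"])
        last[key] = m["msg"]
        got = GOT.match(m["msg"])
        if got:
            buffered[key] = buffered.get(key, 0) + int(got.group(1))
    return [(rid, uri, buffered[(rid, uri)])
            for (rid, uri), msg in last.items() if GOT.match(msg)]

if __name__ == "__main__":
    for rid, uri, n in stalled_output_filters(SAMPLE):
        print(f"rid#{rid} {uri}: {n} bytes buffered, no later message")
```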