[mod-security-users] False-positive running cgi script

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

ModSecurity version: 1.9.2
Apache version: 1.3.34
OS: Red Hat Enterprise Linux ES release 3 (Taroon Update 7)
Kernel: Linux 2.4.21-40.ELsmp #1 SMP Thu Feb 2 22:22:39 EST 2006 i686 i686 i386 GNU/Linux
Browser: IE 6 and Firefox 1.5.1

Hi folks,

We have a cgi script which works fine except for one function which mod_security blocks when users click on a link sent to their email to approve their mailing list subscription (double opt-in).

The mod_security audit log shows the following:

==5f227777==============================
Request: www.mydomain.com xxx.xxx.xxx.xxx - - [29/Mar/2006:21:48:51 -0500] "GET /cgi-bin/mail.cgi/n/domain.com/user/domain.com/14416046/ HTTP/1.1" 500 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" RCtHEtEI6AoAAD7BFCA "-"
Handler: cgi-script
Error: Premature end of script headers: /hsphere/shared/apache/htdocs/cgi-bin/mail.cgi
----------------------------------------
GET /cgi-bin/mail.cgi/n/domain.com/user/domain.com/14416046/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Connection: Keep-Alive
Host: mydomain.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--5f227777-- 

Our apache mod_security directive contains the following:

#Mod_Security Global Configuration File

# Enable ModSecurity
# On , Off , DynamicOnly
SecFilterEngine On

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:500"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Designate a directory for temporary files
# storage. It is a good idea to change the
# value below to a private directory, just as
# an additional measure against race conditions
SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly

# Uncomment below to record responses with unusual statuses
SecAuditLogRelevantStatus ^5
SecAuditLog /var/log/modsec_audit-httpd.log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/modsec_debug-httpd.log

Can anyone point me to where I can look to see what mod_sec rule is causing this issue. We use a number of rules from gotroot. Any help is greatly appreciated.

Thanks,

SW

---------------------------------
New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.