[ https://www.modsecurity.org/tracker/browse/MODSEC-374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto resolved MODSEC-374.
--------------------------------------
Resolution: Fixed
Hello Andreas,
I tested the new trunk and it looks like fixed. I'm just seeing a Permission denied msg that must be fixed. However no more seg faults.
let me know if you can test and give me a feddback.
Thanks
Breno
> Nginx worker process segfault when using SecAuditEngine
> -------------------------------------------------------
>
> Key: MODSEC-374
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-374
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Logging
> Environment: Debian Linux 6, Nginx 1.3.8, mod_security from trunk (07.01.2013)
> Reporter: Andreas Jaggi
> Assignee: Breno Silva Pinto
> Labels: nginx
> Fix For: 2.7.3
>
>
> When having SecAuditEngine set to On or RelevantOnly, everytime a ModSec rule (I'm using OWASP CRS rules) matches, the nginx worker segfaults and does not write to SecAuditLog (I have SecAuditLogType set to Serial), the request is properly handled though and the ModSec debuglog shows the matched CRS rule.
> Logfiles:
> ==> /var/log/nginx/error.log <==
> 2013/01/08 14:24:33 [info] 7558#0: [client 213.156.230.133] ModSecurity: Warning. Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2 ..." at ARGS:foo. [file "/etc/nginx/mod_security.rpx.real.jaggi.info.conf.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select from found within ARGS:foo: select from"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "standalone"] [uri "/ip/?foo=select%20from"] [unique_id "12345"]
> ==> /var/log/nginx/rpx.real.jaggi.info-ip.access.log <==
> 213.156.230.133 - - [08/Jan/2013:14:24:33 +0100] "GET /ip/?foo=select%20from HTTP/1.1" 200 27 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5" 0.038
> ==> /var/log/nginx/error.log <==
> 2013/01/08 14:24:33 [alert] 7554#0: worker process 7558 exited on signal 11
> ModSec Debug Log:
> [08/Jan/2013:14:24:33 +0100] [standalone/sid#19d3470][rid#22e8db0][/ip/?foo=select%20from][2] Warning. Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2 ..." at ARGS:foo. [file "/etc/nginx/mod_security.rpx.real.jaggi.info.conf.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select from found within ARGS:foo: select from"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
|
