[ https://www.modsecurity.org/tracker/browse/MODSEC-374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Breno Silva Pinto closed MODSEC-374.
------------------------------------
Resolution: Fixed
Closing this. No feedback, however looks fixed.
> Nginx worker process segfault when using SecAuditEngine
> -------------------------------------------------------
>
> Key: MODSEC-374
> URL: https://www.modsecurity.org/tracker/browse/MODSEC-374
> Project: ModSecurity
> Issue Type: Bug
> Security Level: Normal
> Components: Logging
> Environment: Debian Linux 6, Nginx 1.3.8, mod_security from trunk (07.01.2013)
> Reporter: Andreas Jaggi
> Assignee: Breno Silva Pinto
> Labels: nginx
> Fix For: 2.7.3
>
> Attachments: config.log
>
>
> With SecAuditEngine set to On or RelevantOnly, every time a ModSec rule (I'm using OWASP CRS rules) matches, the nginx worker segfaults and does not write to SecAuditLog (I have SecAuditLogType set to Serial). The request is properly handled, though, and the ModSec debug log shows the matched CRS rule.
> Logfiles:
> ==> /var/log/nginx/error.log <==
> 2013/01/08 14:24:33 [info] 7558#0: [client 213.156.230.133] ModSecurity: Warning. Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2 ..." at ARGS:foo. [file "/etc/nginx/mod_security.rpx.real.jaggi.info.conf.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select from found within ARGS:foo: select from"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "standalone"] [uri "/ip/?foo=select%20from"] [unique_id "12345"]
> ==> /var/log/nginx/rpx.real.jaggi.info-ip.access.log <==
> 213.156.230.133 - - [08/Jan/2013:14:24:33 +0100] "GET /ip/?foo=select%20from HTTP/1.1" 200 27 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5" 0.038
> ==> /var/log/nginx/error.log <==
> 2013/01/08 14:24:33 [alert] 7554#0: worker process 7558 exited on signal 11
> ModSec Debug Log:
> [08/Jan/2013:14:24:33 +0100] [standalone/sid#19d3470][rid#22e8db0][/ip/?foo=select%20from][2] Warning. Pattern match "(?i:(?:union\\s*?(?:all|distinct|[(!@]*?)?\\s*?[([]*?\\s*?select)|(?:\\w+\\s+like\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98])|(?:like\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\%)|(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?like\\W*?[\"'`\xc2\xb4\xe2 ..." at ARGS:foo. [file "/etc/nginx/mod_security.rpx.real.jaggi.info.conf.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "223"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "Matched Data: select from found within ARGS:foo: select from"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
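
Because the worker dies before SecAuditLog is written, the nginx error.log is the only place the rule match and the crash both appear. The following is an added example, not code from the reporter or the ModSecurity project: it pairs each "exited on signal" alert with a ModSecurity warning logged by the same worker PID shortly before. The function name, the 5-second window and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, shortened from the error.log format quoted in the report.
SAMPLE_LOG = """\
2013/01/08 14:24:33 [info] 7558#0: [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:foo. [id "981245"] [uri "/ip/?foo=select%20from"]
2013/01/08 14:24:33 [alert] 7554#0: worker process 7558 exited on signal 11
2013/01/08 14:30:02 [info] 7560#0: [client 192.0.2.11] ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "981245"] [uri "/search?q=x"]
2013/01/08 14:41:10 [alert] 7554#0: worker process 7561 exited on signal 11
"""

LINE = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\d+)#\d+: (.*)$')
EXITED = re.compile(r'worker process (\d+) exited on signal (\d+)')
RULE_ID = re.compile(r'\[id "(\d+)"\]')
URI = re.compile(r'\[uri "([^"]*)"\]')

def crashes_after_match(log_text, window_seconds=5):
    """Return crashes of workers that logged a ModSecurity match shortly before dying."""
    last_match = {}  # worker pid -> (timestamp, rule id, uri) of its latest match
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in nginx error.log format
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        pid, msg = int(m.group(3)), m.group(4)
        if "ModSecurity:" in msg:
            rule, uri = RULE_ID.search(msg), URI.search(msg)
            last_match[pid] = (ts, rule.group(1) if rule else None,
                               uri.group(1) if uri else None)
            continue
        e = EXITED.search(msg)
        if e:
            # The alert is logged by the master; the dead worker's pid is in the message.
            worker, signal = int(e.group(1)), int(e.group(2))
            hit = last_match.pop(worker, None)
            if hit and ts - hit[0] <= timedelta(seconds=window_seconds):
                findings.append({"time": m.group(1), "worker": worker,
                                 "signal": signal, "rule_id": hit[1], "uri": hit[2]})
    return findings

if __name__ == "__main__":
    for finding in crashes_after_match(SAMPLE_LOG):
        print(finding)
```

Each finding marks a request that matched a rule but will have no corresponding audit log entry, so it has to be reconstructed from the error and access logs.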