mod_security REQUEST_HEADERS:Referer anomaly/bug

[DraCoola]

Dear LiteSpeed,

I'm using LSWS 5.4.10 (build 4) on Cpanel.
I found if using :

SecRule REQUEST_HEADERS:Referer|ARGS "spam-domains\.com"

Will work.

But if using @pmFromFile operator :

SecRule REQUEST_HEADERS:Referer|ARGS "@pmFromFile spam-domains.txt"

Will not work.

So REQUEST_HEADERS:Referer cannot work if using together with @pmFromFile operator.
But at the same time, using REQUEST_HEADERS:User-Agent works normally together with @pmFromFile operator.

I hope there will be a fix release for this issue.

Thanks!

 

[mistwang]

We need the content of `spam-domains.txt` and the value of `REQUEST_HEADERS:Referer` in the test case,
so, we can try to reproduce the bug.

 

[DraCoola]

Hi George,

The content of 'spam-domains.txt' is any of TLD/SLD domain.
For an example : store\.litespeedtech\.com
So any access to litespeedtech.com which was refered from store.litespeedtech.com will trigger mod_security to deny.

The value or rule is as usual :

SecRule REQUEST_HEADERS:Referer|ARGS "@pmFromFile spam-domains.txt" "log,id:12345,rev:1,severity:2,deny,msg:'Referer Test'"

Thanks!

 

[mistwang]

store\.litespeedtech\.com

pattern match is not regular expression, it does not need to escape "." , so if you did that, it wont match the domain.
You just use string as is.

 

[DraCoola]

Yes you are right, it is worked now.
Thank you so much for helps!