[Resolved] modsecurity bug - can't block traffic when HTTP request header is missing

[c0ldshadow]

using litespeed 4.2.6

The following rule doesn't block requests to test.php which are missing the Accept-Language header:

SecFilterSelective REQUEST_URI "/test\.php" chain
SecFilterSelective HTTP_Accept-Language "^$"

please advise when bug fixed or if there is a work around

 

[mistwang]

replace the second rule with

SecRule &REQUEST_HEADERS:Accept-Language "@eq 0"

You should stop using modsec 1.9 syntax, use >2.0 rule syntax.

 

[c0ldshadow]

Thanks for the quick reply.

I actually already tried the above but it doesn't work either:

SecRule REQUEST_URI "/test\.php" chain
SecRule &REQUEST_HEADERS:Accept-Language "@eq 0"

I have other mod security rules which work fine (e.g. i can see the blocks when tailing the audit logs), but the one above doesn't work

test method is curl http://blah.com/test.php (i can verify the accept-language header isn't set based on the wireshark capture)


i have gracefully restarted litespeed each time i edit the rules

 

[mistwang]

Turn on Sec engine debug logging by changing the debug level to 9
http://www.litespeedtech.com/docs/webserver/config/reqfilter#censorLogLevel

then check the error log.

 

[c0ldshadow]

ok i put those settings on.

rule:

SecRule REQUEST_URI "/deathsgate\.png" chain
SecRule &REQUEST_HEADERS:Accept-Language "@eq 0"

test case:

curl http://securityengineer.pro/deathsgate.png

logs:

2013-12-31 14:03:32.739 [INFO] [10.1.250.210:62537-0#securityengineer.pro] [SECURITY] match [REQUEST_URI] against pattern [/deathsgate\.png], result: 1
2013-12-31 14:03:32.739 [INFO] [10.1.250.210:62537-0#securityengineer.pro] [SECURITY] match [&REQUEST_HEADERS:Accept-Language] against pattern [@eq 0], result: 0

shouldnt the last line say "result: 1" since Accept-Language doesn't appear in this packet, and then the request would be blocked?

 

[c0ldshadow]

hi, just wanted to check if any update on this. still not having any luck getting this to work

thanks for the help troubleshooting

best regards

 

[mistwang]

2013-12-31 14:03:32.739 [INFO] [10.1.250.210:62537-0#securityengineer.pro] [SECURITY] match [&REQUEST_HEADERS:Accept-Language] against pattern [@eq 0], result: 0

shouldnt the last line say "result: 1" since Accept-Language doesn't appear in this packet, and then the request would be blocked?

It should be a bug, we will fix it now.

 

[c0ldshadow]

ok cool thanks a ton for the help. do you have an ETA when the fix will be made?


best regards
-Avery

 

[mistwang]

Please do a force reinstall of 4.2.6, should be fixed now.

 

[c0ldshadow]

thanks, it is fixed

 

[DraCoola]

How to revert to older 4.2.6?
This update bring 403 everywhere anywhere on my servers (using Atomic Ruleset).

[client 202.67.39.21] mod_security: Access denied with code 403, [Rule: 'REQUEST_HEADERS:Content-Length' '!^0$'] [ID "392301"] [Msg "Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header"] [severity "NOTICE"] [MatchedString ""]

I'll revert to 4.2.5

 

[c0ldshadow]

DraCoola, the rule may be working properly. Do you have the logs of the full request to see if content-type was in-fact missing from the header? might just be a rule prone to false positives which suddenly got turned on

 

[DraCoola]

Hi c0ldshadow,

The log which I found on apache/logs/error_log was this :

[ID: 392301] [Msg: Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header]2014-01-03 01:49:04.545 [NOTICE] [xxx.xxx.xxx.xxx:51084-0#APVH_162.213.211.40:443_xxxxxxxx.com] Content len: 0, Request line: 'GET /images/clients.gif HTTP/1.1'

All kind of sites produce the same error massively after update to latest 4.2.6
I have browse those 403 sites with firefox, internet explorer, and chrome

 

[c0ldshadow]

odd

is it possible to increase verbosity of the logs to see the entire HTTP request headers?

in my logs i log entire request

 

[DraCoola]

I can set SecDebugLogLevel to 9
But pardon me that I cannot switch to the newest 4.2.6 right now because all sites inside the servers are currently on their busy hour.
And also, many times of 403 will block visitors from firewall.
So I will try to switch to 4.2.6 latter.
I am now on 4.2.5 *sigh

 

[mistwang]

Please force reinstall 4.2.6 again.
was trying to make

SecRule REQUEST_HEADERS:Accept-Language "^$"

works, but Apache mod_sec treat REQUEST_HEADERS:Content-Length differently, if it does not exist, Apache uses value of "0".

 

[DraCoola]

According to this page : https://www.atomicorp.com/wiki/index.php/WAF_392301

I thought the latest lsws 4.2.6 is suddenly "cannot read" Content-Type?

 

[DraCoola]

Please force reinstall 4.2.6 again.
was trying to make

SecRule REQUEST_HEADERS:Accept-Language "^$"

works, but Apache mod_sec treat REQUEST_HEADERS:Content-Length differently, if it does not exist, Apache uses value of "0".

Hi George, I'll try your 4.2.6 again and bring my update here soon
Thanks!

 

[DraCoola]

Wonderful support, George.
It is now works as the old 4.2.6.
And I hope it also still work for c0ldshadow.
Thank you very much!