fix error message #1216

Closed
wants to merge 2 commits into from
Conversation

@arminabf arminabf commented Sep 26, 2016

info->format contains the error message format but not the actual formatted error message

both info->format and fmt (for versions prior to 2.4) contain the error message format but not the actual formatted error message
@arminabf (Author)

see reported issue #1073

as errstr is only available since version > 2.2
@dune73 (Member) commented Sep 27, 2016

Tried out the patch, but the error is still around. Apache 2.4.23, ModSec 2.9.1.

$> cat apache2/mod_security2.c | grep "= apr_pstrdup(msr->mp, errstr"
    em->message = apr_pstrdup(msr->mp, errstr);

then configured, built and installed it as a new module. It loaded correctly, and testing with curl localhost -d "p=/etc/passwd" results in this audit log:

Message: Warning. Matched phrase "/etc/passwd" at ARGS:test. [file "/apache/conf/owasp-modsecurity-crs-3.0.0-rc1/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "108"] [id "930120"] [rev "4"] [msg "OS File Access Attempt"] [data "Matched Data: /etc/passwd found within ARGS:test: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
Message: Warning. Matched phrase "/etc/passwd" at ARGS:test. [file "/apache/conf/owasp-modsecurity-crs-3.0.0-rc1/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: /etc/passwd found within ARGS:test: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"]
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s

The error log says:

[2016-09-27 08:18:51.858628] [authz_core:debug] 127.0.0.1:50188 V@oPS38AAQEAAGnc5v4AAAAA AH01626: authorization result of Require all granted: granted
[2016-09-27 08:18:51.858667] [authz_core:debug] 127.0.0.1:50188 V@oPS38AAQEAAGnc5v4AAAAA AH01626: authorization result of <RequireAll>: granted
[2016-09-27 08:18:51.858693] [authz_core:debug] 127.0.0.1:50188 V@oPS38AAQEAAGnc5v4AAAAA AH01626: authorization result of <RequireAny>: granted
[2016-09-27 08:18:51.881568] [-:error] 127.0.0.1:50188 V@oPS38AAQEAAGnc5v4AAAAA [client 127.0.0.1] ModSecurity: Warning. Matched phrase "/etc/passwd" at ARGS:test. [file "/apache/conf/owasp-modsecurity-crs-3.0.0-rc1/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "108"] [id "930120"] [rev "4"] [msg "OS File Access Attempt"] [data "Matched Data: /etc/passwd found within ARGS:test: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "localhost"] [uri "/index.html"] [unique_id "V@oPS38AAQEAAGnc5v4AAAAA"]
[2016-09-27 08:18:51.886975] [-:error] 127.0.0.1:50188 V@oPS38AAQEAAGnc5v4AAAAA [client 127.0.0.1] ModSecurity: Warning. Matched phrase "/etc/passwd" at ARGS:test. [file "/apache/conf/owasp-modsecurity-crs-3.0.0-rc1/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: /etc/passwd found within ARGS:test: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.html"] [unique_id "V@oPS38AAQEAAGnc5v4AAAAA"]

What am I doing wrong?

@arminabf (Author)

@dune73: I've tried to reproduce your setup and testing.

Without the patch I see the following errors in the audit log:

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s

When I apply the patch I get the following:

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 127.0.13.37] ModSecurity: Warning. Operator EQ matched 0 at TX. [file "/home/arminabf/modsecurity-rules/owasp-crs/3.0.0/REQUEST-901-INITIALIZATION.conf"] [line "56"] [id "901001"] [msg "ModSecurity Core Rules setup file has not been detected. Threat detection and blocking may be nonfunctional. Please ensure to make a copy of the setup template crs-setup.conf.example, and include your crs-setup.conf file in your webserver configuration before including the CRS rules."] [severity "WARNING"] [hostname "host"] [uri "/owasp"] [unique_id "V@u@5QoAAwYAAEOwTukAAAAA"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 127.0.13.37] ModSecurity: Warning. Matched phrase "/etc/passwd" at ARGS:p. [file "/home/arminabf/modsecurity-rules/owasp-crs/3.0.0/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "108"] [id "930120"] [rev "4"] [msg "OS File Access Attempt"] [data "Matched Data: /etc/passwd found within ARGS:p: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "host"] [uri "/owasp"] [unique_id "V@u@5QoAAwYAAEOwTukAAAAA"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 127.0.13.37] ModSecurity: Warning. Matched phrase "/etc/passwd" at ARGS:p. [file "/home/arminabf/modsecurity-rules/owasp-crs/3.0.0/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: /etc/passwd found within ARGS:p: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "host"] [uri "/owasp"] [unique_id "V@u@5QoAAwYAAEOwTukAAAAA"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 127.0.13.37] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/home/arminabf/modsecurity-rules/owasp-crs/3.0.0/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "53"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "host"] [uri "/owasp"] [unique_id "V@u@5QoAAwYAAEOwTukAAAAA"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 127.0.13.37] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/home/arminabf/modsecurity-rules/owasp-crs/3.0.0/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=5,RCE=5,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Unix Shell Code Found"] [tag "event-correlation"] [hostname "host"] [uri "/owasp"] [unique_id "V@u@5QoAAwYAAEOwTukAAAAA"]
Action: Intercepted (phase 2)
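Added example (mine, not code from this pull request or from ModSecurity): a small Python scanner that tells the two audit-log shapes quoted above apart, so a rebuilt module can be checked for the fix from its own section-H output rather than by eyeballing it. The header parsing for the Apache-Error line, the sample log lines (constructed after the excerpts in this thread) and all function names are assumptions made for the example.

```python
"""Spot the unformatted 'Apache-Error' symptom in a ModSecurity 2.x audit log.

Hypothetical checker written for this thread; it is not ModSecurity code and not
part of the pull request.  Before the fix, mod_security2's error-log hook copied
the printf format string (info->format) into the audit log instead of the
rendered message (errstr), so section-H entries read
    Apache-Error: [...] [client %s] ModSecurity: %s%s [uri "%s"]%s
After the fix the same entry carries the real client address and rule message.
Scanning a log for leftover placeholders is a quick way to confirm that a rebuilt
module really is the patched one.
"""
import re
from typing import Dict, List, Optional

# Layout of every httpd error-log entry that ModSecurity copies into section H:
#   Apache-Error: [file "apache2_util.c"] [line 271] [level 3] <message>
APACHE_ERROR_RE = re.compile(
    r'^Apache-Error:\s+\[file "(?P<file>[^"]+)"\]\s+\[line (?P<line>\d+)\]'
    r'\s+\[level (?P<level>\d+)\]\s+(?P<message>.*)$'
)

# A "%s" conversion (optionally with printf flags) that survived into the log.
# Matching only %s is deliberate: URL-encoded request data (%2F, %3D, ...) is
# always "%" plus two hex digits, and "s" is not a hex digit, so encoded URIs in
# the [uri "..."] field never trigger a false positive.  "%%" is an escaped
# percent sign and is skipped by the look-behind; "100% sure" is not a match
# either, because the space flag is intentionally not accepted.
RAW_PLACEHOLDER_RE = re.compile(r'(?<!%)%[-+0#]*s')


def parse_apache_error(line: str) -> Optional[Dict[str, str]]:
    """Split one 'Apache-Error:' line into file/line/level/message, else None."""
    m = APACHE_ERROR_RE.match(line.strip())
    return m.groupdict() if m else None


def is_unformatted(message: str) -> bool:
    """True when the captured message still contains a raw %s placeholder."""
    return RAW_PLACEHOLDER_RE.search(message) is not None


def scan_audit_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per Apache-Error line, tagged state='raw' or 'formatted'.

    Other section-H lines (Message:, Action:, ...) are ignored; ModSecurity
    builds those itself and they were never affected by this bug.
    """
    records = []
    for line in lines:
        fields = parse_apache_error(line)
        if fields is None:
            continue
        fields["state"] = "raw" if is_unformatted(fields["message"]) else "formatted"
        records.append(fields)
    return records


def hook_is_patched(lines: List[str]) -> Optional[bool]:
    """Verdict for the whole log: False if any entry is raw, True if all are
    formatted, None if the log holds no Apache-Error entry to judge from.

    Every captured entry goes through the same copy in the hook, so one raw
    entry from any module (mod_authz_core's AH01626 included) is enough to
    show the bug is present.
    """
    states = {rec["state"] for rec in scan_audit_log(lines)}
    if not states:
        return None
    return "raw" not in states


# Constructed samples shaped after the excerpts quoted in this thread (not
# copied from a live system); the patched URI carries URL-encoding on purpose.
UNPATCHED_SAMPLE = [
    'Message: Warning. Matched phrase "/etc/passwd" at ARGS:test. [id "930120"] [msg "OS File Access Attempt"]',
    'Apache-Error: [file "mod_authz_core.c"] [line 809] [level 7] AH01626: authorization result of %s: %s',
    'Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s',
]
PATCHED_SAMPLE = [
    'Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 127.0.13.37] ModSecurity: '
    'Warning. Matched phrase "/etc/passwd" at ARGS:p. [id "930120"] [msg "OS File Access Attempt"] '
    '[severity "CRITICAL"] [hostname "host"] [uri "/owasp?p=%2Fetc%2Fpasswd"] [unique_id "V@u@5QoAAwYAAEOwTukAAAAA"]',
    'Action: Intercepted (phase 2)',
]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED_SAMPLE), ("patched", PATCHED_SAMPLE)):
        for rec in scan_audit_log(sample):
            print(f"{name}: {rec['file']}:{rec['line']} {rec['state']:9} {rec['message'][:60]}")
        print(f"{name}: hook_is_patched -> {hook_is_patched(sample)}")
```

Feed it the section-H lines of a real audit log (for example everything after the "--xxxx-H--" marker of one transaction) and a result of False means the running module still copies the format string; None means the transaction captured no httpd error-log entry at all, so nothing can be concluded from it.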

@marcstern

works for me also on httpd 2.4.23

@dune73 (Member) commented Sep 29, 2016

Hmm. I need to start over from scratch. Thank you guys.

@arminabf (Author) commented Oct 5, 2016

many thanks for testing @marcstern

@zimmerle zimmerle self-assigned this Oct 6, 2016
zimmerle added a commit that referenced this pull request Oct 6, 2016
@dune73 (Member) commented Oct 7, 2016

I still do not know what shit I did when I first tested this, but I have now started over from scratch (hat tip to @zimmerle for the ping) and I can confirm: patch works as advertised. Thank you @arminabf.

@zimmerle (Contributor)

Thank you @dune73, @marcstern and @arminabf ! Patch is merged.
