ModSecurity causing 500 error codes for invalid requests even in DetectionOnly mode #334
Original reporter: plaa
plaa: Patch that fixes the defect.
plaa: I attached a patch that fixes this defect. It adds the check for APR_EOF in apache2_io.c and returns a different error code for it, and adds a check for that error code to mod_security2.c. I chose to return a 400 Bad Request error code in this condition, since that is what it basically is (though the cause may be a timeout / client disconnect). You may choose to change the response code and/or logging level. Before having this patch the following command would always produce a 500 error in the Apache access/error logs:
bpinto: Thanks Sampo. Yes, it looks like a bad request. I will check it a little bit more.
bpinto: Fixed in 2.6.0. Thanks
I have this internal server error 500 when trying to test SQL injection with mod security. What's the solution?
This bug has been reborn, because Apache (at least in RedHat/CentOS) since version 2.2.15-47 returns APR_INCOMPLETE (not APR_EOF) in the same case. Based on the same patch I have added a handler for APR_INCOMPLETE.
MODSEC-181: ModSecurity is causing certain invalid requests to always be logged as 500 Internal Server Error, even when in DetectionOnly mode.
When a POST request is made to the server and the client disconnects before sending all of the payload (as indicated by the Content-Length header), ModSecurity causes the request to be logged as 500 internal server error and the following is logged into the Apache error log:
[Thu Oct 21 05:35:51 2010] [error] [client xx.xx.xx.xx] ModSecurity: Error reading request body: End of file found [hostname "xx.yy.zz.com"] [uri "/foo/bar"] [unique_id "xx-yy-zz"]
If ModSecurity is disabled (SecRuleEngine Off) this is logged as 200 OK and nothing is reported in the error log. If ModSecurity is enabled even in DetectionOnly mode and SecRequestBodyAccess is on, this request becomes a 500 Internal Server Error. This is a severe issue, since 500 errors are often monitored and cause alarms. This defect means that an attacker can deterministically generate any amount of 500 errors on any server protected by ModSecurity. ModSecurity itself should never generate a 500 error, since that indicates an error in the server, not in the request.
I hunted the source of the error condition to the function read_request_body() in apache2_io.c and the function hook_request_late() in mod_security2.c. ModSecurity should handle the APR_EOF error code separately in read_request_body() and return some other return value than -1 (which causes hook_request_late() to generate the 500 error code).
The only workaround seems to be to disable request body scanning, which limits the usefulness of ModSecurity severely.
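The failure mode described in this issue, as an added stand-alone example (not ModSecurity's own code): a simulated read_request_body() that reports a client disconnecting before Content-Length bytes arrive (APR_EOF on older APR, APR_INCOMPLETE on newer builds) as a distinct return value, so that hook_request_late() can answer 400 instead of 500. The status enums, fake_client struct and read_chunk() are constructed stand-ins for the APR bucket-brigade API.

```c
#include <stddef.h>

/* Constructed stand-ins for APR status values (not apr_errno.h). */
enum { ST_OK = 0, ST_EOF = 1, ST_INCOMPLETE = 2, ST_IO_FAILURE = 3 };

/* Return values of the simulated read_request_body(). Before the fix,
 * a truncated body collapsed into BODY_ERROR (-1) and thus into a 500. */
enum { BODY_OK = 1, BODY_ERROR = -1, BODY_CLIENT_DISCONNECT = -2 };

/* Constructed stand-in for a client connection. */
typedef struct {
    size_t available;       /* bytes the client delivers before going away */
    int disconnect_status;  /* ST_EOF (older APR) or ST_INCOMPLETE (newer APR) */
    int io_failure;         /* nonzero = socket error instead of a clean disconnect */
} fake_client;

/* Simulated bucket read: how many of the `want` bytes at `off` arrive. */
static int read_chunk(const fake_client *c, size_t off, size_t want, size_t *got) {
    if (c->io_failure)
        return ST_IO_FAILURE;
    if (off >= c->available)
        return c->disconnect_status;   /* client went away early */
    *got = (c->available - off < want) ? c->available - off : want;
    return ST_OK;
}

/* Read Content-Length bytes; an early disconnect is NOT a server error. */
int read_request_body(const fake_client *c, size_t content_length) {
    size_t off = 0;
    while (off < content_length) {
        size_t got = 0;
        int rc = read_chunk(c, off, content_length - off, &got);
        if (rc == ST_EOF || rc == ST_INCOMPLETE)
            return BODY_CLIENT_DISCONNECT;  /* the case the patch adds */
        if (rc != ST_OK)
            return BODY_ERROR;              /* genuine read failure */
        off += got;
    }
    return BODY_OK;
}

/* Map the body-read result to the HTTP status the request is logged with. */
int hook_request_late(const fake_client *c, size_t content_length) {
    int rc = read_request_body(c, content_length);
    if (rc == BODY_CLIENT_DISCONNECT)
        return 400;   /* truncated body: the client's fault, not the server's */
    if (rc == BODY_ERROR)
        return 500;   /* only a real server-side failure should reach here */
    return 200;
}
```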