
ModSecurity status is using the server version informed by SecServerSignature #702

Closed
zimmerle opened this issue Apr 16, 2014 · 1 comment
Labels: bug (It is a confirmed bug), Platform - Apache

@zimmerle
Contributor

If SecServerSignature is used, ModSecurity is sending the signature that was informed instead of the real one. It should send the real data.

[...] mod_security2.c(595): SecServerSignature: Changed server signature to "SpiderServer v0.1a".
[...] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[...] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[...] ModSecurity: PCRE compiled version="8.31 "; loaded version="8.31 2012-07-06"
[...] ModSecurity: LUA compiled version="Lua 5.1"
[...] ModSecurity: LIBXML compiled version="2.9.1"
[...] Original server signature: Apache/2.4.6 (Ubuntu)
[...] ModSecurity: StatusEngine call: "2.8.0,SpiderServer v0.1a,1.4.8/1.4.8,8.31/8.31 2012-07-06,Lua 5.1,2.9.1,798e0416216657906fdb5c17325fa2f7fd29d1f3"
[...] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/

Note: This only affects Apache.

Test case created at: https://github.com/SpiderLabs/ModSecurity/blob/serversignature_status/tests/regression/misc/20-status-engine.pl#L50-L72

Originally reported by: Linas
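
A log check for the behaviour reported above, as an added example that is not part of the issue or of ModSecurity's test suite: it reads the three error-log messages quoted in the report and says whether the StatusEngine call carries the original signature or the one set by SecServerSignature. The function name is hypothetical, and the position of the signature as the second comma-separated field is an assumption read off the log above.

```python
import re

# Patterns for the three error-log messages quoted in this issue.
CHANGED = re.compile(r'SecServerSignature: Changed server signature to "(.*)"\.')
ORIGINAL = re.compile(r'Original server signature: (.*)$')
STATUS = re.compile(r'StatusEngine call: "(.*)"')

def status_signature_source(log_text):
    """Say which signature the StatusEngine call carries:
    'original', 'overridden', 'unknown', or None if no call was logged."""
    changed = original = payload = None
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := CHANGED.search(line):
            changed = m.group(1)
        elif m := ORIGINAL.search(line):
            original = m.group(1)
        elif m := STATUS.search(line):
            payload = m.group(1)
    if payload is None:
        return None
    # Assumption: the signature is the second comma-separated field.
    # Compare by prefix instead of split(",") so commas inside a signature are tolerated.
    rest = payload.partition(",")[2]
    candidates = [("original", original), ("overridden", changed)]
    candidates = [(name, sig) for name, sig in candidates if sig]
    # Longest candidate first, so a signature that is a prefix of the other cannot shadow it.
    for name, sig in sorted(candidates, key=lambda c: len(c[1]), reverse=True):
        if rest == sig or rest.startswith(sig + ","):
            return name
    return "unknown"

# Log lines as quoted in the issue (affected behaviour).
AFFECTED_LOG = '''\
[...] mod_security2.c(595): SecServerSignature: Changed server signature to "SpiderServer v0.1a".
[...] Original server signature: Apache/2.4.6 (Ubuntu)
[...] ModSecurity: StatusEngine call: "2.8.0,SpiderServer v0.1a,1.4.8/1.4.8,8.31/8.31 2012-07-06,Lua 5.1,2.9.1,798e0416216657906fdb5c17325fa2f7fd29d1f3"
'''
# Constructed sample: the same call carrying the original signature instead.
EXPECTED_LOG = AFFECTED_LOG.replace('"2.8.0,SpiderServer v0.1a,', '"2.8.0,Apache/2.4.6 (Ubuntu),')

if __name__ == "__main__":
    print(status_signature_source(AFFECTED_LOG))
    print(status_signature_source(EXPECTED_LOG))
```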

@zimmerle zimmerle added this to the v2.8.1-RC1 milestone Apr 16, 2014
@zimmerle zimmerle self-assigned this Apr 16, 2014
zimmerle pushed a commit that referenced this issue Nov 4, 2014
On Apache platform the server signature can be replaced using the
SecServerSignature directive. Status call was using the signature informed by
this directive instead of using the original one. As reported at #702.
@zimmerle
Contributor Author

zimmerle commented Nov 4, 2014

Closed in our branch "master".

@zimmerle zimmerle closed this as completed Nov 4, 2014
zimmerle pushed a commit that referenced this issue Nov 14, 2014
On Apache platform the server signature can be replaced using the
SecServerSignature directive. Status call was using the signature informed by
this directive instead of using the original one. As reported at #702.