
Apache Web Server Forum

    
Warning in error logs - modsecurity? - cannot figure what is triggerin
Just noticed errors in my logs, I have no comprehension of what they mean a
nigelt74




msg:4179988
 1:07 am on Aug 1, 2010 (gmt 0)

I am getting these:

[Sat Jul 31 20:00:01 2010] [error] [client 203.109.218.84] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "mysite.co.nz"] [uri "/shop/index.php"] [unique_id "w@@Ch38AAAEAADkHKG4AAAAD"]

[Sat Jul 31 20:04:34 2010] [error] [client 77.88.42.27] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "mysite.co.nz"] [uri "/shop/index.php"] [unique_id "0EuCtX8AAAEAADkYKVwAAAAK"]


From what I understand it is something to do with using reserved words in pages? Which makes very little sense, as surely they can account for everyday words. I have checked the forum and there is no dodgy-looking code there in the posts.

It seems to be only affecting Zen Cart and phpBB, but there again I haven't got through the whole log yet, as it seems to be huge.

Any help would be appreciated.

[edited by: jdMorgan at 3:00 am (utc) on Aug 2, 2010]
[edit reason] Disabled smilies for readability. [/edit]
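Added example (not part of the thread or any poster's code): a small Python triage script for a large error log like the one quoted above. It groups ModSecurity entries by rule id and URI and separates log-only "Warning" entries from "Access denied" blocks. The sample lines are constructed; the documentation IPs, the shortened pattern and rule id 999999 are placeholders.

```python
import re
from collections import defaultdict

# Apache 2.2-style prefix: [time] [level] [client ip] ModSecurity: <action>. ...
PREFIX = re.compile(r'^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<client>[^\]]+)\] '
                    r'ModSecurity: (?P<action>[^.]+)\.')
# Trailing metadata such as [id "970903"] or [uri "/shop/index.php"]
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_entry(line):
    """Parse one ModSecurity error-log line; return None for other lines."""
    m = PREFIX.match(line)
    if not m:
        return None
    entry = {"ts": m["ts"], "client": m["client"], "action": m["action"]}
    entry.update(FIELD.findall(line))  # repeated keys (e.g. tag): last one wins
    # "Warning" is log-only; "Access denied ..." means the request was blocked.
    entry["blocked"] = entry["action"].startswith("Access denied")
    return entry

def summarize(lines):
    """Group hits by (rule id, uri) -> count, distinct clients, msg, blocked."""
    groups = defaultdict(lambda: {"count": 0, "clients": set(), "msg": "", "blocked": False})
    for entry in filter(None, map(parse_entry, lines)):
        g = groups[(entry.get("id", "-"), entry.get("uri", "-"))]
        g["count"] += 1
        g["clients"].add(entry["client"])
        g["msg"] = entry.get("msg", "")
        g["blocked"] = g["blocked"] or entry["blocked"]
    return dict(groups)

# Constructed sample lines: documentation IPs, shortened pattern, placeholder id 999999.
WARN = ('[Sat Jul 31 20:00:01 2010] [error] [client {c}] ModSecurity: Warning. Match of '
        '"rx (?:gif)" against "RESPONSE_BODY" required. [line "59"] [id "970903"] '
        '[msg "ASP/JSP source code leakage"] [severity "WARNING"] [uri "{u}"]')
SAMPLE = [
    WARN.format(c="192.0.2.10", u="/shop/index.php"),
    WARN.format(c="198.51.100.7", u="/shop/index.php"),
    WARN.format(c="192.0.2.10", u="/forum/viewtopic.php"),
    '[Sat Jul 31 20:01:10 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico',
    '[Sat Jul 31 20:02:00 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "x" at ARGS:q. [id "999999"] [msg "placeholder rule"] [uri "/shop/search.php"]',
]

if __name__ == "__main__":
    for (rule, uri), g in sorted(summarize(SAMPLE).items()):
        state = "BLOCKED" if g["blocked"] else "log-only"
        print(rule, uri, g["count"], len(g["clients"]), state, g["msg"])
```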

 

nigelt74




msg:4180036
 4:14 am on Aug 1, 2010 (gmt 0)

Both of these I have gzip encoding set up on; I'm guessing that may be the cause?

What are these errors actually doing? As in, are they blocking people from accessing the site, or are they just warnings no one sees but the log?

jdMorgan




msg:4180554
 1:03 pm on Aug 2, 2010 (gmt 0)

It seems to be complaining that it got a match on the regular-expressions pattern shown in the log entry while it was scanning the output that your server sent back to the client. Based on that pattern, it 'thinks' that you are sending .asp or .jsp code back to the client, and is warning you that either your .asp or .jsp handler isn't working (incorrectly configured server), or that someone is fetching your source code directly.

However, if you are serving compressed data, then that may in fact be fooling this filter, because the filter is looking at the compressed data, doesn't 'know' it's compressed, and is thinking that it sees uncompressed ASP or JSP code.

So really, the mod_security filter should be disabled for all compressed content. You might be able to have the filter de-compress the data before scanning it, but that would involve an awful lot of extra work, and I have no idea how you'd configure that...

In fact, I just wrote almost everything I know about mod_security here... :)

This is just a warning in your logs, but you *are* wasting CPU time filtering compressed output and logging this warning, so I'd recommend taking action to disable the filter on compressed output.

Jim

Frank_Rizzo




msg:4180572
 1:32 pm on Aug 2, 2010 (gmt 0)

The characters which are triggering this are:

<%

Do you have that on your pages?

You can crank up the debug levels to see more info but the files will be huge if you get a lot of traffic.

---

Is this a default installation of mod security?

Outbound filtering can slow your site down a lot and may not actually be needed in some cases.

If you want to turn off all outbound filtering, just rem out the line to load it in your mod_security.conf file:

# Include modsecurity.d/modsecurity_crs_50_outbound.conf

Or just turn off rule 970903 individually.

You need to consider if you really need outbound filtering and / or that specific rule. I guess if you are not using asp/jsp then you don't need rule 970903.

nigelt74




msg:4180786
 8:42 pm on Aug 2, 2010 (gmt 0)

I am on shared hosting. I also don't use asp/jsp, so the hosting people have turned off that specific rule.
