
Forum Moderators: Ocean10000 & incrediBILL & phranque


Warning in error logs - modsecurity? - cannot figure what is triggerin

Just noticed errors in my logs, I have no comprehension of what they mean a



1:07 am on Aug 1, 2010 (gmt 0)

10+ Year Member

I am getting these

[Sat Jul 31 20:00:01 2010] [error] [client] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "mysite.co.nz"] [uri "/shop/index.php"] [unique_id "w@@Ch38AAAEAADkHKG4AAAAD"]

[Sat Jul 31 20:04:34 2010] [error] [client] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "mysite.co.nz"] [uri "/shop/index.php"] [unique_id "0EuCtX8AAAEAADkYKVwAAAAK"]

From what I understand it is something to do with using reserved words in pages, which makes very little sense as surely they can account for everyday words. I have checked the forum and there is no dodgy-looking code there in the posts.

It seems to be only affecting zencart and phpBB, but there again I haven't got through the whole log yet as it seems to be huge.

Any help would be appreciated

[edited by: jdMorgan at 3:00 am (utc) on Aug 2, 2010]
[edit reason] Disabled smilies for readability. [/edit]


4:14 am on Aug 1, 2010 (gmt 0)

10+ Year Member

Both of these I have gzip encoding set up on; I'm guessing that may be the cause?

What are these errors actually doing, as in are they blocking people from accessing the site or are they just warnings no one sees but the log?


1:03 pm on Aug 2, 2010 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

It seems to be complaining that it got a match on the regular-expressions pattern shown in the log entry while it was scanning the output that your server sent back to the client. Based on that pattern, it 'thinks' that you are sending .asp or .jsp code back to the client, and is warning you that either your .asp or .jsp handler isn't working (incorrectly configured server), or that someone is fetching your source code directly.

However, if you are serving compressed data, then that may in fact be fooling this filter, because the filter is looking at the compressed data, doesn't 'know' it's compressed, and is thinking that it sees uncompressed ASP or JSP code.

So really, the mod_security filter should be disabled for all compressed content. You might be able to have the filter de-compress the data before scanning it, but that would involve an awful lot of extra work, and I have no idea how you'd configure that...

In fact, I just wrote almost everything I know about mod_security here... :)

This is just a warning in your logs, but you *are* wasting CPU time filtering compressed output and logging this warning, so I'd recommend taking action to disable the filter on compressed output.



1:32 pm on Aug 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

The characters which are triggering this are:


Do you have that on your pages?

You can crank up the debug levels to see more info but the files will be huge if you get a lot of traffic.


Is this a default installation of mod security?

Outbound filtering can slow your site down a lot and may not actually be needed in some cases.

If you want to turn off all outbound filtering, just rem out the line to load it in your mod_security.conf file:

# Include modsecurity.d/modsecurity_crs_50_outbound.conf

Or just turn off rule 970903 individually.

You need to consider if you really need outbound filtering and/or that specific rule. I guess if you are not using asp/jsp then you don't need rule 970903.


8:42 pm on Aug 2, 2010 (gmt 0)

10+ Year Member

I am on shared hosting. I also don't use asp/jsp, so the hosting people have turned off that specific rule.
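
One way to triage a large error log like the one described in this thread, as an added example that is not part of any post above: it counts ModSecurity entries per rule id and URI, and separates "Warning" entries (logged only) from "Access denied" entries (request blocked). The sample lines are constructed from the entries quoted in the thread; the shortened regex, the /forum/ URI, rule id 000000 and its message are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entries quoted in this thread: the regex is
# shortened, and the /forum/ URI, rule id 000000 and its message are placeholders.
SAMPLE_LOG = r'''
[Sat Jul 31 20:00:01 2010] [error] [client] ModSecurity: Warning. Match of "rx (?:gif)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "mysite.co.nz"] [uri "/shop/index.php"] [unique_id "AAAA"]
[Sat Jul 31 20:04:34 2010] [error] [client] ModSecurity: Warning. Match of "rx (?:gif)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "mysite.co.nz"] [uri "/shop/index.php"] [unique_id "BBBB"]
[Sat Jul 31 20:05:10 2010] [error] [client] ModSecurity: Warning. Match of "rx (?:gif)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "mysite.co.nz"] [uri "/forum/index.php"] [unique_id "CCCC"]
[Sat Jul 31 20:06:00 2010] [error] [client] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:q. [file "/etc/httpd/modsecurity.d/placeholder.conf"] [line "1"] [id "000000"] [msg "constructed placeholder rule"] [hostname "mysite.co.nz"] [uri "/shop/index.php"] [unique_id "DDDD"]
[Sat Jul 31 20:07:00 2010] [error] [client] File does not exist: /var/www/favicon.ico
'''

# Bracketed metadata such as [id "970903"] or [uri "/shop/index.php"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# "Warning" means the rule matched and was only logged;
# "Access denied" means ModSecurity blocked the request.
ACTION = re.compile(r'ModSecurity: (Warning|Access denied)')

def parse_line(line):
    """Return the metadata of one ModSecurity log line, or None for other lines."""
    action = ACTION.search(line)
    if not action:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first value; [tag ...] can repeat
    fields["blocked"] = action.group(1) == "Access denied"
    return fields

def summarise(log_text):
    """Count events per (rule id, message, URI, blocked?)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            key = (event.get("id", "?"), event.get("msg", "?"),
                   event.get("uri", "?"), event["blocked"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (rule_id, msg, uri, blocked), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {'BLOCKED' if blocked else 'warning'}  {rule_id}  {uri}  {msg}")
```

Pointing `summarise` at the contents of the real error log gives a per-rule, per-URI count, which shows whether a rule such as 970903 only warns and which applications it fires on.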
