[Owasp-modsecurity-core-rule-set] [JIRA] Resolved: (CORERULES-40) tx.restricted_headers partial string comparison

Ryan Barnett (JIRA) Ryan.Barnett at breach.com
Thu Aug 19 15:55:11 EDT 2010


     [ https://www.modsecurity.org/tracker/browse/CORERULES-40?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Barnett resolved CORERULES-40.
-----------------------------------

    Fix Version/s: 2.0.7
       Resolution: Fixed

Fixed the issue by specifying /../ separators around payloads.  Fixed in CRS v.2.0.7

> tx.restricted_headers partial string comparison
> -----------------------------------------------
>
>                 Key: CORERULES-40
>                 URL: https://www.modsecurity.org/tracker/browse/CORERULES-40
>             Project: Core Rules
>          Issue Type: Bug
>      Security Level: Normal
>    Affects Versions: 2.0.6
>         Environment: CRS 2.0.6
> Apache 2.2.15
> ModSecurity 2.5.12
>            Reporter: Colin Watson
>            Assignee: Ryan Barnett
>             Fix For: 2.0.7
>
>
> In modsecurity_crs_10_config.conf, the suggested configuration for tx.restricted_headers is:
> setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"
> The header name "Connection" seems to be matched by:
> SecRule REQUEST_HEADERS_NAMES "@within %{tx.restricted_headers}" "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" 
> in modsecurity_crs_30_http_policy.conf.  Although tx.restricted_headers could be edited, should the shorter actual header name be matching part of the longer restricted header name or could a more exact match be specified?
> --29000000-B--
> GET / HTTP/1.0
> User-Agent: Mozilla/4.0 (**********)
> Host: ****************
> Connection: Keep-Alive
> --29000000-H--
> Message: String match within "Proxy-Connection Lock-Token Content-Range Translate via if" at REQUEST_HEADERS_NAMES:Connection. [file "*********/base_rules/modsecurity_crs_30_http_policy.conf"] [line "99"] [id "960038"] [msg "HTTP header is restricted by policy"] [data "Connection"] [severity "WARNING"] [tag "POLICY/HEADER_RESTRICTED"] [tag "POLICY/FILES_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/12.1"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/12.1"]

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://www.modsecurity.org/tracker/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
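The issue above is a substring-match problem: ModSecurity's `@within` operator returns true when the variable's value occurs anywhere inside the parameter string, so the bare header name `Connection` is found inside the list entry `Proxy-Connection` (and `Range` would be found inside `Content-Range`). Wrapping every list entry, and the name being tested, in `/.../` delimiters makes only whole entries match. The following Python script is an added illustration and is not code from the CRS project or from this JIRA thread; it emulates `@within` as a plain substring test and assumes, as a labelled guess at the 2.0.7 fix, that the restricted-header list became `/Proxy-Connection/ /Lock-Token/ ...` with the tested name wrapped the same way.

```python
# Added example (not CRS code, not from the JIRA thread): emulates the substring
# semantics of ModSecurity's @within operator to show why the CRS 2.0.6
# restricted-header check fired on "Connection", and how "/.../" delimiters
# around each entry make the comparison exact.

# Verbatim from the issue: the CRS 2.0.6 list as shipped in modsecurity_crs_10_config.conf
RESTRICTED_206 = "Proxy-Connection Lock-Token Content-Range Translate via if"

# Assumed shape of the 2.0.7 fix ("/../ separators around payloads"); constructed here
RESTRICTED_207 = "/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/"


def within(value: str, param: str) -> bool:
    """Emulates @within: true when `value` occurs anywhere in `param` (substring match)."""
    return value in param


def header_restricted_206(header_name: str) -> bool:
    """CRS 2.0.6 style: the bare header name is compared against the bare list."""
    return within(header_name, RESTRICTED_206)


def header_restricted_207(header_name: str) -> bool:
    """Delimited style: the tested name is wrapped in '/' so only a whole entry can match."""
    return within(f"/{header_name}/", RESTRICTED_207)


def evaluate(headers, checker):
    """Return the header names that `checker` flags, in request order."""
    return [name for name in headers if checker(name)]


# Constructed request header names, modelled on the audit-log fragment in the issue
# plus two extra names that expose the substring problem.
REQUEST_HEADERS = ["User-Agent", "Host", "Connection", "Range", "Proxy-Connection"]

if __name__ == "__main__":
    # 2.0.6 flags Connection and Range (false positives) as well as Proxy-Connection
    print("2.0.6:", evaluate(REQUEST_HEADERS, header_restricted_206))
    # Delimited list flags only the genuinely restricted Proxy-Connection header
    print("2.0.7:", evaluate(REQUEST_HEADERS, header_restricted_207))
```

Two caveats when carrying this over to real rules: `@within` compares bytes as-is, so header-name case must be normalised (for example with `t:lowercase` on both the list and the variable) if the list is lower-case, and the `/` wrapping of the live header name has to be done inside the rule chain rather than in a script, since `REQUEST_HEADERS_NAMES` itself cannot be rewritten.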

        

