[Owasp-modsecurity-core-rule-set] "Too many arguments in request in default CRS installation" looks like bug in CRS

Ryan Barnett ryan.barnett at breach.com
Wed Jul 7 11:47:58 EDT 2010


On Wednesday 07 July 2010 11:41:43 Taras wrote:
> Hi, all!
> 
> Debian 5.0 Lenny, ModSecurity Version: 2.5.11 installed from backports
> modsecurity-crs_2.0.7
> --------------
> 
> In the default installation I get the following error in the log when I try to access
> /index.php?d=11&dfgdfgdg=g
> 
> [Wed Jul 07 19:30:44 2010] [error] [client **.**.**.**] ModSecurity:
> Warning. Operator GE matched 0 at TX:inbound_anomaly_score. [file
> "/etc/apache2/conf.d/modsecurity_crs/base_rules/modsecurity_crs_60_correla
> tion.conf"] [line "35"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
> Score: 5, SQLi=, XSS=): Too many arguments in request"] [hostname
> "******.*****.**"] [uri "/index.php"] [unique_id
> "TDSdpFf69wEAADdkAA4AAAAA"]
> 
> After that I commented out the line
> SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
> in modsecurity_crs_10_config.conf and it is OK and there is no error in the
> log.
> 
> How can I correctly limit the number of arguments, and is there a bug in CRS?

The first issue is to actually confirm that your application legitimately uses more than 255
arguments/parameters in a request. If so, what you should do is to update the
tx.max_num_args setting in that line to accommodate the appropriate number.

-Ryan
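
The confirmation step described in the reply above can be run against web server access logs before tx.max_num_args is changed. The following Python sketch is an added example, not part of the original thread or of CRS: the log lines are constructed, the function names are hypothetical, and it counts only query-string arguments, since request-body parameters (which ModSecurity also includes in ARGS) do not appear in access logs.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache common log format), not from the thread.
# The second request carries 300 query-string arguments.
_MANY = "&".join(f"f{i}={i}" for i in range(300))
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [07/Jul/2010:19:30:44 +0000] "GET /index.php?d=11&dfgdfgdg=g HTTP/1.1" 200 512',
    f'192.0.2.11 - - [07/Jul/2010:19:31:02 +0000] "GET /report.php?{_MANY} HTTP/1.1" 200 904',
    '192.0.2.12 - - [07/Jul/2010:19:31:09 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.13 - - [07/Jul/2010:19:31:15 +0000] "-" 408 0',  # no request line
])

# Request line inside the quoted field: METHOD, target, protocol.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def count_query_args(target):
    """Number of name=value pairs in the query string, blank values included."""
    return len(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def max_args_per_path(log_text):
    """Map each request path to the largest argument count seen for it."""
    seen = {}
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or empty request line
        target = match.group(1)
        path = urlsplit(target).path
        seen[path] = max(seen.get(path, 0), count_query_args(target))
    return seen


def paths_over_limit(log_text, limit=255):
    """Paths whose observed argument count exceeds the candidate limit."""
    return {p: n for p, n in max_args_per_path(log_text).items() if n > limit}


if __name__ == "__main__":
    for path, count in sorted(max_args_per_path(SAMPLE_LOG).items()):
        print(f"{path}: max {count} query-string arguments")
    print("over 255:", paths_over_limit(SAMPLE_LOG))
```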

