[Owasp-modsecurity-core-rule-set] "Too many arguments in request in default CRS installation" looks like bug in CRS
Taras
oxdef at oxdef.info
Wed Jul 7 14:33:35 EDT 2010
Hi, Ryan!
> On Wednesday 07 July 2010 11:41:43 Taras wrote:
>> Hi, all!
>>
>> Debian 5.0 Lenny, ModSecurity Version: 2.5.11 installed from backports
>> modsecurity-crs_2.0.7
>> --------------
>>
>> In default installation I have follow error in log when try to access
>> /index.php?d=11&dfgdfgdg=g
>>
>> [Wed Jul 07 19:30:44 2010] [error] [client **.**.**.**] ModSecurity:
>> Warning. Operator GE matched 0 at TX:inbound_anomaly_score. [file
>> "/etc/apache2/conf.d/modsecurity_crs/base_rules/modsecurity_crs_60_correla
>> tion.conf"] [line "35"] [msg "Inbound Anomaly Score Exceeded (Total Inbound
>> Score: 5, SQLi=, XSS=): Too many arguments in request"] [hostname
>> "******.*****.**"] [uri "/index.php"] [unique_id
>> "TDSdpFf69wEAADdkAA4AAAAA"]
>>
>> After that I commented line
>> SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
>> in modsecurity_crs_10_config.conf and it is ok and there is no error in
>> log.
>>
>> How can I correctly limit number of arguments and is there bug in CRS?
>
> First issue is to actually confirm that your application legitimately uses more then 255
> arguments/parameters in a request. If so, what you should do is to update the
> tx.max_num_args setting in that line to accommodate the appropriate number.
My webapp in this case is simple *empty* script /index.php.
Problem is if such line is not commented there is error message in log
when I try to get /index.php with *some* params.
--
Taras
http://oxdef.info
----
"Software is like sex: it's better when it's free." - Linus Torvalds
More information about the Owasp-modsecurity-core-rule-set
mailing list