[Owasp-modsecurity-core-rule-set] "Too many arguments in request in default CRS installation" looks like bug in CRS
Ryan Barnett
ryan.barnett at breach.com
Wed Jul 7 15:58:46 EDT 2010
On Wednesday 07 July 2010 14:33:35 Taras wrote:
> Hi, Ryan!
>
> > On Wednesday 07 July 2010 11:41:43 Taras wrote:
> >> Hi, all!
> >>
> >> Debian 5.0 Lenny, ModSecurity Version: 2.5.11 installed from backports
> >> modsecurity-crs_2.0.7
> >> --------------
> >>
> >> In the default installation I get the following error in the log when I try to access
> >> /index.php?d=11&dfgdfgdg=g
> >>
> >> [Wed Jul 07 19:30:44 2010] [error] [client **.**.**.**] ModSecurity:
> >> Warning. Operator GE matched 0 at TX:inbound_anomaly_score. [file
> >> "/etc/apache2/conf.d/modsecurity_crs/base_rules/modsecurity_crs_60_correlation.conf"]
> >> [line "35"] [msg "Inbound Anomaly Score Exceeded (Total
> >> Inbound Score: 5, SQLi=, XSS=): Too many arguments in request"]
> >> [hostname "******.*****.**"] [uri "/index.php"] [unique_id
> >> "TDSdpFf69wEAADdkAA4AAAAA"]
> >>
> >> After that I commented out the line
> >> SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
> >> in modsecurity_crs_10_config.conf and it is OK and there is no error in
> >> the log.
> >>
> >> How can I correctly limit the number of arguments, and is there a bug in CRS?
> >
> > The first issue is to actually confirm that your application legitimately
> > uses more than 255 arguments/parameters in a request. If so, what you
> > should do is to update the tx.max_num_args setting in that line to
> > accommodate the appropriate number.
>
> My webapp in this case is a simple *empty* script, /index.php.
> The problem is that if this line is not commented out, there is an error
> message in the log when I try to get /index.php with *some* params.

I think I found a bug in the 23 file. The 2nd rule in the chain should have the & before
the variable so as to count the total number of parameter names. Update it to this -

SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
    "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.0.6'"
SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" \
    "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
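
Added example (not part of the original message and not CRS code): a simplified Python model of what the & prefix changes when a rule compares a collection against a numeric limit such as tx.max_num_args. The function names, the sample query strings other than the reported one, and the integer-parsing behaviour of the numeric operator are assumptions made for illustration.

```python
# Added example: simplified model of ModSecurity variable targeting, not CRS code.
import re
from urllib.parse import parse_qsl


def parse_args(query):
    """Return (name, value) pairs as the ARGS collection would hold them (query string only)."""
    return parse_qsl(query, keep_blank_values=True)


def to_int(text):
    """Assumption: a numeric operator reads a leading integer and treats anything else as 0."""
    match = re.match(r"\s*[+-]?\d+", text)
    return int(match.group()) if match else 0


def gt_on_count(query, limit):
    """Models `SecRule &ARGS "@gt limit"`: one comparison against the number of items."""
    return len(parse_args(query)) > limit


def gt_on_values(query, limit):
    """Models `SecRule ARGS "@gt limit"`: every argument value is compared in turn."""
    return any(to_int(value) > limit for _, value in parse_args(query))


# Sample query strings; BIG_VALUE and MANY_ARGS are constructed for this example.
REPORTED = "d=11&dfgdfgdg=g"                           # query string from the report above
BIG_VALUE = "id=1000"                                  # one argument with a large value
MANY_ARGS = "&".join(f"p{i}=1" for i in range(300))    # 300 arguments with small values

if __name__ == "__main__":
    for label, query in [("reported", REPORTED), ("big value", BIG_VALUE), ("many args", MANY_ARGS)]:
        print(f"{label:10} count-form={gt_on_count(query, 255)!s:5} "
              f"value-form={gt_on_values(query, 255)}")
```

In this model the counted form stays quiet for the two-parameter request from the report and fires only when the request really carries more than 255 arguments, while the uncounted form both alerts on a single large value and misses the 300-argument request.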