[Owasp-modsecurity-core-rule-set] "Too many arguments in request in default CRS installation" looks like bug in CRS

Taras oxdef at oxdef.info
Mon Jul 12 12:02:57 EDT 2010


Hi, Ryan!

One more thing:
It looks like ModSecurity also needs to be v2.5.12.
I have just compiled it from source and it's OK.

In the CRS config we can see this message:
"...
**MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
operators.  If you have an earlier version, edit the 49/59 files directly to
set the appropriate anomaly score levels.
..."

> > >> 
> > >> Debian 5.0 Lenny, ModSecurity Version: 2.5.11 installed from backports
> > >> modsecurity-crs_2.0.7
> > >> --------------
> > >> 
> > >> In the default installation I have the following error in the log when I try to access
> > >> /index.php?d=11&dfgdfgdg=g
> > >> 
> > >> [Wed Jul 07 19:30:44 2010] [error] [client **.**.**.**] ModSecurity:
> > >> Warning. Operator GE matched 0 at TX:inbound_anomaly_score. [file
> > >> "/etc/apache2/conf.d/modsecurity_crs/base_rules/modsecurity_crs_60_correlation.conf"]
> > >> [line "35"] [msg "Inbound Anomaly Score Exceeded (Total
> > >> Inbound Score: 5, SQLi=, XSS=): Too many arguments in request"]
> > >> [hostname "******.*****.**"] [uri "/index.php"] [unique_id
> > >> "TDSdpFf69wEAADdkAA4AAAAA"]
> > >> 
> > >> After that I commented out the line
> > >> SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
> > >> in modsecurity_crs_10_config.conf and it is ok and there is no error in
> > >> log.
> > >> 
> > >> How can I correctly limit the number of arguments, and is there a bug in CRS?
> > > 
> > > First issue is to actually confirm that your application legitimately
> > > uses more than 255 arguments/parameters in a request.  If so, what you
> > > should do is to update the tx.max_num_args setting in that line to
> > > accommodate the appropriate number.
> > 
> > My webapp in this case is a simple *empty* script /index.php.
> > The problem is that if that line is not commented out, there is an error message in the log
> > when I try to get /index.php with *some* params.
> 
> I think I found a bug in the 23 file.  The 2nd rule in the chain should have the & before
> the variable so as to count the total number of parameter names.  Update it to this -
> 
> SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
>         "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.0.6'"
>         SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" \
>                 "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
> 


-- 
Taras
http://oxdef.info
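
Added example, not part of the original message and not ModSecurity or CRS code: a simplified Python model of why the request from the report trips the argument limit on an engine without macro expansion in numeric operators. It assumes a rule of the form `&ARGS "@gt %{tx.max_num_args}"` and that the older engine converts the unexpanded string to 0 the way C `atoi()` would, which is consistent with the "Operator GE matched 0" in the log above; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl


def c_atoi(text):
    """Mimic C atoi(): the leading integer, or 0 when there is none."""
    m = re.match(r"\s*([+-]?\d+)", text)
    return int(m.group(1)) if m else 0


def expand(param, tx, macros_supported):
    """Replace %{tx.name} with its value only when the engine supports it."""
    if not macros_supported:
        return param  # operator sees the literal string "%{tx...}"
    return re.sub(r"%\{tx\.(\w+)\}",
                  lambda m: str(tx.get(m.group(1).lower(), "")), param)


def too_many_args(uri, tx, macros_supported):
    """Model of the assumed rule: SecRule &ARGS "@gt %{tx.max_num_args}"."""
    # "&ARGS" is a count of parameters, not their values
    count = len(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    limit = c_atoi(expand("%{tx.max_num_args}", tx, macros_supported))
    return count > limit, count, limit


# Value set by the SecAction line quoted in the report
TX = {"max_num_args": 255}
# Request taken from the report
URI = "/index.php?d=11&dfgdfgdg=g"

if __name__ == "__main__":
    for label, supported in (("no macro expansion (< 2.5.12)", False),
                             ("macro expansion (>= 2.5.12)", True)):
        hit, count, limit = too_many_args(URI, TX, supported)
        print(f"{label}: {count} args vs limit {limit} -> match={hit}")
```

In this model a request with no parameters never matches, which agrees with the report that the error only appears when /index.php is requested with some params.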

