[Owasp-modsecurity-core-rule-set] id "970903"] [msg "ASP/JSP source code leakage
Ryan Barnett
ryan.barnett at breach.com
Fri Mar 19 14:13:55 EDT 2010
On Friday 19 March 2010 14:09:16 James McIntyre wrote:
> I am receiving the following messages in modsec_audit. Can anyone point me
> in the direction of determining / deciphering what modsec is identifying
> as a problem ?
>
> Message: Match of "rx
> (?:\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?
> :lv|ws)|varg|cws)\\b|gif)|B(?:%pdf|\\.ra)\\b)" against "RESPONSE_BODY"
> required. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_50_outbound.conf"]
> [line "38"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity
> "ERROR"] [tag "LEAKAGE/SOURCE_CODE"]
>
>
> Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file
> "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"]
> [line "44"] [msg "Transactional Anomaly Score (score 15): ASP/JSP source
> code leakage"]
>
> system: fedora 12
> apache: 2.2.14-1
> mod_security-2.5.10-2
>
>
> Appreciate any assistance....jim
Rule ID 970903 is looking for the existence of "<%" in response body content as this is
most likely indicative of some server-side code that did not properly execute. The alert
match data is a bit confusing as it is actually data from the 2nd part of the chained SecRule,
which is attempting to exclude common false positive strings. I would look in the
audit_log for this event and see where the "<%" data string is to see if it is a false
positive or not.
-Ryan
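
One way to carry out the audit_log check suggested in the reply, as an added example that is not part of the original thread or the CRS itself: it splits a serial-format audit log into parts, finds "<%" in each logged response body (part E) and reports whether the exclusion pattern from the alert also matches. It assumes part E is enabled in `SecAuditLogParts`; the function names and the sample log are constructed for illustration.

```python
import re

# Exclusion pattern from the alert on this page ("\\b" in the log is "\b"), applied as
# printed; whether the rule transforms the body first is not shown on the page.
EXCLUDE = re.compile(
    r"(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|"
    r"f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)"
)
BOUNDARY = re.compile(r"^--([0-9a-fA-F]{8})-([A-Z])--$")  # audit log part marker

# Constructed sample: one JSP page served as source, one binary-looking body.
SAMPLE = """--a1b2c3d4-A--
[19/Mar/2010:14:09:16 --0400] constructed-entry-1
--a1b2c3d4-E--
<html><body><% String user = request.getParameter("u"); %></body></html>
--a1b2c3d4-Z--
--0f9e8d7c-A--
[19/Mar/2010:14:09:20 --0400] constructed-entry-2
--0f9e8d7c-E--
flv .. <% .. constructed video-like payload
--0f9e8d7c-Z--
"""

def split_sections(audit_text):
    """Return {txid: {part_letter: text}} for a serial-format audit log."""
    txs, txid, part = {}, None, None
    for line in audit_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            txid, part = m.group(1), m.group(2)
            txs.setdefault(txid, {}).setdefault(part, [])
        elif txid is not None:
            txs[txid][part].append(line)
    return {t: {p: "\n".join(v) for p, v in ps.items()} for t, ps in txs.items()}

def triage(audit_text, context=30):
    """List each response body containing "<%" with context and exclusion status."""
    findings = []
    for txid, parts in split_sections(audit_text).items():
        body = parts.get("E", "")
        hits = [m.start() for m in re.finditer(re.escape("<%"), body)]
        if hits:
            findings.append({
                "txid": txid,
                # True: a known binary/media marker is present, likely false positive
                "excluded": EXCLUDE.search(body) is not None,
                "snippets": [body[max(0, h - context):h + context] for h in hits],
            })
    return findings
```

Entries with `excluded` set to False are the ones to read first: the "<%" there sits in a body with none of the markers the second part of the chained rule is meant to exclude.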