I have encountered a puzzle involving rules 981220 and 981222. The two rules are testing for the presence of a default charset being sent either in the Content-type response header or a meta tag in the response body. The rules themselves inspect the RESPONSE_CONTENT_TYPE (Apache internal area) rather than the Content-type header per se.
In my audit log, I have a case where the Content-type response header is "text/html; charset=utf-8", but the log entry reports that the RESPONSE_CONTENT_TYPE contains only "text/html". This causes the two rules to fire. My question is, why does ModSecurity show a difference between the Content-type header and the RESPONSE_CONTENT_TYPE area?

Here's a typical audit log entry (identifying data replaced with "***"):

--4b594116-A--
[28/Mar/2012:09:02:46 --0600] T3MoFn8AAAEAACg91mkAAADM *** 30254 ***
--4b594116-B--
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1
Connection: close
Host: ***
Accept: text/html

--4b594116-F--
HTTP/1.1 200 OK
Last-Modified: Tue, 06 Oct 2009 14:45:37 GMT
ETag: "198-4754548896640"
Accept-Ranges: bytes
Content-Length: 408
Connection: close
Content-Type: text/html; charset=utf-8

--4b594116-H--
Message: Warning. Match of "rx (?i:(<meta.*?(content|value)=\"text/html;\\s?charset=|<\\?xml.*?encoding=))" against "RESPONSE_BODY" required. [file "/usr/local/apache/conf/site-conf/modsecurity/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "APP_DEFECT/MISCONFIGURATION"] [tag "http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms"]
Message: Warning. Match of "rx (<meta.*?(content|value)=\"text/html;\\s?charset=utf-8|<\\?xml.*?encoding=\"utf-8\")" against "RESPONSE_BODY" required. [file "/usr/local/apache/conf/site-conf/modsecurity/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8"]
Stopwatch: 1332946966251284 24295 (- - -)
Stopwatch2: 1332946966251284 24295; combined=7754, p1=1161, p2=4497, p3=48, p4=298, p5=1545, sr=344, sw=205, l=0, gc=0
Producer: ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/); core ruleset/2.2.4.
Server:
Sanitised-Request-Headers: "Authorization".

--4b594116-Z--

My setup, in case that helps:
Red Hat Enterprise Linux; kernel 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
Apache 2.4.1
ModSecurity 2.6.5
ModSecurity CRS 2.2.4

--
Michael Owens <mike.ow...@state.nm.us>

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
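As an added example (not part of the post, the CRS or ModSecurity itself), here is a small Python script that parses the serial-format audit log shown above and flags every 981220/981222 alert whose `[data ...]` value lacks a charset while the raw `Content-Type` header in part F carries one, which is exactly the discrepancy described in the post. The sample entry is constructed from the post's log (rule regexes abbreviated), and the function names are assumptions for illustration.

```python
"""Compare the Content-Type response header (audit-log part F) with the value
ModSecurity reported in the [data ...] field of CRS 981220/981222 (part H).

Hypothetical helper written for this example; not a ModSecurity or CRS tool.
"""
import re

# Constructed sample entry modelled on the post's audit log (identifying data kept as ***).
SAMPLE_ENTRY = """--4b594116-A--
[28/Mar/2012:09:02:46 --0600] T3MoFn8AAAEAACg91mkAAADM *** 30254 ***
--4b594116-B--
GET / HTTP/1.1
Host: ***
Accept: text/html

--4b594116-F--
HTTP/1.1 200 OK
Content-Length: 408
Content-Type: text/html; charset=utf-8

--4b594116-H--
Message: Warning. Match of "rx (...)" against "RESPONSE_BODY" required. [file "modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"]
Message: Warning. Match of "rx (...)" against "RESPONSE_BODY" required. [file "modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"]
Producer: ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/); core ruleset/2.2.4.
--4b594116-Z--

"""

# Part boundary line of the serial audit-log format: --<unique id>-<part letter>--
PART_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$', re.MULTILINE)
CHARSET_RULES = {'981220', '981222'}


def iter_entries(log_text):
    """Yield one audit entry at a time; each entry starts at its part-A boundary."""
    starts = [m.start() for m in PART_RE.finditer(log_text) if m.group(2) == 'A']
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(log_text)
        yield log_text[start:end]


def split_parts(entry):
    """Return {part letter: text} for a single entry (A, B, F, H, Z, ...)."""
    parts = {}
    marks = list(PART_RE.finditer(entry))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip('\n')
    return parts


def response_headers(part_f):
    """Parse part F (status line followed by headers) into a lower-cased dict."""
    headers = {}
    for line in part_f.splitlines()[1:]:   # skip the HTTP/1.1 status line
        if not line.strip():
            break
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return headers


def charset_of(content_type):
    """Return the charset parameter of a Content-Type value (lower-cased) or None."""
    m = re.search(r';\s*charset\s*=\s*"?([\w.-]+)"?', content_type or '', re.IGNORECASE)
    return m.group(1).lower() if m else None


def alerts(part_h):
    """Return (rule id, [data] value) for each 'Message:' line in part H."""
    found = []
    for line in part_h.splitlines():
        if not line.startswith('Message:'):
            continue
        rule = re.search(r'\[id "(\d+)"\]', line)
        data = re.search(r'\[data "([^"]*)"\]', line)
        found.append((rule.group(1) if rule else None, data.group(1) if data else None))
    return found


def check_entry(entry):
    """Flag charset-rule alerts where the header has a charset but the reported value does not."""
    parts = split_parts(entry)
    header_ct = response_headers(parts.get('F', '')).get('content-type')
    header_charset = charset_of(header_ct)
    findings = []
    for rule_id, data in alerts(parts.get('H', '')):
        if rule_id not in CHARSET_RULES:
            continue
        # The CRS data field reads "Content-Type Response Header: <value>"; keep the value.
        reported = data.split(':', 1)[1].strip() if data and ':' in data else data
        findings.append({
            'rule': rule_id,
            'header': header_ct,
            'header_charset': header_charset,
            'reported': reported,
            'suspect': header_charset is not None and charset_of(reported) is None,
        })
    return findings


def audit(log_text):
    """Run check_entry over every entry in a serial audit log."""
    return [f for entry in iter_entries(log_text) for f in check_entry(entry)]


if __name__ == '__main__':
    for f in audit(SAMPLE_ENTRY):
        print(f)
```

Run it against a real `SecAuditLog` file in serial format by passing the file contents to `audit()`; every finding with `suspect` set is an entry where the header on the wire did carry a charset but the value the rule evaluated did not. The script only reports what the log records and does not itself explain why the two values differ.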