Hi, I'm running Apache 2.2.24 with mod_security 2.7.1 and CRS 2.2.6. I've added a file to whitelist some URLs, and to ignore some SQL injection rules which are required for correct operation of our application.

I've noticed a strange issue with rule 960015, the Accept header check. If I access a page, such as index.html, on the site using curl from the command line, then everything works correctly, and I receive a 403 response because curl is not setting the Accept header.

However, if I access the root of the site "/", then I see the correct entry in the error_log (ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS.), but my access log shows a 200 return code, and I receive the page back from the server, despite not setting the request header.

To reiterate, mod_security seems to be working correctly for all pages except the root of the site. Is there something that I'm missing? Why would mod_security still log a 403 error, but not actually block the request?

Thanks,
Dan Scott

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
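The check a practitioner would want to run on the symptom described above is to correlate every "Access denied" line in the error_log with the status Apache actually wrote to the access_log for the same client and URI, so that "logged but not enforced" denials are surfaced automatically rather than noticed by hand. The script below is an added example, not code from the poster or from the CRS project. It assumes the Apache 2.2 default error_log format and the combined access_log format, assumes both logs use server local time (the access_log UTC offset is dropped before comparing), and uses constructed sample lines with hypothetical IPs, file paths, timestamps and unique_ids that mirror the post: the denial for /index.html is enforced, the denial for / is logged but the request is served with 200.

```python
"""Correlate ModSecurity denials in the Apache error_log with the status
Apache actually recorded in the access_log, and report denials that were
logged but not enforced (error_log says 403, access_log says 200)."""
import re
from datetime import datetime, timedelta

# Apache 2.2 error_log line carrying a ModSecurity "Access denied" message.
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'ModSecurity: Access denied with code (?P<code>\d{3}) '
    r'.*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)
# Combined-format access_log line; only client, time, request URI and status are used.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (hypothetical hosts, paths, times and unique_ids)
# mirroring the symptom in the post: /index.html is denied and 403 is served,
# "/" is denied in error_log but 200 is served. The third error_log line is an
# unrelated Apache error that the parser must skip.
SAMPLE_ERROR_LOG = "\n".join([
    '[Tue Mar 12 10:15:01 2013] [error] [client 192.0.2.10] ModSecurity: '
    'Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. '
    '[file "/etc/httpd/crs/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] '
    '[id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] '
    '[hostname "www.example.com"] [uri "/index.html"] [unique_id "constructed-1"]',
    '[Tue Mar 12 10:15:05 2013] [error] [client 192.0.2.10] ModSecurity: '
    'Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. '
    '[file "/etc/httpd/crs/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] '
    '[id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] '
    '[hostname "www.example.com"] [uri "/"] [unique_id "constructed-2"]',
    '[Tue Mar 12 10:15:09 2013] [error] [client 198.51.100.7] '
    'File does not exist: /var/www/html/favicon.ico',
])
SAMPLE_ACCESS_LOG = "\n".join([
    '192.0.2.10 - - [12/Mar/2013:10:15:01 +0000] "GET /index.html HTTP/1.1" 403 212 "-" "curl/7.29.0"',
    '192.0.2.10 - - [12/Mar/2013:10:15:05 +0000] "GET / HTTP/1.1" 200 1532 "-" "curl/7.29.0"',
    '198.51.100.7 - - [12/Mar/2013:10:15:06 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
])


def parse_error_log(text):
    """Return one dict per ModSecurity denial; other error_log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "ip": m.group("ip"), "code": int(m.group("code")),
            "rule": m.group("id"), "uri": m.group("uri"),
        })
    return events


def parse_access_log(text):
    """Return one dict per access_log request with the status Apache served."""
    reqs = []
    for line in text.splitlines():
        m = ACCESS_RE.search(line)
        if not m:
            continue
        local_ts = m.group("ts").split(" ")[0]  # drop the offset; both logs are local time
        reqs.append({
            "ts": datetime.strptime(local_ts, "%d/%b/%Y:%H:%M:%S"),
            "ip": m.group("ip"), "uri": m.group("uri"), "status": int(m.group("status")),
        })
    return reqs


def find_unenforced_denials(error_text, access_text, window=timedelta(seconds=2)):
    """Return denials whose nearest access_log entry (same client, same URI,
    within `window`) was served with a status other than the denial code.
    A denial with no matching access_log entry is reported with status None,
    since it cannot be confirmed either way."""
    requests = parse_access_log(access_text)
    findings = []
    for d in parse_error_log(error_text):
        candidates = [r for r in requests
                      if r["ip"] == d["ip"] and r["uri"] == d["uri"]
                      and abs(r["ts"] - d["ts"]) <= window]
        if not candidates:
            findings.append({**d, "status": None})
            continue
        nearest = min(candidates, key=lambda r: abs(r["ts"] - d["ts"]))
        if nearest["status"] != d["code"]:
            findings.append({**d, "status": nearest["status"]})
    return findings


if __name__ == "__main__":
    for f in find_unenforced_denials(SAMPLE_ERROR_LOG, SAMPLE_ACCESS_LOG):
        print(f"rule {f['rule']} denied {f['ip']} {f['uri']} with {f['code']}, "
              f"but access_log recorded {f['status']}")
```

Run against real logs, point the two parsers at the contents of error_log and access_log instead of the sample strings; a non-empty result means ModSecurity wrote a denial that Apache did not enforce, which is exactly the root-of-site case in the post. Matching on the uri field from the error_log is deliberate: if the denial was recorded against a different URI than the one in the access_log (for example because Apache resolved "/" to a different path before the rule fired), the denial shows up with status None and points at where to look next.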