Hi Christian and Chaim, other CRS users,
here is my previous e-mail with an issue (with more issues exactly, but this one whis is interesting now) On Thu, Jun 01, 2017 at 08:49:03AM +0200, Christian Folini wrote: > > On Wed, May 31, 2017 at 08:32:03AM +0200, Ervin Hegedüs wrote: > > And there is an another issue with 3.0.2 (but may be that affects > > another versions too). > > > > The request is similar that I detailed in my first post. The > > "extraParams" value (JSON field) is this: ... and you sent me your test: > I was kind of expecting problems with 920270, but probably not as > deep rooted ones as this. But first, I need to be able to reproduce > this, and I can't. > > Here is my curl call taking up your example: > > curl 'localhost/index.html' -d > 'extraParams=%7B%22node%22%3A%223%22%2C%22text%22%3A%22v%C3%A9gs%C5%91%20fejezet%22' > --trace-ascii - > == Info: Trying 127.0.0.1... > == Info: Connected to localhost (127.0.0.1) port 80 (#0) > => Send header, 153 bytes (0x99) ... now the situation is totally same like above, but the server is another, and the web application is an up-to-date RoundCube webmail. The issue is when I'ld like to compose a new mail and I'm using special hungarian characters, Modsecurity denies the request. Here is the curl test: curl "https://roundcube.mydomain.hu/"; -d "_token=0uuYa9sHayQF7AU6s5Kb4XtJeKt6PZak&_task=mail&_action=send&_id=1466771890595f68c41f875&_attachments=&_from=5&_to=airween%40gmail.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=Pr%C3%B3ba+0707+1256&editorSelector=plain&_priority=0&_store_target=Sent&_draft_saveid=&_draft=&_is_html=0&_framed=1&_message=Pr%C3%B3ba+%C3%BCzenet." --trace-ascii - == Info: Hostname was NOT found in DNS cache == Info: Trying 1.2.3.4... == Info: Connected to roundcube.mydomain.hu (1.2.3.4) port 443 (#0) == Info: successfully set certificate verify locations: == Info: CAfile: none CApath: /etc/ssl/certs == Info: SSLv3, TLS handshake, Client hello (1): => Send SSL data, 512 bytes (0x200) 0000: ........rJK..M`4Qg9.)..........r7.....v.0.,.(.$.........k.j.9. ... == Info: SSL certificate verify ok. => Send header, 159 bytes (0x9f) 0000: POST / HTTP/1.1 0011: User-Agent: curl/7.38.0 002a: Host: roundcube.mydomain.hu 004a: Accept: */* 0057: Content-Length: 330 006c: Content-Type: application/x-www-form-urlencoded 009d: => Send data, 330 bytes (0x14a) 0000: _token=0uuYa9sHayQF7AU6s5Kb4XtJeKt6PZak&_task=mail&_action=send& 0040: _id=1466771890595f68c41f875&_attachments=&_from=5&_to=airween%40 0080: gmail.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=Pr%C3%B3ba+ 00c0: 0707+1256&editorSelector=plain&_priority=0&_store_target=Sent&_d 0100: raft_saveid=&_draft=&_is_html=0&_framed=1&_message=Pr%C3%B3ba+%C 0140: 3%BCzenet. == Info: upload completely sent off: 330 out of 330 bytes <= Recv header, 24 bytes (0x18) 0000: HTTP/1.1 403 Forbidden == Info: Server nginx/1.6.2 is not blacklisted <= Recv header, 21 bytes (0x15) 0000: Server: nginx/1.6.2 <= Recv header, 37 bytes (0x25) 0000: Date: Fri, 07 Jul 2017 11:57:13 GMT <= Recv header, 25 bytes (0x19) 0000: Content-Type: text/html <= Recv header, 21 bytes (0x15) 0000: Content-Length: 168 <= Recv header, 24 bytes (0x18) 0000: Connection: keep-alive <= Recv header, 2 bytes (0x2) 0000: <= Recv data, 168 bytes (0xa8) 0000: <html> 0008: <head><title>403 Forbidden</title></head> 0033: <body bgcolor="white"> 004b: <center><h1>403 Forbidden</h1></center> 0074: <hr><center>nginx/1.6.2</center> 0096: </body> 009f: </html> The audit log contains these lines for that request? ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter `1-255' against variable `ARGS:_message' (Value: `Pr\xffffffc3\xffffffb3ba \xffffffc3\xffffffbczenet.' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] [id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref "o2,1o3,1v333,16t:urlDecodeUnio2,1o3,1o7,1o8,1v459,15t:urlDecodeUni"] ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""] ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Invalid character in request (null character)'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""] Note, that when I put the special characters to subject of mail, and the body contains only ascii chars, the rule doesn't triggered: _token=0uuYa9sHayQF7AU6s5Kb4XtJeKt6PZak&_task=mail&_action=send&_id=1061864000595f7c3bc5c2e&_attachments =&_from=5&_to=airween%40gmail.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=Pr%C3%B3ba+mail+0707+1419 &editorSelector=plain&_priority=0&_store_target=Sent&_draft_saveid=&_draft=&_is_html=0&_framed=1&_message=Teszt+uzenet. but the audit log contains a line: ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter `1-255' against variable `ARGS:_subject' (Value: `Pr\xffffffc3\xffffffb3ba mail 0707 1419' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] [id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref "o2,1o3,1v857,21t:urlDecodeUni"] What em I missing? Thanks, a. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
