Rule 920440 from OWASP CRS v3.0.0 does not block a request in libmodsecurity #1272

Closed
defanator opened this issue Nov 24, 2016 · 2 comments

@defanator
Contributor

defanator commented Nov 24, 2016

Configuration 1: nginx/1.11.5, libmodsecurity: head of v3/master, modsecurity-nginx: head of master
Configuration 2: apache/2.4.18, ModSecurity 2.9.0

Both configurations have been set up to proxy all requests to the http://nginx.org site, with modsecurity turned on with default configuration, and OWASP CRS v3.0.0 configured in the default "anomaly scoring" mode.

For the same request,

 curl -i http://localhost//keys/nginx_signing.key

ModSecurity 2.9 blocks the request, libmodsecurity does not block.

Debug log excerpts are here:
https://gist.github.com/defanator/cdec2cbe3a7eaf5952246700b96e8c9a

@zimmerle
Contributor

Hi @defanator,

Thank you for your report. A patch for that is running through QA at this very moment; it should be fixed in the upcoming minutes.

@zimmerle
Contributor

As of e6b5801, the rule is working as expected.
