
Rails 2.1.0: mod_security reports a Response Splitting Attack #577

Closed
lighthouse-import opened this Issue · 6 comments


@lighthouse-import

Imported from Lighthouse. Original ticket at: http://rails.lighthouseapp.com/projects/8994/tickets/690
Created by Christian Nolte - 2011-02-19 09:28:23 UTC

I use the apache proxy to forward traffic to mongrel. The apache has
mod_security enabled and since I made an update to Rails 2.1.0
mod_security blocks access with the following message:

[24/Jul/2008:16:13:36 +0200] [myhost/sid#988eef8][rid#a29a550][/myapp/][1] Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"]

I don't know what exactly is causing this. I am using
restful_authentication.


@lighthouse-import

Imported from Lighthouse.
Comment by Daniel Tsadok - 2008-10-06 22:56:39 UTC

I have the exact same issue - it seems to be related to the way Rails handles its cookies, particularly CRLFs: http://en.wikipedia.org/wiki/HTTP_response_splitting

So could this be a security issue in Rails? The Wikipedia page suggests URL-encoding the cookies...

(I'm not a security expert - I just want to get my app to work with mod_security. What I wrote above is simply what I've gathered from a bit of research)

@lighthouse-import

Imported from Lighthouse.
Comment by Ryan Stenhouse - 2008-10-29 13:42:20 UTC

This issue is still present. For the time being, switching to using the Active Record session store is a viable workaround - however something as serious as this does need to be addressed.

Specific issue:

Message: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"]

While the CRs and LFs in the response body are being properly URI-Encoded (%0A), it is still enough to trigger the alert from mod_security. I for one am certainly not going to turn off part of mod_security's protection for my application although I'm sure mod_security could be tweaked to be more lenient for the requests being sent from Apache to Mongrel.

One solution would be to cease using the Cookie Session Store as the default and revert back to the old database driven approach, especially since this is a security issue (albeit a minor one).
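A small Ruby illustration, added here and not taken from the thread or from Rails itself, of why a cookie value can be fully URL-encoded and still match rule 950910, and of a stripped form that does not. It assumes the older `Base64.encode64` line-wrapping behaviour (a newline every 60 output characters plus a trailing one), a made-up session hash, and that the rule is matched case-insensitively after mod_security's lowercasing transformation.

```ruby
require 'base64'
require 'cgi'

# Rule 950910, as quoted in this thread, matches the literal text "%0[ad]"
# against REQUEST_HEADERS:Cookie: a URL-encoded LF (%0a) or CR (%0d).
# Case-insensitive here, assuming the rule's lowercase transformation.
MODSEC_950910 = /%0[ad]/i

# Constructed session payload; a cookie store marshals a session hash like this.
def session_payload
  Marshal.dump({ 'user_id' => 42, 'flash' => {}, 'return_to' => '/myapp/account' })
end

# Base64.encode64 wraps its output with "\n" every 60 characters and always
# appends a trailing "\n", so the value contains newlines before escaping.
# CGI.escape then turns each "\n" into "%0A": properly encoded, still a hit.
def cookie_value_with_newlines(payload)
  CGI.escape(Base64.encode64(payload))
end

# Hardened form: use the non-wrapping encoder so no line breaks reach the
# cookie at all (assumption: this is the kind of fix a later release would apply).
def cookie_value_stripped(payload)
  CGI.escape(Base64.strict_encode64(payload))
end

# Defender-side check: would this Cookie header trip rule 950910?
def trips_response_splitting_rule?(cookie_header)
  !!(cookie_header =~ MODSEC_950910)
end

def cookie_header(value)
  "_myapp_session=#{value}"
end

# Round-trip to show the stripped form still decodes to the same session.
def decode_cookie_value(value)
  Marshal.load(Base64.strict_decode64(CGI.unescape(value)))
end

if __FILE__ == $0
  payload = session_payload
  puts trips_response_splitting_rule?(cookie_header(cookie_value_with_newlines(payload))) # true
  puts trips_response_splitting_rule?(cookie_header(cookie_value_stripped(payload)))      # false
end
```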

@lighthouse-import

Imported from Lighthouse.
Comment by Pratik - 2009-03-13 11:00:24 UTC

Any idea koz ?

@lighthouse-import

Imported from Lighthouse.
Comment by Ryan Bigg - 2010-04-12 07:55:23 UTC

Koz, any idea?

@lighthouse-import

Imported from Lighthouse.
Comment by Jeremy Kemper - 2010-05-04 17:48:33 UTC

[bulk edit]

@lighthouse-import

Imported from Lighthouse.
Comment by Ryan Bigg - 2010-11-08 01:53:27 UTC

Automatic cleanup of spam.
