ModSecurity 2.8.0 + Apache 2.4 - Phase 3,4 missing with internal redirects

Created on 18 Jan 2018 · 6 Comments · Source: SpiderLabs/ModSecurity

Hi There!

I don't know whether it is intentional or a bug, but if the request path and the response path (internal redirect) don't match, phases 3 and 4 are missing from the process. That means the inspection of the response body is not possible.
I'd like to know: is this something that is not possible in this version?

Thanks.

2.x Platform - Apache RIP - Type - Usage

All 6 comments

Hi Again,

I'm still wondering whether it is possible to check the response body while using pretty URLs or mod_rewrite.

Thanks for any help.

Hi @ITILMaster,

We are going to need further details on your environment and rules.

I seem to be having a similar issue, I posted to the mailing list:

https://sourceforge.net/p/mod-security/mailman/message/36453758/

Is this also not supported in 2.7.7?

Unfortunately, moving to a newer version isn't possible at the moment, and the highest we'd get to is stock Ubuntu 16.04 LTS (Apache 2.4.18, ModSecurity 2.9.0), due to limitations in our vendor application stack.

Hi @ITILMaster / @adaminato42 ,

According to #185, internal redirects should be working on the current codebase. The supported versions of ModSecurity as of today are 2.9.2 and 3.0.3.

I would suggest first testing the issue with a more current version (i.e. 2.9.2 or cloning from master). If the issue persists on the latest version, let us know and we can reopen the issue and investigate further.

Thanks!

It seems that it doesn't work even on the 2.9.3. These are my current environment versions:
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/).
Server: Apache/2.4.37 (Amazon) OpenSSL/1.0.2k-fips PHP/5.6.39

I'm interested in logging phase (audit) of response body.

If you request a URL like domain.org/index.php, the final lines of modsec_debug.log are similar to:

```
[rid#5629af784a50][/index.php][4] Initialising logging.
[rid#5629af784a50][/index.php][4] Starting phase LOGGING.
[rid#5629af784a50][/index.php][9] This phase consists of 0 rule(s).
[rid#5629af784a50][/index.php][4] Recording persistent data took 0 microseconds.
[rid#5629af784a50][/index.php][4] Audit log: Logging this transaction.
```

and modsec_audit.log is:

```
[...]
--2734e970-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.39
Content-Length: 46
Content-Type: text/html; charset=UTF-8

--2734e970-E--
<html><body><p>Hello world!</p></body></html>

--2734e970-H--
Apache-Handler: application/x-httpd-php
[...]
```

Let's say you have a typical rewrite rule like
`RewriteRule .* index.php [L]`
(as in Magento, Wordpress, etc.)
and now request a URL like domain.org/default;
the final lines of modsec_debug.log are almost the same:

```
[/default][4] Initialising logging.
[rid#5629af832478][/index.php][4] Starting phase LOGGING.
[rid#5629af832478][/index.php][9] This phase consists of 0 rule(s).
[rid#5629af832478][/index.php][4] Recording persistent data took 0 microseconds.
[rid#5629af832478][/index.php][4] Audit log: Logging this transaction.
```

but modsec_audit.log becomes:

```
[...]
--2fd8573f-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.39
Content-Length: 46
Content-Type: text/html; charset=UTF-8

--2fd8573f-H--
Apache-Handler: application/x-httpd-php
[...]
```
where section -E-- has totally disappeared.

Is there any way to log the response body in this case?
Is the behavior in version 3 the same?

@vitolo78 You might be hitting a limitation within ModSecurityV2 due to the internal redirect. See #1294.

You can try instead to pull the rewrite block out of the Directory context (note the extra beginning slash required) as suggested at https://github.com/SpiderLabs/ModSecurity/issues/184#issuecomment-26541668.
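
A check for the symptom reported in this thread, as an added example that is not part of the thread or of ModSecurity: it scans a serial-format modsec_audit.log and lists transactions whose response headers (part F) announce a body but which have no part E. The function names and the sample log are constructed here, and the check assumes part E is enabled in `SecAuditLogParts` and `SecResponseBodyAccess` is on.

```python
import re
# Section boundary of the serial audit log format: --<transaction id>-<part letter>--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--\s*$")

def parse_sections(text):
    """Return {txid: {part_letter: [lines]}} for each transaction in the log."""
    txs, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = txs.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return txs

def content_length(header_lines):
    """Content-Length from part F, or None if absent (e.g. chunked responses)."""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length" and value.strip().isdigit():
            return int(value.strip())
    return None

def missing_response_bodies(text):
    """Ids of transactions that sent a non-empty response but have no part E."""
    flagged = []
    for txid, parts in parse_sections(text).items():
        length = content_length(parts.get("F", []))
        has_body = any(l.strip() for l in parts.get("E", []))
        if length and not has_body:
            flagged.append(txid)
    return flagged

# Constructed sample: the two audit log excerpts quoted in the thread, joined.
SAMPLE = """\
--2734e970-F--
HTTP/1.1 200 OK
Content-Length: 46

--2734e970-E--
<html><body><p>Hello world!</p></body></html>
--2fd8573f-F--
HTTP/1.1 200 OK
Content-Length: 46
--2fd8573f-H--
"""

if __name__ == "__main__":
    print(missing_response_bodies(SAMPLE))
```

Responses without a Content-Length header are not flagged, so a clean result on chunked traffic does not prove that part E is being recorded.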
