Incorrect blocking (false positive)
Mod Security with OWASP's rule set is blocking any page containing <b>WARNING</b>: (case insensitive, colon required). It cites the "RESPONSE-953-DATA-LEAKAGES.conf" file but I can find no reference to it in there.
[07/Sep/2018:11:07:26 +0100] 153631484620.247675 <REMOVED> 65000 <REMOVED> 443
---jDNIYUfC---B--
GET /modsectest/page1c.php HTTP/1.1
Host: <REMOVED>.co.uk
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,en-GB;q=0.8
---jDNIYUfC---D--
---jDNIYUfC---E--
<b>WARNING</b>:\x0d\x0a
---jDNIYUfC---F--
HTTP/1.1 200
Server: nginx/1.15.3
Date: Fri, 07 Sep 2018 10:07:26 GMT
Content-Length: 17
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
---jDNIYUfC---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `php-errors.data' against variable `RESPONSE_BODY' (Value: `<b>WARNING</b>:\x0d\x0a' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "17"] [id "953100"] [rev "3"] [msg "PHP Information Leakage"] [data "Matched Data: <b>Warning</b>: found within RESPONSE_BODY: <b>WARNING</b>:\x0d\x0a"] [severity "3"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "OWASP_CRS/LEAKAGE/ERRORS_PHP"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref "o0,15v443,17"]
ModSecurity: Access denied with code 200 (phase 4). Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "165"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/RESPONSE-980-CORRELATION.conf"] [line "67"] [id "980140"] [rev ""] [msg "Outbound Anomaly Score Exceeded (score 4): PHP Information Leakage"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "192.168.1.254"] [uri "/modsectest/page1c.php"] [unique_id "153631484620.247675"] [ref ""]
---jDNIYUfC---I--
---jDNIYUfC---J--
---jDNIYUfC---Z--
[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.
If I have to guess this is a pretty general anti SQL iinfo leak rule that we'll have to make less general
It could be a good idea to remove <b>Warning</b>: from php-errors.data and replace it with a more strict SecRule? Something like <b>Warning</b>:.+in<b>.+\.php</b>.+on\sline\s<b>[0-9]+</b> ?
@theMiddleBlue I like that idea! I think the on line N piece is always part of the warning (it can also be on line 0), but the middle part might not always contain .php so I'd suggest something like <b>Warning</b>:.+on\sline\s<b>[0-9]+</b>
yep! seems legit. Should we handle others type of errors different than Warning? something like notice, fatal, etc... ? I'm looking for a complete documentation about it, maybe this http://php.net/manual/en/errorfunc.constants.php ?
I think @pmf will use that as literal string not as regex so we will need to remove <b>Warning</b>: from the data file and add a rule with the rx you suggest to make this work and get rid of the false positive.
Yes, unfortunately so.
a little test:
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
$a = ($b-1); // notice
preg_match(false); // warning
nonexistent(); // error
this display the following errors:
<b>Notice</b>: Undefined variable: b in <b>/phperrors/index.php</b> on line <b>5</b><br />
<br />
<b>Warning</b>: preg_match() expects at least 2 parameters, 1 given in <b>/phperrors/index.php</b> on line <b>6</b><br />
<br />
<b>Fatal error</b>: Uncaught Error: Call to undefined function nonexistent() in /phperrors/index.php:7
it seems that on line is not present on "Fatal error". What do you think about something like this?
<b>(?:Notice|Warning|Fatal\serror)</b>:\s.+(?:in\s<b>.+on\sline\s<b>[0-9]+</b>|\sin\s.+:[0-9]+)
uhm... removing <b>Warning</b>: from php-errors.data it seems that all example errors I wrote are already intercepted by 953100...
can anyone suggest others examples? maybe we don't need a new SecRule :)
fixed with #1343
Most helpful comment
@theMiddleBlue I like that idea! I think the
on line Npiece is always part of the warning (it can also beon line 0), but the middle part might not always contain.phpso I'd suggest something like<b>Warning</b>:.+on\sline\s<b>[0-9]+</b>