Owasp-modsecurity-crs: Coordinate workaround to persisting ModSec3 bug with URLENCODE body processor

Created on 2 Oct 2018  路  8Comments  路  Source: SpiderLabs/owasp-modsecurity-crs

We need to cover for https://github.com/SpiderLabs/ModSecurity/issues/1797

Here is the plan as discussed in the community chat on slack last night:

  • ModSec has merged a bugfix, but no release so far. We informed ModSec several months ago and lately contacted Joe Hopp via mail.
  • But no sign of a release before we ship 3.1.
  • We are disappointed by ModSecurity, but we also think shipping 3.1 with a known bug when running in ModSec 3.0 is wrong and will hurt CRS and ModSecurity.

The plan is thus

  • Walter will do a new attempt to convince TW of a release.
  • We plan to introduce a condition that skips the rule in question for 3.0.0 - 3.0.2.
  • We will add a remark to KNOWN_BUGS.

UPDATE (dune73): No longer sure this works. Given it's a parser thing, we might fail to load the config despite the condition.

Most helpful comment

@Cryptophobia well sure but don't forget to thank the ModSec development team who are doing the work :P

All 8 comments

URLENCODE: Need to confirm the bad news. It's the parser at startup time.

ModSec nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /tmp/crs-3.1-RC1/rules/REQUEST-901-INITIALIZATION.conf. Line: 289. Column: 119. Expecting an action, got: ctl:requestBodyProcessor=URLENCODED" in /opt/nginx-1.13.12/conf/nginx.conf:21

I've shot a few e-mails to Joe at Trustwave about how the CRS now breaks on newest ModSec 3. So far TW has not committed to a ModSec 3 release.

Thanks @lifeforms.

You can lead a horse to water, you can't make it drink.

That's sad, it is one big hole in a default install, maybe ModSec 3 is for use in servers where clients are well behaved and always stick to RFC's.

ModSecurity 3.0.3 has been released (much thanks @zimmerle :D ) which should resolve this problem!

Thank you for the work in convincing the ModSecurity team for a new release to fix compatibility with the CRS. Really appreciate your work @lifeforms @dune73

@Cryptophobia well sure but don't forget to thank the ModSec development team who are doing the work :P

You are most welcome @Cryptophobia. The biggest benefactor was probably us not being ready for a release far too long so TW was quicker with their planned release.

Was this page helpful?
0 / 5 - 0 ratings