Your message dated Sun, 25 Mar 2018 16:59:37 +0200
with message-id <[email protected]>
and subject line Not a bug
has caused the Debian Bug report #893962,
regarding Modsecurity ignores phase 2 rules in Debian Stretch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
893962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893962
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache2-mod-security2
Version: 2.9.1-2

Modsecurity in stretch seems to ignore rules in phase 2.

I've defined the following test case:

<IfModule security2_module>

SecResponseBodyAccess on

SecRuleEngine On

# Does not work
SecRule ARGS "/proc/(.*/)?self/(.*/)?environ" \
    "phase:2,id:1420001,t:none,log,deny"

# Works
SecRule QUERY_STRING "^-[sdcr].*" \
    "phase:1,id:1420701,t:none,t:urlDecodeUni,t:removeWhitespace,deny,log,msg:'Potential PHP-CGI Exploit Attempt',logdata:%{matched_var}"

SecRuleEngine On

</IfModule>

The rule 1420701 triggers correctly (as shown via
curl "http://192.168.178.70/?-s"
)

However the rule 1420001 doesn't trigger (as shown by
curl "http://192.168.178.70/?a=/proc/self/environ"
)

On an older Linux (Ubuntu 14.04 with modsecurity 2.7.7-2) both rules 
work all right, so this (apparently) isn't a case of ARGS not working 
"by principle" in phase 2.

Unfortunately, popular open rule collections such as CRS use phase 2 a
lot (... and for instance RFI is not triggered by curl
"http://192.168.178.70/?a=http://www.somewhere.com" when CRS is
installed, but it is triggered correctly with CRS on the older Ubuntu)

So just changing phase 2 into phase 1 is not an option, as this would
require changing half of CRS, and risking breaking something else.

Any ideas how to fix this?

Thanks,

Alain

--- End Message ---
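To make the reporter's two test cases reproducible without a web server, here is a small Python model of how ModSecurity evaluates these rules: it folds the backslash continuations, pulls id, phase, transformations and the deny action out of each SecRule, builds the QUERY_STRING and ARGS collections from a request URL, and runs the rules phase by phase. This is an added example, not code from the bug report or from ModSecurity; the rule text is a constructed copy of the two rules above, the 403 status is ModSecurity's default deny status, and only the two transformations the rules use are modelled (urlDecodeUni is approximated with percent-decoding). The phase inventory function addresses the later point that rule sets such as CRS rely heavily on phase 2: run it over a real rule file to see how many rules would be affected.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed copy of the two rules from the report, written with backslash
# continuations so that Apache reads each SecRule as a single directive.
SAMPLE_CONFIG = r'''
SecRule ARGS "/proc/(.*/)?self/(.*/)?environ" \
    "phase:2,id:1420001,t:none,log,deny"

SecRule QUERY_STRING "^-[sdcr].*" \
    "phase:1,id:1420701,t:none,t:urlDecodeUni,t:removeWhitespace,deny,log,msg:'Potential PHP-CGI Exploit Attempt',logdata:%{matched_var}"
'''


def _split_actions(actions):
    """Split an action list on commas that are not inside single quotes."""
    out, cur, quoted = [], "", False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        out.append(cur.strip())
    return out


def parse_rules(config_text):
    """Extract id, phase, variable, pattern, transformations and deny flag
    from every SecRule directive in config_text."""
    joined = re.sub(r"\\\n\s*", " ", config_text)  # fold line continuations
    rules = []
    for line in joined.splitlines():
        m = re.match(r'\s*SecRule\s+(\S+)\s+"([^"]*)"\s+"(.*)"\s*$', line)
        if not m:
            continue
        variable, pattern, actions = m.groups()
        # ModSecurity runs a SecRule in phase 2 when no phase is given.
        rule = {"id": None, "phase": 2, "variable": variable,
                "pattern": pattern, "transforms": [], "deny": False}
        for act in _split_actions(actions):
            if act.startswith("id:"):
                rule["id"] = int(act[3:])
            elif act.startswith("phase:"):
                rule["phase"] = int(act[6:])
            elif act == "t:none":
                rule["transforms"] = []      # t:none resets the pipeline
            elif act.startswith("t:"):
                rule["transforms"].append(act[2:])
            elif act == "deny":
                rule["deny"] = True
        rules.append(rule)
    return rules


def apply_transforms(value, transforms):
    """Apply the transformations the sample rules use, in order."""
    for t in transforms:
        if t == "urlDecodeUni":
            value = unquote(value)           # simplification: %uXXXX not handled
        elif t == "removeWhitespace":
            value = re.sub(r"\s+", "", value)
        else:
            raise ValueError("transformation not modelled: " + t)
    return value


def collect_variables(url):
    """Build the two collections the sample rules inspect.

    QUERY_STRING is the raw query; ARGS holds the URL-decoded *values* of the
    query parameters (parameter names live in ARGS_NAMES, not in ARGS)."""
    query = urlsplit(url).query
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    return {"QUERY_STRING": [query], "ARGS": values}


def evaluate(url, rules):
    """Run the rules phase by phase; return (403, rule id) for the first
    denying match, or (200, None) when no rule denies the request."""
    variables = collect_variables(url)
    for phase in sorted({r["phase"] for r in rules}):
        for rule in (r for r in rules if r["phase"] == phase):
            for raw in variables.get(rule["variable"], []):
                target = apply_transforms(raw, rule["transforms"])
                if rule["deny"] and re.search(rule["pattern"], target):
                    return 403, rule["id"]
    return 200, None


def phase_inventory(rules):
    """Count rules per phase, to gauge how much of a rule set depends on phase 2."""
    counts = {}
    for r in rules:
        counts[r["phase"]] = counts.get(r["phase"], 0) + 1
    return counts


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    print("rules per phase:", phase_inventory(rules))
    for url in ("http://192.168.178.70/?-s",
                "http://192.168.178.70/?a=/proc/self/environ",
                "http://192.168.178.70/?a=hello"):
        print(url, "->", evaluate(url, rules))
```

The model reproduces what the reporter expects from a working installation: the phase 1 rule fires on `?-s`, the phase 2 rule fires on `?a=/proc/self/environ`, and an ordinary request passes. Comparing its output with the status codes a real curl run returns against the stretch host isolates whether the rules themselves are wrong (the model would also miss) or the engine is skipping the phase (only the live host misses).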
--- Begin Message ---
Closing.

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: [email protected] | on GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

--- End Message ---