additional info: it is most likely related to LimitRequestBody; doing the same with mod_security gives the custom 413 error page without leaking the source code, so, without knowing the code, in the case of LimitRequestBody the abort of the request after the error is missing

<IfModule mod_security2.c>
  <Location "/cms.php">
    SecRequestBodyLimit 10
  </Location>
</IfModule>

[Mon Sep 16 14:50:05.710535 2013] [:error] [pid 26658] [client 10.0.0.99] ModSecurity: Request body (Content-Length) is larger than the configured limit (10). Deny with status (413) [hostname "www.test.rh"] [uri "/cms.php"] [unique_id "Ujb@fQoAAGMAAGgiVywAAAAC"]

On 16.09.2013 14:27, Reindl Harald wrote:
> On 16.09.2013 14:14, Eric Covener wrote:
>> Safe to assume it's a defect, and one we would have preferred
>> reported to secur...@apache.org. Does it only happen when you
>> configure a literal string as your errordocument?
>
> it is *not* the custom ErrorDocument
>
> i strongly recommend testing this behavior against any possible
> error condition with auto-tests
>
> in fact each time LimitRequestBody is triggered and results
> in a 413 error in the case of a PHP script "mod_php" is skipped
> and the underlying script source is added after the error
> response - not sure if this also happens with higher values,
> because the 10 was intended to test the setting at all as a
> reaction to the following (German) article and should have
> become 4096 after a successful test
>
> php is configured this way if it matters:
> AddType application/x-httpd-php .php
>
> please let me know if there is a patch available which i
> could add to my RPM-SPEC to test/confirm
>
> http://www.heise.de/newsticker/meldung/Lange-Passwoerter-legen-Djangos-Webapps-lahm-1957899.html
>
> On 16.09.2013 13:56, Reindl Harald wrote:
>> why in the world does Apache add the *source code* of the called PHP
>> script after the specified ErrorDocument? this is a major problem
>> and exactly *not* what should happen by a security option
>> ________________________________________________
>>
>> <Location "/cms.php">
>>  LimitRequestBody 10
>> </Location>
>>
>> ErrorDocument 413 "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01
>> Transitional//EN'
>> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
>> Request Entity Too Large</title><style
>> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
>> font-size:16px;} body {margin:0px;
>> padding:15px;}</style></head><body><h1 style='margin-top:0px;
>> font-size:18px;'>Error 413</h1><p>Request Entity Too
>> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
>> href='mailto:server-adm...@thelounge.net?subject=Server-Error-413'>server-adm...@thelounge.net</a></p></body></html>"
>> ________________________________________________
>>
>> OUTPUT TO THE BROWSER (stripped, yes it adds the complete PHP script)
>>
>> <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
>> 'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
>> Request Entity Too Large</title><style
>> type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none;
>> font-size:16px;} body {margin:0px;
>> padding:15px;}</style></head><body><h1 style='margin-top:0px;
>> font-size:18px;'>Error 413</h1><p>Request Entity Too
>> Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
>> href='mailto:ad...@rhsoft.net?subject=Server-Error-413'>ad...@rhsoft.net</a></p></body></html><?php
>> /**
>> CONTENT MANAGMENT SYSTEM / CONTENTLOUNGE
>> ------------------------------------------------------------------
>> AENDERUNGEN UND WEITERGABE DIESER DATEI OHNE RUECKSPRACHE MIT DEM
>> ENTWICKLER SIND LIZENZRECHTLICH NICHT GESTATTET!
>> ---------------------------------------------------
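The thread recommends auto-tests that exercise every error condition and check that nothing but the configured ErrorDocument reaches the client. The following is an added example of such a regression check; it is not code from the thread, from httpd or from mod_security. It assumes a shortened ErrorDocument string (ERROR_DOC_413), constructed sample responses, and, for the live probe, a test host and path you operate with LimitRequestBody set on that path.

```python
"""
Regression check for the LimitRequestBody / ErrorDocument behaviour
discussed in the thread: after a 413, the response body should consist of
the configured ErrorDocument and nothing else. The sample responses below
are constructed for this example; probe_413() assumes a test server you run.
"""
import http.client
import re

# ErrorDocument 413 as configured on the test server (constructed here,
# shortened from the one quoted in the thread).
ERROR_DOC_413 = (
    "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN' "
    "'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 - "
    "Request Entity Too Large</title></head><body><h1>Error 413</h1>"
    "<p>Request Entity Too Large</p></body></html>"
)

# Markers that must never appear in an error response served for a PHP URL.
SOURCE_MARKERS = re.compile(rb"<\?php|<\?=|<script language=.php", re.IGNORECASE)


def trailing_bytes(body: bytes, error_doc: str) -> bytes:
    """Return whatever follows the configured ErrorDocument in the body.

    A correct 413 response is the ErrorDocument plus at most trailing
    whitespace. If the body does not even start with the ErrorDocument,
    the whole body is returned so the caller can inspect what was served.
    """
    expected = error_doc.encode("utf-8")
    if not body.startswith(expected):
        return body
    return body[len(expected):].strip()


def leaks_source(body: bytes, error_doc: str = ERROR_DOC_413) -> bool:
    """True when script source trails the error page in a 413 response."""
    extra = trailing_bytes(body, error_doc)
    return bool(extra) and SOURCE_MARKERS.search(extra) is not None


def probe_413(host: str, path: str, limit: int, port: int = 80,
              timeout: float = 5.0) -> dict:
    """POST a body one byte over `limit` to host/path and classify the reply.

    Hypothetical usage: probe_413("www.test.rh", "/cms.php", 10).
    Returns the status code and whether source trailed the error document.
    """
    payload = b"x" * (limit + 1)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=payload,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return {"status": resp.status, "leak": leaks_source(body)}


# Constructed sample responses: a clean one, and one shaped like the leak
# quoted in the thread (error page immediately followed by the PHP file).
CLEAN_RESPONSE = ERROR_DOC_413.encode("utf-8") + b"\n"
LEAKY_RESPONSE = (ERROR_DOC_413.encode("utf-8")
                  + b"<?php\n/**\n CONTENT MANAGEMENT SYSTEM\n*/\necho 'x';\n")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(name, "leaks source:", leaks_source(sample))
```

The offline check compares the body against the exact ErrorDocument rather than only grepping for `<?php`, so a response that differs from the configured page in any way is surfaced too; the live probe is the piece to run against each error condition (LimitRequestBody, SecRequestBodyLimit, and so on) before rolling a limit into production.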