Dear list! Author: Yann Cézard <ycez...@viareport.com> Number of patches: 1
This is an automated relay of the Github pull request: modescurity spoa (contrib) crash if Host header is absent in HTTP request Patch title(s): If host header is NULL, don't try to strdup it. Link: https://github.com/haproxy/haproxy/pull/86 Edit locally: wget https://github.com/haproxy/haproxy/pull/86.patch && vi 86.patch Apply locally: curl https://github.com/haproxy/haproxy/pull/86.patch | git am - Description: I discovered this bug when running OWASP regression tests against HAProxy + modsecurity-spoa (it's a POC to evaluate how it is working). I found out that modsecurity spoa will crash when the request doesn't have any Host header. ## Output of `haproxy -vv` and `uname -a` All HAProxy version / bug is related to the modsecurity spoa (contrib) and present in all versions. ## What's the configuration? Not linked to any specific configuration, just using the modsecurity spoa makes it vulnerable to this bug. ## Steps to reproduce the behavior 1. Install and configure the modsecurity spoa, configure haproxy to check all its request with modsecuirty (cf. https://github.com/haproxy/haproxy/blob/master/contri b/modsecurity/README which by the way have some erronous information in it, I'll made another pull request later). If you don't want to bother with compiling and such, there is a pretty good Docker image there : https://github.com/jcmoraisjr/modsecurity- spoa/blob/master/rootfs/Dockerfile. You'll stil have to configure HAProxy to use it, as explained in the README file. 2. curl -i -H "Host:" http://your.haproxy.domain ## Actual behavior The modsecurity spoa just crash. That could be annoying, even if it is configured to restart by itself (systemd or docker rule to do so), because during the time it gets up again, haproxy would not check the requests againts modsecurity (this could be mitigated by using an HAProxy rule rejecting all HTTP requests with no Host header). That means someone who wants to attack a site protected using HAProxy + modsecurity-spoa could disable modsecurity checks by doing HTTP requests without host, than all subsequent requests would be treated by HAProxy bypassing all modsecurity checks. ## Expected behavior modsecurity does not crash, and if using the OWASP CRS rules, the request is blocked because it is missing the Host header. ## Do you have any idea what may have caused this? This is because in modsec_wrapper.c, at line 328, strlen(req->hostname) will crash because req->hostname is NULL. ## Do you have an idea how to solve the issue? Checking if req->hostname is NULL before trying to do the chunk_strdup. ``` if (req->hostname != NULL) { req->parsed_uri.hostname = chunk_strdup(req, req->hostname, strlen(req->hostname)); } else { req->parsed_uri.hostname = NULL; } ``` I tried that patch, it works fine, no crash, and the query is then correctly intercepted by the modsecuirty / CRS rules : 1556193994.134313 [00] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/owasp-modsecurity- crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "605"] [id "920280"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language- multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "c3cfbbe6058a"] [uri "http://www.google.com/../../index.html"] [unique_id ""] This patch could be applyed to any versions of HAProxy proposing the modsecurity contrib. Instructions: This github pull request will be closed automatically; patch should be reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is invited to comment, even the patch's author. Please keep the author and list CCed in replies. Please note that in absence of any response this pull request will be lost.