It looks to me that rule 920350, "Host header is a numeric IP address" (REQUEST-20-PROTOCOL-ENFORCEMENT.conf), will cause a redirect loop when combined with the default "modsecurity_crs_10_setup.conf" action.
SecDefaultAction "phase:1,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
SecDefaultAction "phase:2,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"

request_headers.host will always be the IP address, and the rule therefore will keep firing.

1. Is this the intended action even for this rule?
2. Is there a way to override the action for this (or any specific) rule?

It seems like this could really hammer a site unintentionally, especially if you have a browser that isn't catching the redirect or some other script?

-David Angel
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
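One way to break the loop for this single rule, as an added example that is not from the post or from the CRS project: keep the site-wide redirect action but override the disruptive action of rule 920350 with SecRuleUpdateActionById. The file name below is an assumption; what matters is that Apache reads it after the CRS rule files, because the directive can only update a rule that has already been loaded.

```apache
# Added example (not from the post or CRS). Assumed location:
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, or any file included
# after REQUEST-20-PROTOCOL-ENFORCEMENT.conf.

# The setup from the post: every blocked request is sent to the Host header.
# For rule 920350 the Host IS the numeric IP, so the redirect target hits the
# same rule again and the client is bounced in a loop.
SecDefaultAction "phase:1,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
SecDefaultAction "phase:2,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"

# Replace only this rule's disruptive action: answer 403 instead of
# redirecting. The rule id and phase cannot be changed this way, and the
# directive must appear after the rule has been defined.
SecRuleUpdateActionById 920350 "deny,status:403"
```

After a config reload, a request carrying a numeric IP in its Host header should receive a single 403 rather than a chain of 302s, while every other CRS rule keeps the redirect action.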
