Hello, I'm having some issues with some of my requests being blocked based on extension. I do not have .php or .html on my restricted extensions list. Has anyone come across this before?
This happens when I run in detection mode by default and turn on blocking using:

SecRuleUpdateActionById 920440 "deny,ctl:ruleEngine=On"

http://localhost/forms.php (works fine)
http://localhost/forms.php? (blocked by: [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"])
http://localhost/forms.php?id=0 (blocked by: [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"])
http://localhost/forms.html (works fine)
http://localhost/forms.html? (blocked by: [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"])
http://localhost/forms.html?id=0 (blocked by: [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"])

debug logs
-------------
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Recipe: Invoking rule b6536900; [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1031"] [id "920430"] [rev "2"].
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][5] Rule b6536900: SecRule "REQUEST_PROTOCOL" "!@within %{tx.allowed_http_versions}" "phase:request,nolog,auditlog,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920430,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A6,tag:PCI/6.5.10,logdata:%{matched_var},setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Transformation completed in 0 usec.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Executing operator "!within" with param "%{tx.allowed_http_versions}" against REQUEST_PROTOCOL.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Target value: "HTTP/1.1"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{tx.allowed_http_versions} to: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Operator completed in 6 usec.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Rule returned 0.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] No match, not chained -> mode NEXT_RULE.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Recipe: Invoking rule b652be08; [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"].
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][5] Rule b652be08: SecRule "REQUEST_BASENAME" "@rx \\.(.*)$" "phase:request,nolog,auditlog,chain,capture,t:none,t:urlDecodeUni,t:lowercase,msg:'URL file extension is restricted by policy',severity:CRITICAL,rev:2,ver:OWASP_CRS/3.0.0,maturity:9,accuracy:9,id:920440,logdata:%{TX.0},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,setvar:tx.extension=.%{tx.1}/,deny,ctl:ruleEngine=On"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] T (0) urlDecodeUni: "forms.php"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] T (0) lowercase: "forms.php"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Transformation completed in 12 usec.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Executing operator "rx" with param "\\.(.*)$" against REQUEST_BASENAME.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Target value: "forms.php"
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Added regex subexpression to TX.0: .php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Added regex subexpression to TX.1: php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Operator completed in 11 usec.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Setting variable: tx.extension=.%{tx.1}/
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{tx.1} to: php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Set variable "tx.extension" to ".php/".
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Ctl: Set ruleEngine to On.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Rule returned 1.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Match, intercepted -> returning.
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{TX.0} to: .php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][9] Resolved macro %{TX.0} to: .php
[08/May/2017:11:27:18 --0500] [localhost/sid#b6968228][rid#b69c8058][/forms.php][4] Access denied with code 403 (phase 2). Pattern match "\\.(.*)$" at REQUEST_BASENAME. [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".php"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]

audit logs
------------
--54296d51-A--
[08/May/2017:11:28:14 --0500] WRCcnn8AAQEAAAt0ypkAAAAE 127.0.0.1 36183 127.0.0.1 80
--54296d51-B--
GET /forms.html? HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

--54296d51-F--
HTTP/1.1 403 Forbidden
Content-Length: 286
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--54296d51-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".html"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Action: Intercepted (phase 2)
Stopwatch: 1494260894110924 11283 (- - -)
Stopwatch2: 1494260894110924 11283; combined=6030, p1=2122, p2=3429, p3=0, p4=0, p5=479, sr=14, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.4.7 (Ubuntu)
Engine-Mode: "ENABLED"

--54296d51-Z--

audit log when in detection mode (please note this is in case of an extension that is in the list)

--8092f761-A--
[09/May/2017:13:39:38 +0000] WRHGmawSZJUAADb7nuwAAAHN 40.77.167.66 54957 10.176.10.21 4464
--8092f761-B--
GET /activate.com?domainCPC=HCL&legacy=true HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

--8092f761-F--
HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Connection: Keep-Alive
Transfer-Encoding: chunked

--8092f761-H--
Message: String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/modsecurity/modsecurity/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1058"] [id "920440"] [rev "2"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Apache-Handler: proxy-server
Stopwatch: 1494337177995510 28864 (- - -)
Stopwatch2: 1494337177995510 28864; combined=1228, p1=291, p2=865, p3=1, p4=2, p5=69, sr=32, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--8092f761-Z--

Thanks
Subin
Barclaycard
www.barclaycardus.com
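The two-link chain behind rule 920440, as it can be read off the logs in the post (the @rx capture on REQUEST_BASENAME that sets tx.extension, then the @within check of TX:extension against the restricted-extension list), simulated in Python so each request in the thread can be traced link by link. This is an added illustration, not code from the post or from the CRS project; the restricted list is the one printed in the detection-mode audit log, and urllib's unquote stands in for t:urlDecodeUni.

```python
import re
from urllib.parse import unquote, urlsplit

# Restricted-extension list exactly as printed in the detection-mode audit log
# (the CRS 3.0 default value of tx.restricted_extensions).
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ "
    ".com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ "
    ".htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ "
    ".old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ "
    ".vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)

# The @rx operator of the first link of the chain, as shown in the debug log.
EXT_RE = re.compile(r"\.(.*)$")


def request_basename(request_uri: str) -> str:
    """REQUEST_BASENAME: the last path segment of the URI, query string excluded."""
    path = urlsplit(request_uri).path
    return path.rsplit("/", 1)[-1]


def evaluate_920440(request_uri: str, restricted: str = RESTRICTED_EXTENSIONS) -> dict:
    """Simulate both links of CRS 3.0 rule 920440 for one request URI.

    Returns which link matched and the TX variables the first link set, so a
    reader can see where a given request does (and does not) trigger the rule.
    """
    # t:urlDecodeUni,t:lowercase (urllib's unquote approximates urlDecodeUni).
    basename = unquote(request_basename(request_uri)).lower()
    m = EXT_RE.search(basename)
    if not m:
        # No dot in the basename: link 1 fails, the chain never reaches @within.
        return {"rule1": False, "rule2": False, "tx_0": None, "tx_extension": None}
    tx_0, tx_1 = m.group(0), m.group(1)      # capture -> TX.0 / TX.1
    tx_extension = f".{tx_1}/"               # setvar:tx.extension=.%{tx.1}/
    # Link 2: @within is a substring test of the variable against the list;
    # the trailing "/" keeps ".cs/" from matching inside ".csproj/".
    rule2 = tx_extension in restricted
    return {"rule1": True, "rule2": rule2, "tx_0": tx_0, "tx_extension": tx_extension}


if __name__ == "__main__":
    for uri in ("/forms.php?", "/forms.html?id=0", "/activate.com?domainCPC=HCL&legacy=true"):
        print(uri, evaluate_920440(uri))
```

For the URLs in the post only the first link matches (".php/" and ".html/" are not in the list), whereas "/activate.com" matches both, which is what the detection-mode audit log reports; in the blocking-mode debug log the deny fires right after the first link's "Rule returned 1", with no @within evaluation logged before the intercept.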
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set