coreruleset: Useful information in error.log is overwritten by request data

Description

The debug information provided by Apache error.log is useless and can’t be used to fix False Positives. All the required information in the error stanza is overwritten by data from a file being uploaded.

How to reproduce the misbehavior (-> curl call)

By trying to upload a yaml file using NextCloud Desktop App to a NextCloud server.

Logs

Apache error.log: (posted as a screenshot; image not available)

modsec_audit.log: (posted as a screenshot; image not available)

Your Environment

  • CRS version (e.g., v3.3.4): 4.0.0-rc1
  • Paranoia level setting (e.g. PL1) : PL 2
  • ModSecurity version (e.g., 2.9.6): 2.9.6
  • Web Server and version or cloud provider / CDN (e.g., Apache httpd 2.4.54): Apache/2.4.52 (Ubuntu)
  • Operating System and version: Ubuntu 22.04 Server

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted. This is my personal server and I accept the risk from such public exposure through log information.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 16 (16 by maintainers)

Most upvoted comments

I think I found a possible reason why you do not see the other parts, and why the variable name overwrites the other parts of the log.

This is the code part that produces the log:

        /* only the pattern is bounded by "%.252s"; var->name is printed whole with "%s" */
        if (strlen(pattern) > 252) {
            *error_msg = apr_psprintf(msr->mp, "Pattern match \"%.252s ...\" at %s.",
                    pattern, var->name);
        } ...

As it seems, only the pattern is truncated, but var->name is not.

Based on your log entry (I mean this part: Pattern match "(?:'(?:(?:...)?)')" at ARGS_NAMES:name: sea...) your WAF uses the URLENCODED body processor, because the entry shows there is an argument with name name: sea.... In my case the body processor is empty, see rule 901340's output in debug.log:

Executing operator "!rx" with param "(?:URLENCODED|MULTIPART|XML|JSON)" against REQBODY_PROCESSOR.
Target value: ""

And because the variable name is the whole content, which is not truncated, the rest will be hidden.

Could you turn on your debug.log and check the output of rule 901340?

Furthermore, could you show me the relevant part of your modsecurity.conf and crs-setup.conf?

Also, it would be fine to see the verbose output of the curl command (curl -v), especially to see the headers.

A possible workaround (to make an exclusion): based on your line the triggered rule is one of these ones:

With this information, you can try to make an exclusion.
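To make the truncation asymmetry in the quoted snippet concrete, here is an added example in C (not ModSecurity or CRS code). It reproduces the message format with plain snprintf instead of apr_psprintf, builds a constructed ARGS_NAMES entry of the kind the URLENCODED body processor produces when file content is parsed as a parameter name, and compares the result with an assumed hardened variant that bounds the variable name too. PATTERN_MAX (252) comes from the snippet; NAME_MAX, the function names and the sample data are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits: PATTERN_MAX is the 252 from the quoted ModSecurity snippet;
 * NAME_MAX is an assumed limit used only by the hardened variant below. */
#define PATTERN_MAX 252
#define NAME_MAX 128

/* Mirrors the quoted code: the pattern is cut at 252 bytes by "%.252s",
 * but the variable name goes in whole with "%s". Plain snprintf stands in
 * for apr_psprintf; the caller frees the result. */
char *format_as_quoted(const char *pattern, const char *var_name)
{
    const char *fmt = "Pattern match \"%.252s ...\" at %s.";
    int n = snprintf(NULL, 0, fmt, pattern, var_name);
    if (n < 0) return NULL;
    char *buf = malloc((size_t)n + 1);
    if (!buf) return NULL;
    snprintf(buf, (size_t)n + 1, fmt, pattern, var_name);
    return buf;
}

/* Hardened variant (an assumption, not ModSecurity or CRS code): bound the
 * variable name as well and mark the cut with " ..." so the reader knows
 * the name continued. A multi-kilobyte argument name then cannot crowd the
 * rest of the error.log entry out of view. */
char *format_bounded(const char *pattern, const char *var_name)
{
    const char *fmt = "Pattern match \"%.252s ...\" at %.*s%s.";
    const char *cut = strlen(var_name) > NAME_MAX ? " ..." : "";
    int n = snprintf(NULL, 0, fmt, pattern, NAME_MAX, var_name, cut);
    if (n < 0) return NULL;
    char *buf = malloc((size_t)n + 1);
    if (!buf) return NULL;
    snprintf(buf, (size_t)n + 1, fmt, pattern, NAME_MAX, var_name, cut);
    return buf;
}

/* Constructed sample: what the URLENCODED body processor hands the rule
 * engine when a text file is posted without a matching body processor.
 * Everything up to the first '=' becomes one huge ARGS_NAMES entry, so the
 * "name" is the file content itself. total_len must be at least the
 * prefix length; the rest is filled with a repeating YAML-like fragment. */
char *make_long_arg_name(size_t total_len)
{
    static const char prefix[] = "ARGS_NAMES:";
    static const char filler[] = "name: sea\n";
    size_t plen = strlen(prefix), flen = strlen(filler);
    if (total_len < plen) return NULL;
    char *s = malloc(total_len + 1);
    if (!s) return NULL;
    memcpy(s, prefix, plen);
    for (size_t i = plen; i < total_len; i++)
        s[i] = filler[(i - plen) % flen];
    s[total_len] = '\0';
    return s;
}

/* Length of the log line a formatter produces for a given name size,
 * so the two variants can be compared without printing anything. */
size_t line_len(char *(*fmt)(const char *, const char *),
                const char *pattern, size_t name_len)
{
    char *name = make_long_arg_name(name_len);
    if (!name) return 0;
    char *line = fmt(pattern, name);
    size_t len = line ? strlen(line) : 0;
    free(line);
    free(name);
    return len;
}

int main(void)
{
    const char *pattern = "(?:'(?:(?:...)?)')";
    printf("quoted format, 5000-byte name:  %zu bytes\n",
           line_len(format_as_quoted, pattern, 5000));
    printf("bounded format, 5000-byte name: %zu bytes\n",
           line_len(format_bounded, pattern, 5000));
    return 0;
}
```

The fixed text of the message is 25 bytes, so with the quoted format a 5000-byte argument name yields a log line of 25 + 18 + 5000 bytes for this pattern, which is why everything after "at ARGS_NAMES:" looks overwritten in error.log; the bounded variant keeps the same line at 175 bytes. The same effect is what makes checking rule 901340's output in debug.log worthwhile: if REQBODY_PROCESSOR is URLENCODED for an uploaded file, the whole file becomes the argument name.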