- Bug
- Resolution: Done-Errata
- rhel-9.3.0
- mod_security_crs-3.3.4-2.el9
- Yes
- Regression
- rhel-stacks-web-servers
- ssg_core_services
- 23
- Pass
- Automated
- x86_64
- Linux
Description of problem:
A form value, "会社" ("company" in Japanese), is blocked by REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs-3.3.0-2.el8.
Version-Release number of selected component (if applicable):
mod_security_crs-3.3.0-2.el8
How reproducible:
Always
Steps to Reproduce:
1. Install mod_security_crs-3.3.0-2.el8 and add "SecStatusEngine On" in /etc/httpd/conf.d/mod_security.conf
~~~ /etc/httpd/conf.d/mod_security.conf
<IfModule mod_security2.c>
SecStatusEngine On
...
~~~
2. Make test form html.
~~~
cat << 'EOF' > /var/www/html/test-form.html
<form method="POST" action="test.html">
<input type="text" name="testdata">
<button>ok</button>
</form>
EOF
echo test > /var/www/html/test.html
~~~
3. Access http://webserver/test-form.html, enter "会社" in the text field, and press the ok button.
Sample logs:
~~~ /var/log/httpd/error_log
[Thu Jan 13 12:54:56.664005 2022] [:error] [pid 10330:tid 139985315387136] [client 192.168.122.1:45458] [client 192.168.122.1] ModSecurity: Warning. Pattern match "\\\\xbc[^\\\\xbe>]*[\\\\xbe>]|<[^\\\\xbe]*\\\\xbe" at ARGS:testdata. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "546"] [id "941310"] [msg "US-ASCII Malformed Encoding XSS Filter - Attack Detected"] [data "Matched Data: \\xbc\\x9a\\xe7\\xa4\\xbe found within ARGS:testdata: \\xe4\\xbc\\x9a\\xe7\\xa4\\xbe"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-tomcat"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "85t1"] [uri "/test.html"] [unique_id "Yd@ikMVXTbaKteJCFrOwugAAAA8"], referer: http://85t1/test-form.html
[Thu Jan 13 12:54:56.664563 2022] [:error] [pid 10330:tid 139985315387136] [client 192.168.122.1:45458] [client 192.168.122.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "85t1"] [uri "/test.html"] [unique_id "Yd@ikMVXTbaKteJCFrOwugAAAA8"], referer: http://85t1/test-form.html
[Thu Jan 13 12:54:56.664852 2022] [:error] [pid 10330:tid 139985315387136] [client 192.168.122.1:45458] [client 192.168.122.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"] [hostname "85t1"] [uri "/test.html"] [unique_id "Yd@ikMVXTbaKteJCFrOwugAAAA8"], referer: http://85t1/test-form.html
~~~ /var/log/httpd/access_log
192.168.122.1 - - [13/Jan/2022:12:54:56 +0900] "POST /test.html HTTP/1.1" 403 199 "http://85t1/test-form.html" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
~~~
Actual results:
The form value "会社" is blocked by REQUEST-941-APPLICATION-ATTACK-XSS.conf.
Expected results:
The form value "会社" isn't blocked by REQUEST-941-APPLICATION-ATTACK-XSS.conf.
Additional info:
~~~
$ echo -e '\xe4\xbc\x9a\xe7\xa4\xbe'
会社
~~~
The Japanese word "会社" (kanji, i.e. Chinese characters) means "company" and is in very common use.
~~~ mod_security_crs-3.3.0-2.el8:
$ cat -n /etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
527 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe" \
528 "id:941310,\
...
~~~
mod_security_crs-3.0.0-5.el8 didn't block it:
~~~ mod_security_crs-3.0.0-5.el8:
$ cat -n /etc/httpd/modsecurity.d/activated_rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
706 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:¾|¼).*(?:¾|¼|>)|(?:¾|¼|<).*(?:¾|¼)" \
707 "phase:request,\
708 rev:'2',\
709 ver:'OWASP_CRS/3.0.0',\
710 maturity:'7',\
711 accuracy:'8',\
712 id:941310,\
...
~~~
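To see why rule 941310 fires on this input, here is an added Python check (not part of the bug report or of CRS) that applies the 3.3.0 byte pattern and the 3.0.0 character pattern quoted above to the UTF-8 encoding of a value; the function names and the sample inputs are my own.

```python
import re

# Rule 941310 as it appears in the CRS 3.3.0 file above. ModSecurity applies it to the raw
# request bytes, so it is compiled here as a bytes regex: \xbc and \xbe are single bytes.
RULE_941310_CRS330 = re.compile(rb"\xbc[^\xbe>]*[\xbe>]|<[^\xbe]*\xbe")

# The CRS 3.0.0 variant wrote the literal characters ¼ and ¾. In a UTF-8 rule file those are
# the two-byte sequences C2 BC and C2 BE, which is why 3.0.0 never matched plain Japanese text.
RULE_941310_CRS300 = re.compile("(?:¾|¼).*(?:¾|¼|>)|(?:¾|¼|<).*(?:¾|¼)".encode("utf-8"))


def match_941310(value, rule=RULE_941310_CRS330):
    """Return the matched bytes (what the log reports as 'Matched Data'), or None."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    m = rule.search(raw)
    return m.group(0) if m else None


def risky_chars(value: str):
    """Characters whose UTF-8 encoding contains 0xBC or 0xBE, the bytes the 3.3.0 rule keys on.

    Any such character followed later in the same field by another one ending in 0xBE
    (or by a literal '>') will trip the rule, which is the false-positive class seen here.
    """
    hits = []
    for ch in value:
        enc = ch.encode("utf-8")
        if 0xBC in enc or 0xBE in enc:
            hits.append((ch, enc))
    return hits


if __name__ == "__main__":
    # Constructed samples: the reporter's word, a single character, and the byte sequence
    # the rule was written for (0xBC/0xBE standing in for '<'/'>' under US-ASCII 7-bit decoding).
    for sample in ("会社", "会", "hello", b"\xbcb\xbe"):
        print(repr(sample), "3.3.0 ->", match_941310(sample),
              "3.0.0 ->", match_941310(sample, RULE_941310_CRS300))
    print(risky_chars("会社"))
    # Tuning option while the rule is unfixed (standard ModSecurity directive, not page-specific):
    #   SecRuleUpdateTargetById 941310 "!ARGS:testdata"
    # which excludes one known free-text field from this rule instead of disabling the rule.
```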
- is duplicated by: RHEL-22991 /CoreOS/httpd/mod_security/bz2040257-false-positive-for-rule-941310 fails on rhel-9.4 (Closed)
- links to: RHBA-2024:127354 mod_security_crs update