Description
hi, I installed completely ModSecurity v3.0.2, when I try to visit http://127.0.0.1, I was forbiddened.
in log file, it says:
[Sun Aug 12 20:12:03.300266 2018] [:error] [pid 32207:tid 140515782620928] [client 127.0.0.1:34372] ModSecurity: Warning. Matched "Operator Within' with parameter HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'' against variable REQUEST_PROTOCOL' (Value: HTTP/HTTP/1.1' ) [file "/etc/apache2/modsecurity.d/owasp-crs/available-rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "962"] [id "920430"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/HTTP/1.1"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "127.0.1.1"] [uri "/"] [unique_id "153412992389.506097"] [ref "v6,13"]
I found that the value was : HTTP/HTTP/1.1 , not HTTP/1.1.
in source code https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/transaction.cc
line 1405, line 1494, m_httpVersion was add by string "HTTP/"
maybe m_httpVersion has prefix "HTTP/" already?
in crs file : crs-setup.conf, I changed the config
SecAction
"id:900230,
phase:1,
nolog,
pass,
t:none,
setvar:'tx.allowed_http_versions=HTTP/HTTP/1.0 HTTP/HTTP/1.1 HTTP/HTTP/2 HTTP/HTTP/2.0'"
It runs well and not forbiddened any more.
is it a bug in transaction.cc?