Description
MODSEC-181: ModSecurity is causing certain invalid requests to always be logged as 500 Internal Server Error, even when in DetectionOnly mode.
When a POST request is made to the server and the client disconnects before sending all of the payload (as indicated by the Content-Length header), ModSecurity causes the request to be logged as 500 Internal Server Error and the following is logged in the Apache error log:
[Thu Oct 21 05:35:51 2010] [error] [client xx.xx.xx.xx] ModSecurity: Error reading request body: End of file found [hostname "xx.yy.zz.com"] [uri "/foo/bar"] [unique_id "xx-yy-zz"]
If ModSecurity is disabled (SecRuleEngine Off), this is logged as 200 OK and nothing is reported in the error log. If ModSecurity is enabled, even in DetectionOnly mode, and SecRequestBodyAccess is on, this request becomes a 500 Internal Server Error. This is a severe issue, since 500 errors are often monitored and cause alarms. This defect means that an attacker can deterministically generate any number of 500 errors on any server protected by ModSecurity. ModSecurity itself should never generate a 500 error, since that indicates an error in the server, not in the request.
I traced the source of the error condition to the function read_request_body() in apache2_is.c and the function hook_request_late() in mod_security2.c. ModSecurity should handle the APR_EOF error code separately in read_request_body() and return a value other than -1 (which causes hook_request_late() to generate the 500 error code).
The only workaround seems to be to disable request body scanning, which limits the usefulness of ModSecurity severely.
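
For triaging the alarms described above, the following is an added example, not part of the original report or of ModSecurity: it parses error-log lines in the format quoted in the report, isolates the truncated-body events, and counts them per client. The sample lines, addresses, ids, and function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Error-log line layout as quoted in the report (Apache 2.2 style).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<msg>.*?)(?P<meta>(?: \[\w+ "[^"]*"\])*)\s*$')
META_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
EOF_MSG = "Error reading request body: End of file found"

def parse_line(line):
    """Parse one ModSecurity error-log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
           "client": m["client"], "message": m["msg"]}
    rec.update(META_RE.findall(m["meta"]))  # hostname, uri, unique_id, ...
    return rec

def truncated_body_events(lines):
    """Keep only the events caused by a request body that ended early."""
    parsed = (parse_line(l) for l in lines)
    return [r for r in parsed if r and r["message"] == EOF_MSG]

def noisy_clients(events, threshold):
    """Clients with at least `threshold` truncated-body events."""
    counts = Counter(e["client"] for e in events)
    return {c: n for c, n in counts.items() if n >= threshold}

# Constructed sample input (documentation addresses, made-up ids).
_FMT = ('[Thu Oct 21 05:35:%02d 2010] [error] [client %s] ModSecurity: '
        'Error reading request body: End of file found '
        '[hostname "www.example.com"] [uri "%s"] [unique_id "id-%04d"]')
SAMPLE = [
    _FMT % (51, "192.0.2.10", "/foo/bar", 1),
    _FMT % (52, "192.0.2.10", "/foo/bar", 2),
    _FMT % (58, "198.51.100.7", "/login", 3),
    "[Thu Oct 21 05:36:10 2010] [error] [client 198.51.100.7] "
    "File does not exist: /var/www/favicon.ico",
]

if __name__ == "__main__":
    events = truncated_body_events(SAMPLE)
    for e in events:
        print(e["time"], e["client"], e["uri"], e["unique_id"])
    print("repeat sources:", noisy_clients(events, threshold=2))
```

The extracted unique_id can be matched against 500 entries in the access log when the access log format records it, which separates these client-aborted uploads from genuine server faults.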