ModSecurity causing 500 error codes for invalid requests even in DetectionOnly mode #334

Closed
@rcbarnett-zz

MODSEC-181: ModSecurity is causing certain invalid requests to always be logged as 500 Internal Server Error, even when in DetectionOnly mode.

When a POST request is made to the server and the client disconnects before sending all of the payload (as indicated by the Content-Length header), ModSecurity causes the request to be logged as 500 Internal Server Error and the following is logged into the Apache error log:

[Thu Oct 21 05:35:51 2010] [error] [client xx.xx.xx.xx] ModSecurity: Error reading request body: End of file found [hostname "xx.yy.zz.com"] [uri "/foo/bar"] [unique_id "xx-yy-zz"]

If ModSecurity is disabled (SecRuleEngine Off) this is logged as 200 OK and nothing is reported in the error log. If ModSecurity is enabled even in DetectionOnly mode and SecRequestBodyAccess is on, this request becomes a 500 Internal Server Error. This is a severe issue, since 500 errors are often monitored and cause alarms. This defect means that an attacker can deterministically generate any number of 500 errors on any server protected by ModSecurity. ModSecurity itself should never generate a 500 error, since that indicates an error in the server, not in the request.

I hunted the source of the error condition to the function read_request_body() in apache2_is.c and function hook_request_late() in mod_security2.c. ModSecurity should handle the APR_EOF error code separately in read_request_body() and return some other return value than -1 (which causes hook_request_late() to generate the 500 error code).

The only workaround seems to be to disable request body scanning, which limits the usefulness of ModSecurity severely.
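
For triage on an affected server, the following added example (not part of the original report and not ModSecurity code) parses error-log entries in the format quoted above and separates 500 responses caused by truncated request bodies from other 500s. It assumes the access log also records the mod_unique_id value (for example via `%{UNIQUE_ID}e`); the function names, sample lines and IDs are constructed for illustration.

```python
import re
from collections import Counter

# Apache 2.2-style error-log entry written by ModSecurity, as quoted in the report.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<msg>.*?)(?P<meta>(?: \[\w+ "[^"]*"\])*)\s*$')
META_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
TRUNCATED_BODY = "Error reading request body: End of file found"

# Constructed sample lines (documentation addresses, made-up unique_ids).
SAMPLE_ERROR_LOG = [
    '[Thu Oct 21 05:35:51 2010] [error] [client 192.0.2.10] ModSecurity: Error reading request body: End of file found [hostname "www.example.test"] [uri "/foo/bar"] [unique_id "id-0001"]',
    '[Thu Oct 21 05:35:52 2010] [error] [client 192.0.2.10] ModSecurity: Error reading request body: End of file found [hostname "www.example.test"] [uri "/foo/bar"] [unique_id "id-0002"]',
    '[Thu Oct 21 05:35:53 2010] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico',
    '[Thu Oct 21 05:35:54 2010] [error] [client 198.51.100.7] ModSecurity: Error reading request body: End of file found [hostname "www.example.test"] [uri "/upload"] [unique_id "id-0003"]',
]

def parse_modsec_line(line):
    """Return the entry's fields as a dict, or None if it is not a ModSecurity entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {k: m.group(k) for k in ("time", "level", "client", "msg")}
    event.update(META_RE.findall(m.group("meta")))  # hostname, uri, unique_id, ...
    return event

def truncated_body_events(lines):
    """Entries where the body ended before Content-Length bytes had arrived."""
    events = (parse_modsec_line(line) for line in lines)
    return [e for e in events if e and e["msg"] == TRUNCATED_BODY]

def per_client(lines):
    """Count truncated-body events per client address."""
    return Counter(e["client"] for e in truncated_body_events(lines))

def split_500s(ids_logged_as_500, error_lines):
    """Partition unique_ids of 500 responses into (truncated-body, other)."""
    known = {e.get("unique_id") for e in truncated_body_events(error_lines)}
    ids = set(ids_logged_as_500)
    return ids & known, ids - known
```

The second set returned by `split_500s` holds the 500s that still point at a server-side fault, and `per_client` shows which addresses account for the truncated-body entries.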
