Created attachment 552251
HTML form that should trigger problem

Description of problem:
I have a simple HTML form I will attach. When trying to submit this form the request is always forbidden if the text inside of the <textarea> is more than somewhere in the range of 740 - 907 characters. If it is less than that then the form works correctly.

The modsec_audit.log says:

--d421a611-H--
Message: Pattern match "^([^;\s]+)" at REQUEST_HEADERS:Content-Type. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_30\
_http_policy.conf"] [line "63"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-\
urlencoded"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_A\
ppSensor/EE2"] [tag "PCI/12.1"]
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/htt\
pd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"]
Action: Intercepted (phase 2)
Stopwatch: 1326321198117273 21026 (999* 20744 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
Server: Apache/2.2.15 (Red Hat)
--d421a611-Z--

which seems to indicate that I need to raise SecPcreMatchLimit and/or SecPcreMatchLimitRecursion in /etc/httpd/conf.d/mod_security.conf. So I tried changing them from 1000 to 15000000000 and the same problem still happens. I'm no PCRE expert but that doesn't seem to be working right.

Version-Release number of selected component (if applicable):
mod_security-2.5.12-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. put attached HTML file in your web server
2. access HTML file in web browser
3. try to submit form in web page

Actual results:
HTTP 403 error

Expected results:
web page displays correctly.

Additional info:
This issue seems to exist in mod_security-2.5.12-3.el5.i386 as well.
The issue is present also in mod_security 2.5.12-3.el5. Here is the POST request that triggers the bug:

POST /ib/servlet HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: localhost
Content-Length: 56

svrha=502%2C503%2C495%2C498%2C499-5+kom+-JAM%C4%8CEVINA

I also reported this issue to upstream: https://www.modsecurity.org/tracker/browse/MODSEC-309
I got a response to upgrade to the newest version. Is it possible to update mod_security to the newest version, i.e. 2.6.6?
Can you check if this issue is still reproducible with the latest mod_security and mod_security_crs from epel-testing?
I just tried with mod_security-2.6.7-1.el6.x86_64 from epel and the problem does not seem to happen any longer.
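
An added example, not part of the original report or of ModSecurity: a Python triage of audit-log H sections like the one in the report, separating requests denied only because TX:MSC_PCRE_LIMITS_EXCEEDED was set from requests denied by a matching rule. The sample log is constructed (abridged from the report plus a made-up second entry), and all function names are hypothetical.

```python
import re

# Constructed sample: first entry abridged from the report, second entry made up.
SAMPLE = r'''--d421a611-H--
Message: Pattern match "^([^;\s]+)" at REQUEST_HEADERS:Content-Type. [id "960010"] [msg "Request content type is not allowed by policy"]
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"]
Action: Intercepted (phase 2)
--d421a611-Z--
--aaaa0001-H--
Message: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [id "000001"] [msg "constructed rule hit"]
Action: Intercepted (phase 2)
--aaaa0001-Z--
'''

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")  # e.g. --d421a611-H--
PCRE_ERR = "Rule execution error - PCRE limits exceeded"
PCRE_FLAG = "TX:MSC_PCRE_LIMITS_EXCEEDED"

def parse_trailers(text):
    """Map each transaction id to the lines of its H (trailer) section."""
    sections, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:  # a boundary opens a new part; only part H is collected
            current = m.group(1) if m.group(2) == "H" else None
            if current:
                sections.setdefault(current, [])
        elif current:
            sections[current].append(line)
    return sections

def classify(lines):
    """Decide why a transaction was intercepted, if it was."""
    msgs = [l[len("Message: "):] for l in lines if l.startswith("Message: ")]
    denied = [m for m in msgs if m.startswith("Access denied")]
    if not any(l.startswith("Action: Intercepted") for l in lines):
        verdict = "passed"
    elif denied and all(PCRE_FLAG in m for m in denied):
        verdict = "blocked-by-pcre-limit"  # engine error, not a rule match
    else:
        verdict = "blocked-by-rule"
    return {"verdict": verdict,
            "pcre_errors": sum(m.startswith(PCRE_ERR) for m in msgs),
            "rule_ids": re.findall(r'\[id "(\d+)"\]', " ".join(msgs))}

def triage(text):
    return {tx: classify(lines) for tx, lines in parse_trailers(text).items()}

if __name__ == "__main__":
    for tx, result in triage(SAMPLE).items():
        print(tx, result)
```
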