Bug 816648 - SecRequestBodyLimit settings
Summary: SecRequestBodyLimit settings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: mod_security
Version: el5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Othman Madjoudj
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-04-26 15:37 UTC by Barry Von Ahsen
Modified: 2013-03-30 16:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-30 16:21:51 UTC
Type: Bug
Embargoed:



Description Barry Von Ahsen 2012-04-26 15:37:05 UTC
Description of problem:
It appears that SecRequestBodyLimit uses the wrong units; the mod_security documentation states the default is 131072 KB, but the RPM seems to be set at 131072 B.
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/modsecurity2-apache-reference.html#N10878

Version-Release number of selected component (if applicable):
mod_security-2.5.12-3.el5
httpd-2.2.3-63.el5_8.1


How reproducible:
Do not alter the mod_security defaults; attempt to submit a form or upload an image > 128 KB.

Steps to Reproduce:
1. Do not alter the mod_security defaults; attempt to submit a form or upload an image > 128 KB: 413 error.
2. Update modsecurity_localrules.conf: SecRequestBodyLimit 8192000
3. Successful upload.
  
Actual results:
413: Request Entity Too Large, or an "Internet Explorer cannot open page" error
Request body (Content-Length) is larger than the configured limit (131072)

Expected results:
200: OK

Additional info:

error_log:
[Wed Apr 25 16:12:19 2012] [error] [client x.x.x.x] ModSecurity: Request body (Content-Length) is larger than the configured limit (131072). [hostname "site.domain.com"] [uri "/admin/banner_edit.php"] [unique_id "U57nT8CoAisAAHDpH78AAAAE"]

modsec_audit:
--cb2a8e68-A--
[25/Apr/2012:16:12:19 --0500] U57nT8CoAisAAHDpH78AAAAE x.x.x.x 38808 y.y.y.y 80
--cb2a8e68-B--
POST /admin/banner_edit.php HTTP/1.0
Host: site.domain.com
Content-Length: 245046
Origin: http://site.domain.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHySJ12eVrqcnoLjq
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://site.domain.com/admin/banner_edit.php?type=type
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=87ac9f7-1350c6b6449-47ae7c19-193; __utma=97994624.1621275359.1320701487.1335379177.1335381370.97; __utmc=97994624; __utmz=97994624.1334755122.91.4.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); IS3_GSV=DPL-0_TES-1335385485_PCT-1335385485_GeoIP-*_GeoCo-_GeoRg-_GeoCt-_GeoNs-_GeoDm-; __utma=185507454.1952222390.1334851061.1335295829.1335385485.14; __utmc=185507454; __utmz=185507454.1334851061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); IS3_History=1328016809-8-40_3--8+13--8+32--8+49--8__3-13-32-49_3-13-32-49; s_pers=%20s_vnum%3D1335416400541%2526vn%253D1%7C1335416400541%3B%20s_cpmcvp%3D%255B%255B'Other%252520Referrers-site.domain.com'%252C'1335295828634'%255D%252C%255B'Other%252520Referrers-client.domain.com'%252C'1335297466459'%255D%252C%255B'Other%252520Referrers-site.domain.com'%252C'1335385489756'%255D%252C%255B'Other%252520Referrers-client.domain.com'%252C'1335386737459'%255D%252C%255B'Other%252520Referrers-site.domain.com'%252C'1335387953657'%255D%255D%7C1493154353657%3B%20s_evar54%3D0%7C1335474354741%3B%20s_visit%3D1%7C1335389756065%3B%20gpv_pageName%3Dncc%252Fhttp%253A%252F%252Fsite.domain.com%252Fga%252Fatlanta%252Fqfece%252F%7C1335389756068%3B%20s_nr%3D1335387956076-Repeat%7C1366923956076%3B%20s_invisit%3Dtrue%7C1335389756083%3B; s_sess=%20s_ria%3Dflash%252011%257C%3B%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_cm%3DOther%2520Natural%2520Referrersundefinedsite.domain.com%3B%20s_cpc%3D0%3B%20s_sq%3D%3B; PHPSESSID=95cceagm8jc98n0g7soso0v4i0
Via: 1.1 cudawf.domain.com:8080 (http_scan/4.0.2.6.19)
CUDA_CLIIP: z.z.z.z
Cache-Control: max-age=0
Connection: keep-alive

--cb2a8e68-F--
HTTP/1.1 413 Request Entity Too Large
Content-Length: 438
Connection: close
Content-Type: text/html; charset=iso-8859-1

--cb2a8e68-H--
Message: Request body (Content-Length) is larger than the configured limit (131072).
Stopwatch: 1335388339627855 1774 (- - -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.
Server: Apache/2.2.3 (Red Hat)

--cb2a8e68-Z--


httpd.conf:
LimitRequestBody 8192000

# grep _max /etc/php.ini
log_errors_max_len = 1024
post_max_size = 8M
upload_max_filesize = 2M


# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
# rpm -qa | grep "http\|mod_sec"
mod_security-2.5.12-3.el5
httpd-2.2.3-63.el5_8.1


fix:
/etc/httpd/modsecurity.d/modsecurity_localrules.conf:
SecRequestBodyLimit 8192000
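
The report lists three independent caps on a POST body: SecRequestBodyLimit in ModSecurity, LimitRequestBody in httpd, and post_max_size in php.ini. The script below is an added example, not code from the bug report or from the mod_security package. It parses constructed config snippets built from the values quoted above, works out which cap a 245046-byte request (the Content-Length in the audit log) actually hits, and extracts the enforced limit, vhost and URI from the error_log line ModSecurity 2.x writes when SecRequestBodyLimit rejects a request. It assumes the directive syntax shown on this page: SecRequestBodyLimit and LimitRequestBody take a plain byte count (so 131072 means 128 KB), while PHP's ini shorthand uses 1024-based K/M/G suffixes.

```python
import re

# Constructed samples modelled on the values quoted in the bug report;
# they are not copies of the reporter's actual files.
MODSEC_CONF = """\
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 131072
"""
HTTPD_CONF = "LimitRequestBody 8192000\n"
PHP_INI = """\
post_max_size = 8M
upload_max_filesize = 2M
"""
ERROR_LOG_LINE = (
    '[Wed Apr 25 16:12:19 2012] [error] [client x.x.x.x] ModSecurity: '
    'Request body (Content-Length) is larger than the configured limit (131072). '
    '[hostname "site.domain.com"] [uri "/admin/banner_edit.php"] '
    '[unique_id "U57nT8CoAisAAHDpH78AAAAE"]'
)

# PHP ini shorthand multipliers; Apache and ModSecurity accept bytes only.
UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(value):
    """Turn '131072', '8M' or '2k' into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError("unparseable size: %r" % value)
    return int(m.group(1)) * UNIT[m.group(2).upper()]


def apache_directive(conf, name):
    """Value of an Apache-style directive in bytes; the last occurrence wins,
    directive names are case-insensitive and '#' comments are ignored."""
    found = None
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == name.lower():
            found = parse_size(parts[1])
    return found


def php_ini_value(ini, key):
    """Value of a php.ini key in bytes, honouring K/M/G shorthand."""
    for line in ini.splitlines():
        line = line.split(";", 1)[0]
        if "=" not in line:
            continue
        k, v = (s.strip() for s in line.split("=", 1))
        if k == key:
            return parse_size(v)
    return None


def collect_limits(modsec_conf, httpd_conf, php_ini):
    """Map each body-size cap to its value in bytes. A missing directive or
    LimitRequestBody 0 (unlimited) is left out of the comparison."""
    limits = {
        "SecRequestBodyLimit": apache_directive(modsec_conf, "SecRequestBodyLimit"),
        "LimitRequestBody": apache_directive(httpd_conf, "LimitRequestBody"),
        "post_max_size": php_ini_value(php_ini, "post_max_size"),
    }
    return {k: v for k, v in limits.items() if v}


def bottleneck(limits, content_length):
    """Name of the smallest cap the request exceeds, or None if it fits everywhere."""
    exceeded = [(v, k) for k, v in limits.items() if content_length > v]
    return min(exceeded)[1] if exceeded else None


MODSEC_LIMIT_RE = re.compile(
    r"ModSecurity: Request body \(Content-Length\) is larger than the configured "
    r"limit \((\d+)\)\..*?\[hostname \"([^\"]*)\"\].*?\[uri \"([^\"]*)\"\]"
)


def parse_modsec_limit_error(line):
    """Pull limit, vhost and URI out of a ModSecurity 2.x body-limit error_log
    line; None for any other line."""
    m = MODSEC_LIMIT_RE.search(line)
    if not m:
        return None
    return {"limit": int(m.group(1)), "hostname": m.group(2), "uri": m.group(3)}


if __name__ == "__main__":
    limits = collect_limits(MODSEC_CONF, HTTPD_CONF, PHP_INI)
    content_length = 245046  # Content-Length from the audit log above
    print(limits, "->", bottleneck(limits, content_length))
    print(parse_modsec_limit_error(ERROR_LOG_LINE))
```

With the values from the report, SecRequestBodyLimit (131072) is the only cap below 245046, which matches the 413 and the error_log message; after raising it to 8192000 the request fits every layer. Run the same check against a target body size before tuning any one layer, since raising SecRequestBodyLimit alone does nothing once LimitRequestBody or post_max_size becomes the smallest cap.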

Comment 1 Barry Von Ahsen 2012-04-26 16:03:19 UTC
the image being uploaded was a 238KB PNG

Comment 2 Othman Madjoudj 2012-09-08 22:32:15 UTC
Can you check whether this issue is still reproducible with the latest mod_security and mod_security_crs from epel-testing?

