
24 August 2011

Comments

Hi,
I tried the ModSecurity ruleset on Apache 2.2 using mod_security 2.5 and am seeing these errors in the error_log. As for the killer script, it is still able to load Apache very heavily, so basically I am seeing no effect with this ruleset.

[Thu Sep 01 15:21:58 2011] [error] [client 10.11.14.22] ModSecurity: Warning. Pattern match "^(.*),$" at TX:0. [file "/etc/httpd/conf.d/00_mod_security.conf"] [line "9"] [msg "Truncating Large Range Header Field."] [hostname "postfix"] [uri "/"] [unique_id "rErE7woLDhYAAE-sJJUAAAAE"]
[Thu Sep 01 15:21:58 2011] [error] [client 10.11.14.22] ModSecurity: Warning. Pattern match "^(.*),$" at TX:0. [file "/etc/httpd/conf.d/00_mod_security.conf"] [line "9"] [msg "Truncating Large Range Header Field."] [hostname "postfix"] [uri "/"] [unique_id "rErOswoLDhYAAFG3KsUAAAAI"]
[Thu Sep 01 15:21:58 2011] [error] [client 10.11.14.22] ModSecurity: Warning. Pattern match "^(.*),$" at TX:0. [file "/etc/httpd/conf.d/00_mod_security.conf"] [line "9"] [msg "Truncating Large Range Header Field."] [hostname "postfix"] [uri "/"] [unique_id "rEq2nQoLDhYAAE-qI8EAAAAC"]
[Thu Sep 01 15:21:58 2011] [error] [client 10.11.14.22] ModSecurity: Warning. Pattern match "^(.*),$" at TX:0. [file "/etc/httpd/conf.d/00_mod_security.conf"] [line "9"] [msg "Truncating Large Range Header Field."] [hostname "postfix"] [uri "/"] [unique_id "rErnzgoLDhYAAFKzN-sAAAAK"]

Hi,

The first rule only validates the first range that has start and end byte positions. It can be circumvented by adding a valid range before the invalid ranges, e.g.

Range: bytes=0-,5-6,5-0,5-1,5-2,5-3,5-4,...

Still, it's possible to write separate rules that validate the first N ranges, and then separately limit the number of allowed ranges to N.
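As an added example, not code from the post or from this commenter, here is a Python model of the check the comment asks for: every range up to an assumed limit of N=5 is validated and larger range sets are rejected, alongside the weaker first-range-only check it replaces. It is run against the bypass header quoted above and a constructed killapache-style header; the function names and the limit are assumptions.

```python
import re

# Added example (not from the original post or the commenters): a Range header
# validator that checks the first N ranges and caps the count at N, so that
# prefixing a valid range no longer hides invalid ones.  MAX_RANGES = 5 is an
# assumed limit.
MAX_RANGES = 5

# One RFC 2616 byte-range-spec: "first-last", "first-" (open ended) or "-suffix".
_BYTE_RANGE_SPEC = re.compile(r"^(?:(\d+)-(\d*)|-(\d+))$")


def split_range_specs(header):
    """Return the comma-separated byte-range-spec strings of a Range header,
    or None when the value is not a 'bytes=' range set."""
    if not header.startswith("bytes="):
        return None
    return [spec.strip() for spec in header[len("bytes="):].split(",")]


def range_spec_is_valid(spec):
    """A byte-range-spec is invalid when it is malformed, when last < first,
    or when it is a zero-length suffix range (unsatisfiable)."""
    match = _BYTE_RANGE_SPEC.match(spec)
    if not match:
        return False
    first, last, suffix = match.groups()
    if suffix is not None:
        return int(suffix) > 0
    if last == "":
        return True  # "first-" runs to the end of the representation
    return int(first) <= int(last)


def weak_check(header):
    """The check the comment criticises: only the first range is validated."""
    specs = split_range_specs(header)
    if specs is None:
        return True
    return range_spec_is_valid(specs[0])


def strict_check(header, max_ranges=MAX_RANGES):
    """Validate every range up to max_ranges and reject larger range sets.
    Returns (allowed, reason); an absent header (None) is always allowed."""
    if header is None:
        return True, "no Range header"
    specs = split_range_specs(header)
    if specs is None:
        return True, "not a bytes= range set, left to the server"
    if len(specs) > max_ranges:
        return False, "%d ranges exceed the limit of %d" % (len(specs), max_ranges)
    for index, spec in enumerate(specs):
        if not range_spec_is_valid(spec):
            return False, "range %d (%r) is invalid" % (index, spec)
    return True, "%d valid range(s)" % len(specs)


# Constructed sample headers; the second one is the bypass quoted in the comment.
SAMPLES = {
    "single open range": "bytes=0-",
    "valid range hides invalid ones": "bytes=0-,5-6,5-0,5-1,5-2,5-3,5-4",
    "killapache style": "bytes=0-," + ",".join("5-%d" % i for i in range(1, 1300)),
    "two valid ranges": "bytes=0-,5-6",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print("%-32s weak=%s strict=%s" % (name, weak_check(header), strict_check(header)))
```

The weak check passes the bypass header because its first range, "0-", is fine; the strict check rejects it either on the count or, with a larger limit, on the third range "5-0".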

For the ModSecurity 1.x users out there, this might do the trick, assuming they don't really rely on the Range request headers for anything in particular...

# killapache.pl Aug 2011
SecFilterSelective HTTP_Range !(^$|^bytes=0-$)
SecFilterSelective HTTP_Request-Range !(^$|^bytes=0-$)

This is supposed to say: we accept Range headers only when
- "^$": the value is empty, or the header is not present
- the value is "bytes=0-"

Whoops, I did it wrong.

The rule I wrote will block ALL requests due to a little misspelling.

This is the correct one:

RewriteEngine On
# Forbid any request whose Range header is present and non-empty
RewriteCond %{HTTP:range} ^.+$ [NC]
RewriteRule .* - [F]
# Same for the legacy Request-Range header, which Apache also honours
RewriteCond %{HTTP:request-range} ^.+$ [NC]
RewriteRule .* - [F]


Note that it is changed to .+ instead of .*: .* means everything, even an unspecified string, but .+ means at least one character.

So do the above; it will successfully block requests containing a Range or Request-Range header.

Another good idea is to completely block range requests by filtering the header.

RewriteEngine On
RewriteCond %{HTTP:range} ^.*$ [NC]
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} ^.*$ [NC]
RewriteRule .* - [F]

This will block all requests containing a Range header.

Rm4dillo - this blocks other range requests too: we happen to use a Flash-based uploader (uploadify) which sends a request like this when it is loaded using a version query string (v=4.1), required by IE to render correctly.

Range: bytes=0-
If-Range: Fri, 15 Jul 2011 10:44:34 GMT

That is 403 denied by the configuration suggested in the .htaccess workaround, so the uploader file is never loaded.

I've suggested this additional check, which allows the "Range: bytes=0-" request:

# Explicitly allow the "Range: bytes=0-" request from the Flash uploader client
RewriteCond %{HTTP:range} ^bytes=0-$
RewriteRule .* - [L]

# @see http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
# Forbid a Range header that is neither absent (^$) nor a set of at most five
# ranges. The leading "!" is required: without it the rule is inverted, so
# ordinary range requests get 403 while the many-range attack request passes.
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]


Regards - Neil Smith

Hi Ryan,

I think that browsers never send HEAD requests with a "Range" header, as it's of no use (I checked on high-traffic servers). Adding a rule that blocks HEAD requests with a "Range" header should stop script kiddies.

I also noticed that Apache also accepts the "Request-Range" header (which acts just the same as "Range") for compatibility reasons. You should probably add it to these rules.

Anyway, thank you for your fast reaction concerning the issue!

Rm4dillo
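The rewrite rules traded in this thread, as an added model that is not the commenters' own code: a few lines of Python that evaluate RewriteCond patterns the way mod_rewrite does (the CondPattern is an unanchored PCRE search, a leading "!" negates it, and %{HTTP:range} expands to the empty string when the header is absent). It shows why "^.*$" forbids every request while "^.+$" forbids only requests that actually carry the header, what the dev-list pattern with at most five ranges does with and without its leading "!", and, as the last comment suggests, how the same check extends to HEAD requests and to the Request-Range header. Function names and the sample requests are assumptions.

```python
import re

# Added example, not the commenters' own code: a small model of how mod_rewrite
# evaluates the RewriteCond patterns quoted in this thread.  %{HTTP:range}
# expands to "" when the header is absent, the CondPattern is an unanchored
# PCRE search, and a leading "!" negates it.  Function names are assumptions.


def rewrite_cond(cond_pattern, test_string):
    """Evaluate one RewriteCond; True means the condition holds."""
    negate = cond_pattern.startswith("!")
    pattern = cond_pattern[1:] if negate else cond_pattern
    matched = re.search(pattern, test_string) is not None
    return matched != negate


def star_rule_forbids(range_value):
    """RewriteCond %{HTTP:range} ^.*$ -- matches even the absent header."""
    return rewrite_cond(r"^.*$", range_value)


def plus_rule_forbids(range_value):
    """RewriteCond %{HTTP:range} ^.+$ -- needs at least one character."""
    return rewrite_cond(r"^.+$", range_value)


def count_rule_forbids(range_value, negated=True):
    """The .htaccess from the thread: 'bytes=0-' is let through with [L],
    anything else must be empty or hold at most five ranges (the pattern
    from the apache-httpd-dev list).  negated=False reproduces the rule
    as it was first posted, without the leading '!'."""
    if rewrite_cond(r"^bytes=0-$", range_value):
        return False  # RewriteRule .* - [L]: stop, request allowed
    cond = r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)"
    return rewrite_cond(("!" if negated else "") + cond, range_value)


def request_is_forbidden(method, headers):
    """Combine the later suggestions in the thread: drop HEAD requests that
    carry a Range header, and apply the count rule to both Range and the
    legacy Request-Range header, which Apache honours as well."""
    if method == "HEAD" and "Range" in headers:
        return True
    return any(count_rule_forbids(headers.get(name, ""))
               for name in ("Range", "Request-Range"))


def multi_range(n):
    """Constructed Range value holding n ranges, in the killapache style."""
    return "bytes=0-," + ",".join("5-%d" % i for i in range(1, n))


# Constructed sample requests; the uploader headers are the ones quoted above.
NO_RANGE = {}
UPLOADER = {"Range": "bytes=0-", "If-Range": "Fri, 15 Jul 2011 10:44:34 GMT"}
ATTACK = {"Range": multi_range(1300)}

if __name__ == "__main__":
    for label, value in (("absent", ""), ("uploader", "bytes=0-"),
                         ("5 ranges", multi_range(5)), ("6 ranges", multi_range(6)),
                         ("attack", multi_range(1300))):
        print("%-9s .*:%-5s .+:%-5s count:%-5s count-without-!:%s" % (
            label, star_rule_forbids(value), plus_rule_forbids(value),
            count_rule_forbids(value), count_rule_forbids(value, negated=False)))
```

With the negation in place the count rule lets the absent header, the uploader's "bytes=0-" and five-range requests through and forbids six or more; without it, the five-range request is forbidden and the 1300-range attack request is allowed, which is the inverted behaviour to watch for when copying the pattern.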
