
RESPONSE-50-DATA-LEAKAGES-PHP wrong order


_Issue originally created by user emphazer on date 2015-10-12 14:47:19. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/261._

Hello,

RHEL7 / Apache 2.4

The httpd daemon doesn't start, with the following error: AH00526: Syntax error on line 24 of /etc/httpd/modsecurity.d/activated_rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf: Error parsing actions: Unknown action:
If you change the rule order like in the other rules it will work. And I found there are some spaces at the beginning instead of tabs.

```apache
# -=[ PHP Error Message Leakage ]=-
# Each line of the rule is continued with a trailing backslash; the actions
# list is one double-quoted string spread over several physical lines.

SecRule RESPONSE_BODY "@pmf php-errors.data" \
    "phase:response,\
    rev:'3',\
    ver:'OWASP_CRS/3.0.0',\
    maturity:'9',\
    accuracy:'9',\
    t:none,\
    capture,\
    ctl:auditLogParts=+E,\
    block,\
    msg:'PHP Information Leakage',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    id:'970009',\
    tag:'application-multi',\
    tag:'language-php',\
    tag:'platform-multi',\
    tag:'attack-information disclosure',\
    tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\
    tag:'WASCTC/WASC-13',\
    tag:'OWASP_TOP_10/A6',\
    tag:'PCI/6.5.6',\
    severity:'ERROR',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
```

Greetings, Chris

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5

Top GitHub Comments

1 reaction
CRS-migration-bot commented, May 13, 2020

User emphazer commented on date 2016-09-27 13:10:10:

Good news: we opened a backport patch request for RHEL7 httpd 2.4.6: https://bugzilla.redhat.com/show_bug.cgi?id=1378946

Looks good. Maybe they are going to fix it soon!

0 reactions
CRS-migration-bot commented, May 13, 2020

User csanders-git commented on date 2015-10-13 13:38:55:

I understand that you changed the rule such that it made this function properly for you… you could have also added a space before the line continuation and it would have worked. My understanding is this is still the same Apache bug you are trying to fix… It all has to do with how things are added into a buffer within configuration files. If this works for you, great, but you'll understand if we don't push a patch to the main branch to address an Apache issue, I assume.
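The two things this thread turns on, an action list that httpd rejects with an empty "Unknown action:" and the workaround of putting a space before the line-continuation backslash, are both easy to lint for before a config reload fails. The following Python script is an added example, not code from the CRS project, ModSecurity or anyone in this thread: it joins backslash-continued lines, splits the SecRule action list on commas outside single quotes, reports any empty action, and flags continuation lines whose backslash is not preceded by whitespace. The join convention, the list of action names and both sample rules are this example's own assumptions; the first sample is the rule from the issue (tags abbreviated) with the space-before-backslash workaround applied, the second is a constructed broken rule.

```python
"""Lint ModSecurity rule text for the two problems discussed in this thread:
empty actions ("Unknown action:") and continuation lines without the space
before the backslash that the thread's workaround adds. Constructed example,
not code from the CRS project, ModSecurity or the thread; the join convention,
the action list and both sample rules are assumptions of this example."""
import re

# Subset of real ModSecurity action names, enough for the CRS rule below.
KNOWN_ACTIONS = {
    "phase", "rev", "ver", "maturity", "accuracy", "t", "capture", "ctl",
    "block", "deny", "pass", "allow", "log", "nolog", "auditlog", "noauditlog",
    "msg", "logdata", "id", "tag", "severity", "setvar", "chain", "status",
}
# SecRule VARIABLES "operator" "actions", once continuations are joined.
SECRULE_RE = re.compile(r'^\s*SecRule\s+\S+\s+"[^"]*"\s*"(.*)"\s*$')

def join_continuations(text):
    """Join backslash-continued lines (assumed convention: drop the backslash,
    append the next line minus its leading whitespace). Returns (logical_lines,
    findings); findings flag backslashes not preceded by whitespace."""
    logical, findings, buf = [], [], ""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.rstrip().endswith("\\"):
            body = line.rstrip()[:-1]
            if body and not body[-1].isspace():
                findings.append(f"line {lineno}: no whitespace before line continuation")
            buf += body.lstrip() if buf else body
            continue
        buf += line.lstrip() if buf else line
        logical.append(buf)
        buf = ""
    if buf:  # text ended on a continuation line
        logical.append(buf)
    return logical, findings

def parse_actions(action_string):
    """Split an action list on commas outside single quotes -> [(name, value)]."""
    parts, cur, in_quote = [], "", False
    for ch in action_string:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    parsed = []
    for part in parts:
        name, sep, value = part.strip().partition(":")
        parsed.append((name.strip(), value.strip().strip("'") if sep else None))
    return parsed

def lint(text):
    """Return human-readable findings; an empty list means the rule text is clean."""
    logical, findings = join_continuations(text)
    for line in logical:
        match = SECRULE_RE.match(line)
        if not match:
            continue
        for name, _value in parse_actions(match.group(1)):
            if name == "":
                findings.append("empty action in action list (Unknown action:)")
            elif name not in KNOWN_ACTIONS:
                findings.append(f"unrecognised action: {name}")
    return findings

# The rule from the issue (tags abbreviated), with a space before every
# backslash as the thread's workaround suggests. Constructed sample input.
GOOD_RULE = r'''SecRule RESPONSE_BODY "@pmf php-errors.data" \
    "phase:response, \
    rev:'3', \
    ver:'OWASP_CRS/3.0.0', \
    t:none, \
    capture, \
    ctl:auditLogParts=+E, \
    block, \
    msg:'PHP Information Leakage', \
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', \
    id:'970009', \
    tag:'language-php', \
    tag:'attack-information disclosure', \
    severity:'ERROR', \
    setvar:'tx.msg=%{rule.msg}', \
    setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score}, \
    setvar:tx.anomaly_score=+%{tx.error_anomaly_score}, \
    setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
'''
# Deliberately broken constructed rule: two continuations with no space
# before the backslash, and a doubled comma that leaves an empty action.
BAD_RULE = r'''SecRule RESPONSE_BODY "@pmf php-errors.data" \
    "phase:response,\
    rev:'3',,\
    id:'970009'"
'''

if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, lint(rule) or "clean")
```

Running the script prints `good clean` and three findings for the broken rule. The lint does not reproduce the httpd 2.4.6 parsing defect itself (the thread only says a space before the backslash avoids it); it simply makes the condition visible before `httpd -t` or a service restart fails.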
