1 May 19:42
Re: Mod_Security and Content-Encoding: gzip
Ryan Barnett <Ryan.Barnett <at> Breach.com>
2007-05-01 17:42:06 GMT
Very timely... The short answer, however, is no: Mod cannot handle
compressed/gzipped data. Ofer will be releasing an update to the Core
Rules shortly, and there are some updates to address compressed content
(from an alerting perspective).
This is from the CHANGES file -
ModSecurity does not support compressed content at the moment. Thus, the
following rules have been added:
- 960013 - Content-Encoding in request not supported
  Any incoming compressed request will be denied
- 960051 - Content-Encoding in response not supported
  An outgoing compressed response will be logged to alert, but ONLY
  ONCE.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------
> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Jim Hermann -
> UUN Hostmaster
> Sent: Tuesday, May 01, 2007 1:32 PM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] Mod_Security and Content-Encoding: gzip
>
>
> Does anyone know if Mod_Security can be configured to handle
> Content-Encoding: gzip?
>
> The default rules evaluate RESPONSE_BODY for code leakage. However, when
> the Content-Encoding is gzip, the RESPONSE_BODY is all 8-bit characters
> and the mod_security rule does not work correctly.
>
> Here is the modsec_audit.log entry:
>
> --5a7c556c-A--
> [01/May/2007:05:47:21 --0500] U3Yd10VeaLQAACkuhwIAAAAU 66.249.65.146 43002
> 69.94.104.180 80
> --5a7c556c-B--
> GET /modules.php?name=Content&pa=showpage&pid=535 HTTP/1.1
> Host: www.xxx.xxx
> Connection: Keep-alive
> Accept: */*
> From: googlebot(at)googlebot.com
> User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1;
> +http://www.google.com/bot.html)
> Accept-Encoding: gzip
> If-Modified-Since: Tue, 10 Apr 2007 11:41:45 GMT
>
> --5a7c556c-F--
> HTTP/1.1 200 OK
> X-Powered-By: PHP/5.0.4
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> Content-Encoding: gzip
> Vary: Accept-Encoding
> Set-Cookie: PHPSESSID=rk9ed4ue5dgsc6nn455arvfkh4; path=/
> Content-Length: 15062
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=ISO-8859-2
> Content-Language: hu
>
> --5a7c556c-E--
> [snip - bunch of 8-bit characters]
>
> --5a7c556c-H--
> Message: Warning. Match of "rx
> (?:\\b(??:i(?:nterplay|hdr|d3)|m(?vi|thd)|(?:e
> x|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|g
> if)|B(?:%pdf|\\.ra)\\b)"
> against "RESPONSE_BODY" required. [id "970902"] [msg "PHP source code
> leakage"] [severity "WARNING"]
> Apache-Handler: cgi-script
> Stopwatch: 1178016440262103 1195644 (14664 15950 1169708)
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity v2.1.1 (Apache 2.x)
> Server: Apache/2.0.54 (Fedora)
>
> --5a7c556c-Z--
> __________________
> Jim Hermann
> Ministering to the Web
> UUism Networks
> www.uuism.net
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
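The gap Jim hit and the two rule behaviours Ryan describes, as an added example that is not part of the thread and is not ModSecurity or Core Rules code. It shows why a signature run over RESPONSE_BODY is blind once the body is gzip-compressed, what a decode-before-inspect path would look like, and a request-side deny and once-only response alert modelled on rules 960013 and 960051 as the thread describes them. The sample PHP body, the leakage regex (a stand-in for the real rule 970902 pattern), the function names and the "once per policy instance" scope are all assumptions made for the example.

```python
import gzip
import re
import zlib

# Constructed sample response body: a PHP page that leaks its source.
PLAIN_BODY = b"<html><body><?php echo $db_password; ?></body></html>"

# Illustrative leakage signature; a stand-in for the CRS regex, not its text.
PHP_LEAK_RE = re.compile(rb"<\?php\b")

GZIP_MAGIC = b"\x1f\x8b"  # every gzip member starts with these two bytes


def compressed_body() -> bytes:
    """The same page as the server sends it with Content-Encoding: gzip."""
    return gzip.compress(PLAIN_BODY)


def body_matches(body: bytes) -> bool:
    """What a plain RESPONSE_BODY signature sees: the raw bytes on the wire."""
    return PHP_LEAK_RE.search(body) is not None


def is_gzip(body: bytes) -> bool:
    return body[:2] == GZIP_MAGIC


def inspect_response(body: bytes, headers: dict) -> str:
    """Inspect after undoing Content-Encoding: gzip (which ModSecurity 2.1.1,
    per the thread, does not do). Returns 'match', 'clean' or 'uninspectable';
    a body that claims to be gzip but fails to decompress is reported as
    uninspectable instead of silently passing as clean."""
    enc = headers.get("Content-Encoding", "").strip().lower()
    if enc == "gzip" or is_gzip(body):
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            return "uninspectable"
    return "match" if body_matches(body) else "clean"


def request_verdict(headers: dict) -> tuple:
    """Mirrors rule 960013 as described in the thread: a compressed request
    body cannot be inspected, so the request is denied."""
    if headers.get("Content-Encoding"):
        return ("deny", "960013 Content-Encoding in request not supported")
    return ("allow", None)


class ResponsePolicy:
    """Mirrors rule 960051 as described in the thread: a compressed response
    is passed through but raises an alert only once (here: once per instance,
    an assumption about the scope of 'only once')."""

    def __init__(self) -> None:
        self._alerted = False

    def verdict(self, headers: dict) -> str:
        if not headers.get("Content-Encoding"):
            return "pass"
        if self._alerted:
            return "pass-silent"
        self._alerted = True
        return "pass-alert:960051 Content-Encoding in response not supported"


def demo() -> dict:
    """Run the checks against the constructed bodies and headers."""
    gz_headers = {"Content-Encoding": "gzip", "Content-Type": "text/html"}
    policy = ResponsePolicy()
    return {
        "plain_raw_match": body_matches(PLAIN_BODY),        # True
        "gzip_raw_match": body_matches(compressed_body()),  # False: signature is blind
        "gzip_decoded": inspect_response(compressed_body(), gz_headers),  # "match"
        "request": request_verdict({"Content-Encoding": "gzip"})[0],      # "deny"
        "first_response": policy.verdict(gz_headers),
        "second_response": policy.verdict(gz_headers),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `inspect_response` returning a third state is that a decode failure on a body labelled gzip is itself worth logging: treating it as "clean" would reopen the same blind spot the thread describes, just one layer down.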