Stephen Craig Evans | 27 Jun 13:58

problem with my regex and single line HTML comment in RESPONSE_BODY

Hi,

I'm having a problem with a regex.

I want to prevent content in an HTTP response being returned as in:
<!--
	TODO admin:adminpw
  -->

My regular expression:
<!--[ \r\n\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \r\n\t]* -->

works both in Regex Coach and Expresso 3.0 and on variations such as:
    <!--
	Use Admin to regenerate database
  -->

which is what I want.

To try to make a long story short - without a bunch of debug stuff -
it works as designed on the 'bad' pages with multiline HTML comments
like above but when it processes a page with any HTML comment on one
line (e.g. <!-- Stop Instructions -->) it chokes and stops processing
the page.

My rule:
SecRule RESPONSE_BODY "<!--[ \r\n\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \r\n\t]* -->" \
    "phase:4,ctl:auditLogParts=+E,log,deny,status:501,auditlog,msg:'HTML comment source code leakage',id:'8',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"

Adding 'capture' to the rule as in "phase:4,capture,ctl..." gets rid
of the debug message "Ignoring regex captures since "capture" action
is not enabled." but the result is the exact same.

I also use "SecCacheTransformations=Off" so that transformations
aren't being cached.

The end of the debug log file shows (with some sanitation):

[26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][4] Starting phase RESPONSE_BODY.
[26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][9] This phase consists of 5 rule(s).
[26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][4] Recipe: Invoking rule 80c3c28; [file "/etc/modsecurity/rulefile_fail-open-auth2.conf"] [line "268"] [id "8"].
[26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][5] Rule 80c3c28: SecRule "RESPONSE_BODY" "@rx <!--[ \\r\\n\\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \\r\\n\\t]* -->" "phase:4,capture,ctl:auditLogParts=+E,log,deny,status:501,auditlog,msg:'HTML comment source code leakage',id:8,tag:LEAKAGE/SOURCE_CODE,severity:4"
[26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][4] Transformation completed in 4 usec.
[26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][4] Executing operator "rx" with param "<!--[ \\r\\n\\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \\r\\n\\t]* -->" against RESPONSE_BODY.
[26/Jun/2008:19:36:29 +0800] [192.168.0.5/sid#82100e0][rid#8424118][/xxx][9] Target value: "\r\n\r\n\r\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n\r\n<html xmlns="http://www.w3.org/1999/xhtml">\r\n<head>\r\n<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />\r\n<title>Sample Page</title>\r\n<link rel="stylesheet" href="css/draw.css" type="text/css" />\r\n<link rel="stylesheet" href="css/page1.css" type="text/css" />\r\n<link rel="stylesheet" href="css/menu.css" type="text/css" />\r\n<link rel="stylesheet" href="css/layers.css" type="text/css" />\r\n<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>\r\n<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>\r\n<script language="JavaScript1.2" src="javascript/pageNav.js" type="text/javascript"></script>\r\n<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>\r\n<script language="Java

And it stops there. This page, just below the point where the output stops, contains an HTML
comment: <!-- Stop Instructions -->

I even added 'Instructions' to the rule to see if a one line HTML
comment with a match worked, but it doesn't. Same result.

Can anybody help? I'm baffled.

I'm using ModSecurity 2.5.1 with Apache 2.2 on Kubuntu 7.10.

Thanks in advance,
Stephen
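
An added example, not from Stephen's post or from ModSecurity itself: the posted pattern nests one quantifier inside another, `(.?)*`, which a backtracking engine such as PCRE can explore in exponentially many ways whenever no keyword follows, and its `.*` can also run from one comment into the next. The Python below (the function name, the rewritten pattern and the sample bodies are this example's own assumptions) shows the same detection written without the nested quantifier, checked against the three comments quoted in the post.

```python
import re

# The pattern from the post, kept for reference only and deliberately never
# executed here: (.?)* lets a run of characters be matched in exponentially
# many ways, so when no keyword follows the engine backtracks explosively.
POSTED_PATTERN = r"<!--[ \r\n\t]*(.?)*(Admin|admin|administrator|pwd|password)(.*)[ \r\n\t]* -->"

# Rewritten pattern (an assumption of this example, not from the post):
#  - (?:(?!-->).)*? is a "tempered" dot: it advances one character at a time
#    and refuses to step past a closing -->, so one comment can never swallow
#    the next one and the cost stays linear in the comment length.
#  - re.DOTALL makes . cross \r and \n, so multi-line comments are covered
#    without the [ \r\n\t]* padding of the original.
#  - re.IGNORECASE replaces the Admin|admin alternation; "administrator"
#    already contains "admin", so it is dropped as redundant.
LEAK_PATTERN = re.compile(
    r"<!--(?:(?!-->).)*?(?:admin|pwd|password)(?:(?!-->).)*?-->",
    re.DOTALL | re.IGNORECASE,
)


def find_comment_leaks(body: str) -> list[str]:
    """Return every HTML comment in body that mentions a credential keyword."""
    return [m.group(0) for m in LEAK_PATTERN.finditer(body)]


# Constructed sample bodies modelled on the three comments in the post.
MULTILINE_LEAK = "<html><!--\n\tTODO admin:adminpw\n  --></html>"
MULTILINE_HINT = "<html>    <!--\n\tUse Admin to regenerate database\n  --></html>"
ONE_LINE_BENIGN = "<html><!-- Stop Instructions --><body>x</body></html>"
# A benign one-line comment followed by a leaking one: only the second
# comment must be reported, which the tempered dot guarantees.
MIXED = ONE_LINE_BENIGN + "\n<!-- password=hunter2 -->"

if __name__ == "__main__":
    samples = [("multiline leak", MULTILINE_LEAK), ("multiline hint", MULTILINE_HINT),
               ("one-line benign", ONE_LINE_BENIGN), ("mixed", MIXED)]
    for name, body in samples:
        print(f"{name}: {find_comment_leaks(body)}")
```

In a SecRule the same pattern would carry the flags inline as `(?si)` at its start; that translation is an assumption of this example and has not been run through ModSecurity here.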
