Page 1 of 1

10_asl_rules blocking mobile Java requests

Posted: Mon Aug 01, 2011 4:30 pm
by rhopek
We have a customer that has a mobile application. Everything was working fine until we deployed mod_secuirty with Atomicorp rules. the audit log is as follows:

---
--d240b57d-B--
POST /servlet/put HTTP/1.1
User-Agent: Profile/MIDP-1.0 Configuration/CLDC-1.0 UNTRUSTED/1.0
Content-Type: multipart/form-data; boundary=hmConsultants
Host: xxxxxxxxxx.org
Transfer-Encoding: chunked
Connection: Keep-Alive

--d240b57d-I--
dir=baghdad
--d240b57d-F--
HTTP/1.1 403 Forbidden
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1

--d240b57d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^$" against "REQUEST_HEADERS:Transfer-Encoding" required. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "57"] [id "340001"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Dis-allowed Transfer Encoding - modsecurity does not support this encoding and can not detect attacks using it, therefore it must be blocked."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: jakarta-servlet
Stopwatch: 1312096261909606 174844 (174338* 174534 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache

--d240b57d-Z--
---

The customer reports they have tried a multitude of encoding mechanisms after seeing this in their logs, but cannot seem to get around it. Any thoughts? Could it be that "boundary" variable in the content-type?

Thx.

Re: 10_asl_rules blocking mobile Java requests

Posted: Mon Aug 01, 2011 7:17 pm
by mikeshinn
If you are using modsecurity 2.6, you can disable this rule.

Re: 10_asl_rules blocking mobile Java requests

Posted: Wed Aug 03, 2011 2:29 pm
by rhopek
We are using "mod_security-2.5.13-1.el5.art" from your site.

Re: 10_asl_rules blocking mobile Java requests

Posted: Wed Aug 03, 2011 2:32 pm
by mikeshinn
You're a little behind and need to upgrade. 2.6.1 has been available in atomic channel for at least a week, so make sure you upgrade.

Re: 10_asl_rules blocking mobile Java requests

Posted: Thu Aug 04, 2011 12:08 am
by rhopek
Thanks. Done.

Just waiting to hear back from that customer to see if it fixed their issue.

Out of curiosity, why does 2.6 allow that rule to be disabled?

Thx.

Re: 10_asl_rules blocking mobile Java requests

Posted: Thu Aug 04, 2011 12:41 pm
by mikeshinn
That encoding type is supported.

Re: 10_asl_rules blocking mobile Java requests

Posted: Thu Aug 04, 2011 1:45 pm
by rhopek
That did get that portion through (thanks), but now he's failing on:

---
msg "Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header"
---

This is a mobile MIDP Java application connecting, and no matter what he tries, he cannot get it to send a Content-Length header. He spent all night trying to do it.

Re: 10_asl_rules blocking mobile Java requests

Posted: Thu Aug 04, 2011 2:08 pm
by mikeshinn
We need a little more detail, could you follow the process at the link below to provide the audit event for this:

https://www.atomicorp.com/wiki/index.ph ... _Positives