We have a customer that has a mobile application. Everything was working fine until we deployed mod_secuirty with Atomicorp rules. the audit log is as follows:
---
--d240b57d-B--
POST /servlet/put HTTP/1.1
User-Agent: Profile/MIDP-1.0 Configuration/CLDC-1.0 UNTRUSTED/1.0
Content-Type: multipart/form-data; boundary=hmConsultants
Host: xxxxxxxxxx.org
Transfer-Encoding: chunked
Connection: Keep-Alive
--d240b57d-I--
dir=baghdad
--d240b57d-F--
HTTP/1.1 403 Forbidden
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1
--d240b57d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^$" against "REQUEST_HEADERS:Transfer-Encoding" required. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "57"] [id "340001"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Dis-allowed Transfer Encoding - modsecurity does not support this encoding and can not detect attacks using it, therefore it must be blocked."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: jakarta-servlet
Stopwatch: 1312096261909606 174844 (174338* 174534 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache
--d240b57d-Z--
---
The customer reports they have tried a multitude of encoding mechanisms after seeing this in their logs, but cannot seem to get around it. Any thoughts? Could it be that "boundary" variable in the content-type?
Thx.
10_asl_rules blocking mobile Java requests
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: 10_asl_rules blocking mobile Java requests
If you are using modsecurity 2.6, you can disable this rule.
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: 10_asl_rules blocking mobile Java requests
We are using "mod_security-2.5.13-1.el5.art" from your site.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: 10_asl_rules blocking mobile Java requests
You're a little behind and need to upgrade. 2.6.1 has been available in atomic channel for at least a week, so make sure you upgrade.
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: 10_asl_rules blocking mobile Java requests
Thanks. Done.
Just waiting to hear back from that customer to see if it fixed their issue.
Out of curiosity, why does 2.6 allow that rule to be disabled?
Thx.
Just waiting to hear back from that customer to see if it fixed their issue.
Out of curiosity, why does 2.6 allow that rule to be disabled?
Thx.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: 10_asl_rules blocking mobile Java requests
That encoding type is supported.
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: 10_asl_rules blocking mobile Java requests
That did get that portion through (thanks), but now he's failing on:
---
msg "Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header"
---
This is a mobile MIDP Java application connecting, and no matter what he tries, he cannot get it to send a Content-Length header. He spent all night trying to do it.
---
msg "Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header"
---
This is a mobile MIDP Java application connecting, and no matter what he tries, he cannot get it to send a Content-Length header. He spent all night trying to do it.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: 10_asl_rules blocking mobile Java requests
We need a little more detail, could you follow the process at the link below to provide the audit event for this:
https://www.atomicorp.com/wiki/index.ph ... _Positives
https://www.atomicorp.com/wiki/index.ph ... _Positives
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone