10_asl_rules blocking mobile Java requests
Posted: Mon Aug 01, 2011 4:30 pm
We have a customer that has a mobile application. Everything was working fine until we deployed mod_security with Atomicorp rules. The audit log is as follows:
---
--d240b57d-B--
POST /servlet/put HTTP/1.1
User-Agent: Profile/MIDP-1.0 Configuration/CLDC-1.0 UNTRUSTED/1.0
Content-Type: multipart/form-data; boundary=hmConsultants
Host: xxxxxxxxxx.org
Transfer-Encoding: chunked
Connection: Keep-Alive
--d240b57d-I--
dir=baghdad
--d240b57d-F--
HTTP/1.1 403 Forbidden
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1
--d240b57d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^$" against "REQUEST_HEADERS:Transfer-Encoding" required. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "57"] [id "340001"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Dis-allowed Transfer Encoding - modsecurity does not support this encoding and can not detect attacks using it, therefore it must be blocked."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: jakarta-servlet
Stopwatch: 1312096261909606 174844 (174338* 174534 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache
--d240b57d-Z--
---
The customer reports they have tried a multitude of encoding mechanisms after seeing this in their logs, but cannot seem to get around it. Any thoughts? Could it be that "boundary" variable in the content-type?
Thx.
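Added example (not part of the original post, and not Atomicorp or ModSecurity code): a small Python parser that splits an audit log entry like the one above into its lettered sections and ties each `Message:` line in section H back to the request header it names. The sample is the post's own entry, abridged; the function names are hypothetical.

```python
import re

# Constructed sample: the audit log entry from the post, abridged to the parts used here.
SAMPLE = """\
--d240b57d-B--
POST /servlet/put HTTP/1.1
Content-Type: multipart/form-data; boundary=hmConsultants
Transfer-Encoding: chunked
--d240b57d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^$" against "REQUEST_HEADERS:Transfer-Encoding" required. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "57"] [id "340001"] [rev "1"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--d240b57d-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # e.g. --d240b57d-B--

def split_sections(entry):
    """Return {section letter: [lines]} for one audit log entry."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return sections

def request_headers(section_b):
    """Parse section B (request line, then headers) into a lower-cased dict."""
    headers = {}
    for line in section_b[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def explain_block(entry):
    """For each Message in section H, report the rule and the variable it matched."""
    sections = split_sections(entry)
    headers = request_headers(sections.get("B", []))
    findings = []
    for line in sections.get("H", []):
        m = re.search(r'against "([A-Z_]+)(?::([^"]+))?"', line)
        if not line.startswith("Message:") or not m:
            continue
        tags = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))  # [id "340001"] etc.
        coll, key = m.group(1), m.group(2)
        value = headers.get(key.lower()) if coll == "REQUEST_HEADERS" and key else None
        findings.append({"id": tags.get("id"), "file": tags.get("file"), "line": tags.get("line"),
                         "variable": coll + (":" + key if key else ""), "value": value})
    return findings
```

Calling `explain_block(SAMPLE)` returns one finding whose `variable` and `value` show which request header the rule in section H evaluated.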