I am getting a 403 Forbidden error when opening a page (it just displays a table). In the ModSecurity log file I got this info ...

  --3445d837-A--
[29/Jun/2015:15:44:26 +0530] VZEagn8AAQEAACkX5YcAAAAE 49.204.187.140 56574 46.101.60.149 80
--3445d837-B--
GET /admin/recent.php HTTP/1.1
Host: domain.com
Connection: keep-alive
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://domain.com/admin/editclient.php?id=79
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=q5nl1ne2sqce9g8hpedl2mo2s5

--3445d837-F--
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

--3445d837-E--
^_�^H^@^@^@^@^@^@^C�Zms�*^V�^\� ( GOT SOME RANDOM CHUNK LIKE THIS)
--3445d837-H--


Message: Access denied with code 403 (phase 4). Match of "rx (?:\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|gif)|B(?:%p$
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40$
Action: Intercepted (phase 4)
Apache-Handler: application/x-httpd-php
Stopwatch: 1435572866889709 4340 (- - -)
Stopwatch2: 1435572866889709 4340; combined=1365, p1=212, p2=789, p3=1, p4=296, p5=67, sr=51, sw=0, l=0, gc=0

Did I commit any mistake?

1 Answer

Would help if you posted the full rule or error - seems to have been cut off.

Having a search in the latest Core Rule Set, this rule seems to match rule id 970903, which checks for: 'ASP/JSP source code leakage'.

Information leakage is when you give up some information about your system - for example in verbose error messages like stack traces which show details of your environment or code which could be useful for attackers.

If you are not using ASP or JSP (as you seem to be using PHP) then you could turn this rule off by adding this to your ModSecurity config after that rule is defined:

SecRuleRemoveById 970903

However, I'm curious why that "Random Chunk" is there. Is it because this response comes from a back-end server that gzips it and your Apache is just a proxy in front of it? If so, ModSecurity attempts to read the gzipped response, which obviously won't work and can lead to false positives like this, when random pieces of zipped data look like code text. So you could just turn off checking of response bodies with this config:

SecResponseBodyAccess Off

Note this will effectively disable any "information leakage" rules and any other rules which check the response body.

Barry Pollard
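The answer's diagnosis rests on two things you can read straight out of the audit-log entry: which rule ids fired in section H, and whether the response body in section E is actually compressed data (a gzip stream begins with the bytes 1f 8b, which is exactly what the "^_�^H" in the question's log shows). The following script is an added example, not code from the question, the answer, or the ModSecurity project. It splits a serial-format ModSecurity v2 audit entry into its lettered sections, flags a response-body rule that matched on gzip bytes as a likely false positive, and prints the tuning lines from the answer. The audit entries it runs on are constructed inline from the question's headers; the file path and line number in the H section are placeholders, and the H section follows the layout on the page but is not copied from a real log.

```python
"""Triage a ModSecurity v2 serial audit-log entry for the "compressed body inspected as text" false positive.

Added example (not ModSecurity project code). Sample entries are constructed below.
"""
import gzip
import re

# Boundary lines look like "--3445d837-A--": a hex transaction id and a section letter.
BOUNDARY_RE = re.compile(rb"^--([0-9a-fA-F]+)-([A-Z])--\r?$", re.MULTILINE)
RULE_ID_RE = re.compile(rb'\[id "(\d+)"\]')
GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def parse_audit_entry(raw: bytes):
    """Split one entry into (transaction_id, {section_letter: bytes})."""
    marks = list(BOUNDARY_RE.finditer(raw))
    if not marks:
        raise ValueError("no audit-log section boundaries found")
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(raw)
        # Keep section bytes intact apart from the newlines that frame them.
        sections[m.group(2).decode()] = raw[m.end():end].strip(b"\r\n")
    return marks[0].group(1).decode(), sections


def response_headers(sections: dict) -> dict:
    """Lower-cased header map from section F (status line skipped)."""
    hdrs = {}
    for line in sections.get("F", b"").splitlines()[1:]:
        if b":" in line:
            k, v = line.split(b":", 1)
            hdrs[k.strip().lower().decode()] = v.strip().decode(errors="replace")
    return hdrs


def diagnose(raw: bytes) -> dict:
    """Report rule ids, interception, and whether the inspected body was gzip data."""
    tx_id, s = parse_audit_entry(raw)
    body = s.get("E", b"")
    h = s.get("H", b"")
    ids = sorted({m.group(1).decode() for m in RULE_ID_RE.finditer(h)})
    body_is_gzip = body.startswith(GZIP_MAGIC)
    return {
        "transaction": tx_id,
        "rule_ids": ids,
        "intercepted": b"Action: Intercepted" in h,
        "body_is_gzip": body_is_gzip,
        "content_encoding": response_headers(s).get("content-encoding"),
        # A response-body rule matching on bytes that are really compressed data
        # is the false-positive pattern described in the answer.
        "likely_false_positive": body_is_gzip and bool(ids),
    }


def suggested_tuning(report: dict) -> list:
    """Config lines from the answer: the narrow per-rule exclusion first, the blunt global one last."""
    lines = [f"SecRuleRemoveById {rid}" for rid in report["rule_ids"]]
    if report["body_is_gzip"]:
        # Disables every rule that inspects the response body, not just the one that fired.
        lines.append("SecResponseBodyAccess Off")
    return lines


def build_entry(tx_id: str, response_body: bytes, h_section: bytes) -> bytes:
    """Assemble a constructed serial-format entry with sections A, B, F, E, H, Z."""
    a = b"[29/Jun/2015:15:44:26 +0530] VZEagn8AAQEAACkX5YcAAAAE 49.204.187.140 56574 46.101.60.149 80"
    b = b"GET /admin/recent.php HTTP/1.1\nHost: domain.com\nConnection: keep-alive\n"
    f = b"HTTP/1.1 403 Forbidden\nConnection: close\nContent-Type: text/html; charset=iso-8859-1\n"
    parts = []
    for letter, content in (("A", a), ("B", b), ("F", f), ("E", response_body), ("H", h_section)):
        parts.append(f"--{tx_id}-{letter}--\n".encode() + content + b"\n")
    parts.append(f"--{tx_id}-Z--\n".encode())
    return b"".join(parts)


# Constructed H section: rule id 970903 from the page; file path and line numbers are placeholders.
H_BLOCKED = (
    b'Message: Access denied with code 403 (phase 4). Match of "rx (?:\\b(?:i(?:nterplay|hdr|d3)|gif)" '
    b'against "RESPONSE_BODY" required. [file "/path/to/outbound_rules.conf"] [line "0"] '
    b'[id "970903"] [msg "ASP/JSP source code leakage"]\n'
    b"Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. "
    b'[file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "0"]\n'
    b"Action: Intercepted (phase 4)\n"
    b"Stopwatch: 1435572866889709 4340 (- - -)\n"
)
H_CLEAN = b"Stopwatch: 1435572866889709 4340 (- - -)\n"
HTML = b"<html><body><table><tr><td>recent</td></tr></table></body></html>"

# The proxied, back-end-compressed case from the question, and a plain-text control.
GZIPPED_ENTRY = build_entry("3445d837", gzip.compress(HTML), H_BLOCKED)
PLAIN_ENTRY = build_entry("3445d838", HTML, H_CLEAN)

if __name__ == "__main__":
    for entry in (GZIPPED_ENTRY, PLAIN_ENTRY):
        report = diagnose(entry)
        print(report)
        print("tuning:", suggested_tuning(report) or "none needed")
```

Run as a script it prints one report per constructed entry; for the gzipped one it flags the match as a likely false positive and lists `SecRuleRemoveById 970903` before the broader `SecResponseBodyAccess Off`, mirroring the answer's order of preference. On a real deployment the better fix is to make sure ModSecurity sees the uncompressed body (or scope the exclusion to the proxied location) rather than switching response-body inspection off globally.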