Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: 10_asl_rules blocking mobile Java requests
Posted: Mon Aug 01, 2011 4:30 pm
Forum User
Joined: Mon Jul 25, 2011 5:15 pm
Posts: 7
Location: Atlanta
We have a customer that has a mobile application. Everything was working fine until we deployed mod_security with Atomicorp rules. The audit log is as follows:

---
--d240b57d-B--
POST /servlet/put HTTP/1.1
User-Agent: Profile/MIDP-1.0 Configuration/CLDC-1.0 UNTRUSTED/1.0
Content-Type: multipart/form-data; boundary=hmConsultants
Host: xxxxxxxxxx.org
Transfer-Encoding: chunked
Connection: Keep-Alive

--d240b57d-I--
dir=baghdad
--d240b57d-F--
HTTP/1.1 403 Forbidden
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1

--d240b57d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^$" against "REQUEST_HEADERS:Transfer-Encoding" required. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "57"] [id "340001"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Dis-allowed Transfer Encoding - modsecurity does not support this encoding and can not detect attacks using it, therefore it must be blocked."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Apache-Handler: jakarta-servlet
Stopwatch: 1312096261909606 174844 (174338* 174534 -)
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.
Server: Apache

--d240b57d-Z--
---

The customer reports they have tried a multitude of encoding mechanisms after seeing this in their logs, but cannot seem to get around it. Any thoughts? Could it be that "boundary" variable in the content-type?

Thx.


 
 Post subject: Re: 10_asl_rules blocking mobile Java requests
Posted: Mon Aug 01, 2011 7:17 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3680
Location: Chantilly, VA
If you are using modsecurity 2.6, you can disable this rule.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: 10_asl_rules blocking mobile Java requests
Posted: Wed Aug 03, 2011 2:29 pm
Forum User
We are using "mod_security-2.5.13-1.el5.art" from your site.


 
 Post subject: Re: 10_asl_rules blocking mobile Java requests
Posted: Wed Aug 03, 2011 2:32 pm
Atomicorp Staff - Site Admin
You're a little behind and need to upgrade. 2.6.1 has been available in atomic channel for at least a week, so make sure you upgrade.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: 10_asl_rules blocking mobile Java requests
Posted: Thu Aug 04, 2011 12:08 am
Forum User
Thanks. Done.

Just waiting to hear back from that customer to see if it fixed their issue.

Out of curiosity, why does 2.6 allow that rule to be disabled?

Thx.


 
 Post subject: Re: 10_asl_rules blocking mobile Java requests
Posted: Thu Aug 04, 2011 12:41 pm
Atomicorp Staff - Site Admin
That encoding type is supported.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
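
The triage the replies above walk through, as an added example (not code from the thread or from Atomicorp): it splits a ModSecurity audit event into its lettered parts, pulls out the rule id and engine version, and applies the thread's advice that rule 340001 is only safe to disable on 2.6. The function names and the trimmed sample event are constructed for illustration.

```python
import re

# Constructed sample: the audit event from the first post, trimmed to the
# parts the triage needs.
SAMPLE_EVENT = """--d240b57d-B--
POST /servlet/put HTTP/1.1
Content-Type: multipart/form-data; boundary=hmConsultants
Transfer-Encoding: chunked

--d240b57d-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^$" against "REQUEST_HEADERS:Transfer-Encoding" required. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "57"] [id "340001"] [rev "1"] [severity "CRITICAL"]
WAF: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); 201001071602.

--d240b57d-Z--
"""

def split_sections(event):
    """Map each audit-log part letter (B, F, H, ...) to its lines."""
    sections, current = {}, None
    for line in event.splitlines():
        m = re.fullmatch(r"--([0-9a-fA-F]+)-([A-Z])--", line.strip())
        if m:
            current = m.group(2)
            sections[current] = []
        elif current:
            sections[current].append(line)
    return sections

def triage(event):
    """Summarise which rule fired, on what request, under which engine."""
    s = split_sections(event)
    method, uri, _ = s["B"][0].split(" ", 2)
    headers = dict(h.split(": ", 1) for h in s["B"][1:] if ": " in h)
    trailer = "\n".join(s["H"])
    rule_id = re.search(r'\[id "(\d+)"\]', trailer).group(1)
    ver = re.search(r"ModSecurity for Apache/(\d+)\.(\d+)", trailer)
    engine = (int(ver.group(1)), int(ver.group(2)))
    # Per the thread: rule 340001 blocks an encoding that 2.5.x cannot
    # inspect; on 2.6 the encoding is supported and the rule may be disabled.
    if rule_id == "340001" and engine < (2, 6):
        advice = "upgrade ModSecurity to 2.6 before disabling rule 340001"
    elif rule_id == "340001":
        advice = "rule 340001 can be disabled on this engine"
    else:
        advice = "not covered by this thread; review the rule"
    return {"method": method, "uri": uri, "rule_id": rule_id,
            "engine": engine, "advice": advice,
            "transfer_encoding": headers.get("Transfer-Encoding")}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```
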


 
 Post subject: Re: 10_asl_rules blocking mobile Java requests
Posted: Thu Aug 04, 2011 1:45 pm
Forum User
That did get that portion through (thanks), but now he's failing on:

---
msg "Atomicorp.com UNSUPPORTED DELAYED Rules: POST request must have a Content-Length header"
---

This is a mobile MIDP Java application connecting, and no matter what he tries, he cannot get it to send a Content-Length header. He spent all night trying to do it.


 
 Post subject: Re: 10_asl_rules blocking mobile Java requests
Posted: Thu Aug 04, 2011 2:08 pm
Atomicorp Staff - Site Admin
We need a little more detail. Could you follow the process at the link below to provide the audit event for this:

https://www.atomicorp.com/wiki/index.ph ... _Positives

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

