Package: libapache2-mod-security2
Version: 2.9.1-2

Modsecurity in stretch seems to ignore rules in phase 2.

I've defined the following test case:

<IfModule security2_module>

SecResponseBodyAccess on

SecRuleEngine On

# Does not work (phase 2 rule)
SecRule ARGS "/proc/(.*/)?self/(.*/)?environ" \
    "phase:2,id:1420001,t:none,log,deny"

# Works (phase 1 rule)
SecRule QUERY_STRING "^-[sdcr].*" \
    "phase:1,id:1420701,t:none,t:urlDecodeUni,t:removeWhitespace,deny,log,msg:'Potential PHP-CGI Exploit Attempt',logdata:%{matched_var}"

SecRuleEngine On

</IfModule>

The rule 1420701 triggers correctly (as shown via
curl "http://192.168.178.70/?-s"
).

However, the rule 1420001 doesn't trigger (as shown by
curl "http://192.168.178.70/?a=/proc/self/environ"
).

On an older Linux (Ubuntu 14.04 with modsecurity 2.7.7-2) both rules 
work all right, so this (apparently) isn't a case of ARGS not working 
"by principle" in phase 2.

Unfortunately, popular open rule collections such as CRS use phase 2 a
lot (and, for instance, RFI is not triggered by curl
"http://192.168.178.70/?a=http://www.somewhere.com" when CRS is
installed, but it is triggered correctly with CRS on the older Ubuntu).

So just changing phase 2 into phase 1 is not an option, as this would
require changing half of CRS, and risking breaking something else.

Any ideas how to fix this?

Thanks,

Alain
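A small audit helper, added here and not part of the report or of ModSecurity itself: it joins backslash-continued lines like those in the configuration above, extracts the id and phase of each SecRule (ModSecurity 2.x runs a rule without a phase action in phase 2), and groups ids by phase, which shows how much of a rule set a phase-2 problem affects. The configuration it parses is a constructed sample in the shape of the rules quoted above.

```python
import re

# Constructed sample, not the reporter's file: same shape as the rules in the
# report (backslash line continuations) plus one rule with no phase action.
SAMPLE_CONF = r'''
<IfModule security2_module>
SecRuleEngine On
# Phase 2 rule from the report
SecRule ARGS "/proc/(.*/)?self/(.*/)?environ" \
    "phase:2,id:1420001,t:none,log,deny"
# Phase 1 rule from the report
SecRule QUERY_STRING "^-[sdcr].*" \
    "phase:1,id:1420701,t:none,t:urlDecodeUni,t:removeWhitespace,deny,log,msg:'Potential PHP-CGI Exploit Attempt'"
# Constructed rule with no phase action: ModSecurity 2.x defaults it to phase 2
SecRule REQUEST_METHOD "^TRACE$" "id:1420900,deny"
</IfModule>
'''

DEFAULT_PHASE = 2  # ModSecurity 2.x: a SecRule without a phase action runs in phase 2


def join_continuations(text):
    """Join Apache-style backslash-continued lines into one logical line each."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_secrules(text):
    """Return [(rule_id, phase), ...] for every SecRule directive in the config."""
    rules = []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line.startswith("SecRule "):
            continue  # skips comments, SecRuleEngine, container tags, etc.
        rule_id = re.search(r"\bid:'?(\d+)", line)
        phase = re.search(r"\bphase:'?(\d)", line)
        if rule_id is None:
            raise ValueError("SecRule without an id action: " + line)
        rules.append((int(rule_id.group(1)),
                      int(phase.group(1)) if phase else DEFAULT_PHASE))
    return rules


def rules_by_phase(text):
    """Group rule ids by processing phase to see how many rules a phase-2 problem covers."""
    grouped = {}
    for rule_id, phase in parse_secrules(text):
        grouped.setdefault(phase, []).append(rule_id)
    return grouped


if __name__ == "__main__":
    for phase, ids in sorted(rules_by_phase(SAMPLE_CONF).items()):
        print("phase %d: %d rule(s) %s" % (phase, len(ids), ids))
```

Pointing it at a CRS include file instead of the sample gives the phase breakdown the report alludes to when it says changing phase 2 to phase 1 would touch half of CRS.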
