I've been having tonnes of issues with Mod Security. I am busy writing a CMS for a project at work and while developing a page to edit a certain database record I kept getting 403 errors. After hours of banging my head against my desk, adjusting bits of code I finally just changed the script to which my form was being posted, to contain a simple echo "test";. Even submitting to this simple page was kicking up a 403 error. I messed about with my form and I eventually found that if I reduced the amount of data I was posting the form submitted fine (In particular I reduce the amount of text within a textarea).

After checking the logs (Yep, this wasn't the first thing I did - sigh) I noticed that I was getting numerous errors from ModSecurity, such as:

[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//global": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//ip": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]

I've been messing around, Googling and changing rules for days to no avail. The only thing I seem to be able to do is turn ModSecurity off for this vhost. This is fine by me while I'm developing the CMS, but in production this isn't really something I want to do. Does anyone have any ideas on what is causing this issue and how to sort it? The logs seem to point at some kind of rules to do with regular expression limits, but since changing my post recieving script to just print out the word test I'm not doing anything with them (Though I have tried upping the limits through SecPcreMatchLimit and SecPcreMatchLimitRecursion). It seems rather that there's something wrong with the amount of data I am sending through.

Cheers

Recommended Answers

All 7 Replies

Hi! If your current errors are the same of the above (Aug 2013) there are also few permissions errors, maybe Apache cannot write/read to those DBM files?

Hi, cheers for your reply. This issue has plagued me for a long time so I'm essentially reposting it (I posted it elsewhere originally). I've re-enabled ModSecurity for this vhost and I've given apache access to the relevant logs folder and tried it again. I'm no longer getting those permission denied errors but I'm still getting the following:

ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "HOSTNAME.HERE"] [uri "/admin/index.php"] [unique_id "UtVCLm1shFcAAElrMJoAAAAD"]
ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "HOSTNAME.HERE"] [uri "/admin/index.php"] [unique_id "UtVCLm1shFcAAElrMJoAAAAD"]

(I've had to type all this out so there might be a few minor mistakes - couldn't find out how to copy from vinagre)

Cheers!

Ok, what is missing here is the rule that generates the error, between Rule and execution error there should be the rule id and the filename in which this is saved.

Try to increase to 9 the level of the mod_security debug log, then reload Apache:

SecDebugLog /tmp/modsecurity_debug.log
SecDebugLogLevel 9

And reload the test page. See if you get other useful information. A part this, it can be useful to see the contents of mod_security.conf.

I went into /etc/httpd/conf.d/mod_security.conf and modified the line SecDebugLogLevel 0 into SecDebugLogLevel 9, then reloaded Apache and reproduced the error as suggested.

Unfortunately I get pretty much the same error. Only difference being the line number it says threw the error (Since I commented out the original line in mod_security.conf.

It seems to be pointing at the following line in my mod_security.conf:

    SecRule TX:/^MSC_/ "!@streq 0" \
            "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

Here's a very basic example of this happening with code:

test.php

<html>
    <body>
        <form action="/formprocess.php" method="POST">
            <textarea name="data"></textarea>
            <input type="submit" value="Submit">
        </form>
    </body>
</html>

formprocess.php

<?php
var_dump($_POST);
?>

Test Input:

this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some test text. this is some 

My error log for this vhost

[Wed Jan 15 14:08:54 2014] [error] [client <IP ADDRESS>] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "<HOSTNAME>"] [uri "/formprocess.php"] [unique_id "UtaWdW1shFcAAE1uMBUAAAAG"]
[Wed Jan 15 14:08:54 2014] [error] [client <IP ADDRESS>] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "<HOSTNAME>"] [uri "/formprocess.php"] [unique_id "UtaWdW1shFcAAE1uMBUAAAAG"]
[Wed Jan 15 14:08:54 2014] [error] [client <IP ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "94"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "<HOSTNAME>"] [uri "/formprocess.php"] [unique_id "UtaWdW1shFcAAE1uMBUAAAAG"]

It submits fine and I get a var_dump output with:

this is some test text.

I'm absolutely stumped!

Which version of modsecurity module are you using? What I can suggest, for the moment, is to try to reinstall the module by using the newer version.

Also, the modsecurity devs suggests to check if Apache and modsecurity are using the same PCRE library: usually Apache comes with a bundled library, modsecurity instead links to the one used by the operative system. This can lead to unexpected results. To solve it you have to follow these instructions:

In addition, in my previous post I was referring to this error:

ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "<HOSTNAME>"] [uri "/formprocess.php"] [unique_id "UtaWdW1shFcAAE1uMBUAAAAG"]

the PCRE rule in the main config is a general rule that is used by other rule sets. In my box, for example, these rule sets are in:

/usr/share/modsecurity-crs/

And are divided by base, experimental and optional sets. There's also a directory (util) with the regression tests. Now if there are third party rule sets, it may be possible that one of these rules is interfering with the main because is malformed. For this reason I was asking about the rule id and the filename, which is missing from the log. This is strange unless the general log does not return this information, but with the ID you could apply the SecRuleRemoveById directive to stop that particular check.

I don't have other ideas. Bye!

Ok, I'll have a bash with your suggestions and advice. Thanks for the help. I'll post back if I manage to fix it somehow.

Cheers!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.