CODEWITHSUNDEEP
apachemod-security
dangelsaurus
dangelsaurus

Reputation: 7532

ModSecurity - error parsing actions unknown action \\

I'm trying to implement OWASP CRS 3.0.0-rc1 on ModSecurity 2.9.1 (Apache\Ubuntu)

When starting Apache, I'm getting the following error.

AH00526: Syntax error on line 35 of /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf:
Error parsing actions: Unknown action: \\
Action 'configtest' failed.

This is the snippet from the ruleset

RESPONSE-50-DATA-LEAKAGES-PHP.conf:

SecRule RESPONSE_BODY "@pmf php-errors.data" \
    "msg:'PHP Information Leakage',\
    id:'950180',\
    phase:response,\
    ver:'OWASP_CRS/3.0.0',\
    rev:'3',\
    maturity:'9',\
    accuracy:'9',\
    t:none,\
    capture,\
    ctl:auditLogParts=+E,\   THIS IS LINE 35
    block,\

For some reason, if I simply move line 35 up one...

        capture,ctl:auditLogParts=+E,\

It no longer squawks about this file... But I get another error

AH00526: Syntax error on line 31 of /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES.conf:
Error parsing actions: Unknown action: \\

RESPONSE-50-DATA-LEAKAGES.conf:

SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
    "phase:response,\
    rev:'2',\
    ver:'OWASP_CRS/3.0.0',\
    maturity:'9',\
    accuracy:'9',\
    t:none,\       THIS IS LINE 31
    capture,\

which again is solved by combining with the line above it.

accuracy:'9',t:none,\

The odd thing, is that it's NOT the same contents...

I'm just trying to get a handle on what is really causing this error. And would it be a bug in ModSecurity 2.9.1 or rather the RuleSet itself? Or something with how the multi line character is parsed?

Upvotes: 1

Views: 1873

Answers (1)

dune73
dune73

Reputation: 299

It's a known apache bug; fixed in 2.4.11.

https://bz.apache.org/bugzilla/show_bug.cgi?id=55910

Upvotes: 1

Related Questions