Vinci | 4 May 18:49

HTTP 413,417 instead of 400?

Hi all,

I am trying to test my server's ability with mod_security.
While testing, I found that a double Content-Length will give me HTTP 413
instead of HTTP 400, which I found in both the access log and the audit log;
but the browser gives me HTTP 413.
(This appears on another server as well.)

Also, the same condition appears with the Expect attack: 417 is received
instead of 400 when I try to insert JavaScript code in the Expect header
field.

Can anybody give me an explanation? I am using the default rule set with
default settings only.

Thank you,
Vic

Ryan Barnett | 4 May 21:43

Re: HTTP 413,417 instead of 400?

What versions of Apache and ModSecurity are you using?  As a reference,
you can also look at this previous thread on this topic -
http://thread.gmane.org/gmane.comp.apache.mod-security.user/3286/focus=3300

-Ryan 

> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Vinci
> Sent: Sunday, May 04, 2008 12:50 PM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] HTTP 413,417 instead of 400?
> 
> Hi all,
> 
> I am trying to test my server's ability with mod_security.
> While testing, I found that a double Content-Length will give me HTTP 413
> instead of HTTP 400, which I found in both the access log and the audit log;
> but the browser gives me HTTP 413.
> (This appears on another server as well.)
> 
> Also, the same condition appears with the Expect attack: 417 is received
> instead of 400 when I try to insert JavaScript code in the Expect header
> field.
> 
> Can anybody give me an explanation? I am using the default rule set with
> default settings only.
> 
> Thank you,

Vinci | 5 May 07:41

Re: HTTP 413,417 instead of 400?

Dear Ryan,

(Sorry to reply to my replying mail directly.)
Thank you for your kind reply.
I am using apache2-mpm-worker 2.2.4 and the latest mod_security. For all the
settings except paths, I am using the default values.

I have read the thread and just want some clarification: if I see
something like "Apache Error:..... Invalid Content-Length", does that mean
Apache throws the error and skips the rest of mod_security?

Also, I didn't see the line "Message: Error reading request body: HTTP
Error 413 - Request entity too large. (Most likely.)", but only "Message:
Access denied with code 400 (phase 2). Match of "rx ^\\d+$" against
"REQUEST_HEADERS:Content-Length" required. [id "960016"] [msg
"Content-Length HTTP header is not numeric"] [severity "CRITICAL"]".

I will double-check the log. (Or is my debug or log level too low
to see the message?)

Thank you,
Vic

2008/5/5 Ryan Barnett <Ryan.Barnett <at> breach.com>:
> What versions of Apache and ModSecurity are you using?  As reference,
>  you can also look at this previous thread on this topic -
>  http://thread.gmane.org/gmane.comp.apache.mod-security.user/3286/focus=3300
>


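Added example (not part of the thread and not ModSecurity's own code): a Python sketch that parses the audit-log message quoted in the last post and re-evaluates rule 960016's check against constructed header sets, to show why a doubled Content-Length is reported as "not numeric". It assumes the server joins repeated headers with ", " before the rule sees them; the function names and sample headers are hypothetical.

```python
import re

# Audit-log line as quoted in the thread (the log doubles the backslash).
AUDIT_MESSAGE = (
    r'Message: Access denied with code 400 (phase 2). Match of "rx ^\\d+$" '
    r'against "REQUEST_HEADERS:Content-Length" required. [id "960016"] '
    r'[msg "Content-Length HTTP header is not numeric"] [severity "CRITICAL"]'
)

MESSAGE_RE = re.compile(
    r'Access denied with code (?P<code>\d{3}) \(phase (?P<phase>\d)\)\. '
    r'Match of "rx (?P<rx>.*?)" against "(?P<var>[^"]+)" required\.'
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_message(line):
    """Extract intended status, phase, regex, variable and tags from the line."""
    m = MESSAGE_RE.search(line)
    if m is None:
        raise ValueError("not a 'Match of ... required' denial message")
    info = m.groupdict()
    info["rx"] = info["rx"].replace("\\\\", "\\")  # undo the log's escaping
    info.update(TAG_RE.findall(line))               # id, msg, severity
    return info


def header_value(raw_headers, name):
    """Join repeated headers with ', ' (assumed server-side merging)."""
    pairs = (h.partition(":") for h in raw_headers)
    values = [v.strip() for k, _, v in pairs if k.strip().lower() == name.lower()]
    return ", ".join(values) if values else None


def rule_denies(info, raw_headers):
    """'Match ... required' is a negated rule: it fires when the regex fails."""
    name = info["var"].split(":", 1)[1]
    value = header_value(raw_headers, name)
    return value is not None and re.search(info["rx"], value) is None


# Constructed sample requests (headers only).
SINGLE = ["Host: example.test", "Content-Length: 11"]
DOUBLE = ["Host: example.test", "Content-Length: 11", "Content-Length: 11"]

if __name__ == "__main__":
    rule = parse_message(AUDIT_MESSAGE)
    print(rule["id"], "intended status", rule["code"], "phase", rule["phase"])
    print("single Content-Length denied:", rule_denies(rule, SINGLE))
    print("double Content-Length denied:", rule_denies(rule, DOUBLE))
```

The parsed `code` is the status the rule intended to return; comparing it with the status recorded for the same request in the access log shows whether the rule's response is what the client actually received.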