ModSecurity/SecRequestBodyAccess does not play well with intercept_form_submit_module in Apache HTTPD.

Solution Unverified - Updated -

Issue

  • When ModSecurity's `SecRequestBodyAccess` is set to `On`, POSTed form inputs are not passed to PHP.
  • The trace logging differs depending on whether `SecRequestBodyAccess` is `On` or `Off`:
- `SecRequestBodyAccess On`

```
[Sat May 19 20:06:15.887090 2018] [core:trace3] [pid 7241] request.c(304): [client 127.0.0.1:45214] request authorized without authentication by access_checker_ex hook: /abc.php, referer: http://127.0.0.1/abc.php
[Sat May 19 20:06:15.887174 2018] [intercept_form_submit:debug] [pid 7241] mod_intercept_form_submit.c(416): [client 127.0.0.1:45214] intercept_form_submit_init invoked, referer: http://127.0.0.1/abc.php
[Sat May 19 20:06:15.887190 2018] [intercept_form_submit:debug] [pid 7241] mod_intercept_form_submit.c(440): [client 127.0.0.1:45214] inserted filter intercept_form_submit_filter, starting intercept_form_submit_filter_prefetch, referer: http://127.0.0.1/abc.php
[Sat May 19 20:06:15.887194 2018] [intercept_form_submit:debug] [pid 7241] mod_intercept_form_submit.c(348): [client 127.0.0.1:45214] hit EOS, referer: http://127.0.0.1/abc.php
[Sat May 19 20:06:15.887598 2018] [:error] [pid 7241] [client 127.0.0.1:45214] PHP Notice:  Undefined index: username in /var/www/html/rob.php on line 3, referer: http://127.0.0.1/abc.php
[Sat May 19 20:06:15.887614 2018] [:error] [pid 7241] [client 127.0.0.1:45214] PHP Notice:  Undefined index: password in /var/www/html/rob.php on line 5, referer: http://127.0.0.1/abc.php
[Sat May 19 20:06:15.887781 2018] [headers:debug] [pid 7241] mod_headers.c(823): AH01502: headers: ap_headers_output_filter()
[Sat May 19 20:06:15.887803 2018] [http:trace3] [pid 7241] http_filters.c(1129): [client 127.0.0.1:45214] Response sent with status 200, headers:, referer: http://127.0.0.1/abc.php
```
- `SecRequestBodyAccess Off`

```
[Sat May 19 20:04:27.423030 2018] [core:trace3] [pid 7001] request.c(304): [client 127.0.0.1:45200] request authorized without authentication by access_checker_ex hook: /abc.php, referer: http://127.0.0.1/abc.php
[Sat May 19 20:04:27.423107 2018] [intercept_form_submit:debug] [pid 7001] mod_intercept_form_submit.c(416): [client 127.0.0.1:45200] intercept_form_submit_init invoked, referer: http://127.0.0.1/abc.php
[Sat May 19 20:04:27.423122 2018] [intercept_form_submit:debug] [pid 7001] mod_intercept_form_submit.c(440): [client 127.0.0.1:45200] inserted filter intercept_form_submit_filter, starting intercept_form_submit_filter_prefetch, referer: http://127.0.0.1/abc.php
[Sat May 19 20:04:27.423136 2018] [intercept_form_submit:info] [pid 7001] [client 127.0.0.1:45200] login found in POST: username=sgdf, referer: http://127.0.0.1/abc.php
[Sat May 19 20:04:27.423142 2018] [intercept_form_submit:info] [pid 7001] [client 127.0.0.1:45200] password found in POST: password=[REDACTED], referer: http://127.0.0.1/abc.php
[Sat May 19 20:04:27.423493 2018] [authnz_pam:warn] [pid 7001] [client 127.0.0.1:45200] PAM authentication failed for user sgdf: System error, referer: http://127.0.0.1/abc.php
[Sat May 19 20:04:27.424291 2018] [headers:debug] [pid 7001] mod_headers.c(823): AH01502: headers: ap_headers_output_filter()
[Sat May 19 20:04:27.424315 2018] [http:trace3] [pid 7001] http_filters.c(1129): [client 127.0.0.1:45200] Response sent with status 200, headers:, referer: http://127.0.0.1/abc.php
```
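
The difference between the two traces can be checked for mechanically. The following is an added example, not part of the original article or of either module's code: it scans an Apache error log and reports, per intercepted request, whether `intercept_form_submit_filter` logged the credentials or hit EOS without finding them. The function name, outcome labels and the abridged sample lines are assumptions made for illustration.

```python
import re

# Apache 2.4 error-log prefix: [timestamp] [module:level] [pid N] message
PREFIX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\] (?P<msg>.*)$")
CLIENT = re.compile(r"\[client (?P<client>[^\]]+)\]")

# Constructed sample: lines abridged from the two traces (referer suffix dropped).
SAMPLE = """\
[Sat May 19 20:06:15.887174 2018] [intercept_form_submit:debug] [pid 7241] mod_intercept_form_submit.c(416): [client 127.0.0.1:45214] intercept_form_submit_init invoked
[Sat May 19 20:06:15.887194 2018] [intercept_form_submit:debug] [pid 7241] mod_intercept_form_submit.c(348): [client 127.0.0.1:45214] hit EOS
[Sat May 19 20:06:15.887598 2018] [:error] [pid 7241] [client 127.0.0.1:45214] PHP Notice:  Undefined index: username in /var/www/html/rob.php on line 3
[Sat May 19 20:04:27.423107 2018] [intercept_form_submit:debug] [pid 7001] mod_intercept_form_submit.c(416): [client 127.0.0.1:45200] intercept_form_submit_init invoked
[Sat May 19 20:04:27.423136 2018] [intercept_form_submit:info] [pid 7001] [client 127.0.0.1:45200] login found in POST: username=sgdf
[Sat May 19 20:04:27.423142 2018] [intercept_form_submit:info] [pid 7001] [client 127.0.0.1:45200] password found in POST: password=[REDACTED]
"""

def form_intercept_outcomes(log_text):
    """Return one record per intercepted request, in log order, with an outcome."""
    open_reqs, records = {}, []
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m or m["module"] != "intercept_form_submit":
            continue  # only this module's own messages matter here
        msg = m["msg"]
        c = CLIENT.search(msg)
        key = (m["pid"], c["client"] if c else None)
        if "intercept_form_submit_init invoked" in msg:
            # A new request starts for this worker/client pair.
            open_reqs[key] = {"start": m["ts"], "pid": m["pid"], "client": key[1],
                              "login": False, "password": False, "eos": False}
            records.append(open_reqs[key])
        elif key in open_reqs:
            rec = open_reqs[key]
            rec["login"] |= "login found in POST" in msg
            rec["password"] |= "password found in POST" in msg
            rec["eos"] |= "hit EOS" in msg
    for rec in records:
        if rec["login"] and rec["password"]:
            rec["outcome"] = "credentials_seen"
        elif rec["eos"]:
            rec["outcome"] = "eos_without_credentials"  # pattern of the "On" trace
        else:
            rec["outcome"] = "unknown"
    return records

if __name__ == "__main__":
    for rec in form_intercept_outcomes(SAMPLE):
        print(rec["start"], rec["pid"], rec["client"], rec["outcome"])
```

The `hit EOS` message is logged at `debug` level in the traces, so the check only sees it when the module's log level is at least that verbose.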

Environment

  • Red Hat Enterprise Linux
    • 6.x, 7.x
