mod_security with core rule set returns truncated application 500 response instead of replacing it with 404
Issue
- We use mod_security with the OWASP core rule set. We set it to paranoia level 2 and so expect a rule like below to block any application 500 response from being sent through:
SecRule RESPONSE_STATUS "^5\d{2}$" "phase:4,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'The application is not available',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'970901',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}"
- But in some cases we see a truncated 500 application response come through instead of the httpd 404 response.
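Whether a phase:4 rule such as 970901 can still replace a response depends on ModSecurity buffering the response body before anything is handed to the client; the directives that control that are shown below. This is an added illustration, not configuration from the article, and the article does not state which of these settings applies to the reported case; the MIME types, the limit and the phase 4 default action are assumptions.

```apache
# Added example, not from the article. Values are illustrative.

# Weak setting: with body access off, nothing is buffered, so a phase:4
# rule can only act on what has not yet left the server.
# SecResponseBodyAccess Off

# Corrected: buffer response bodies so phase 4 evaluates a complete
# response before any of it is sent.
SecResponseBodyAccess On

# Only listed MIME types are buffered; a 500 page served with a type not
# listed here streams through uninspected (assumption: the application
# returns HTML or JSON on error).
SecResponseBodyMimeType text/plain text/html text/xml application/json

# Bodies above the limit are handled per SecResponseBodyLimitAction:
# ProcessPartial inspects only the first part and lets the rest through,
# Reject refuses the oversized response. Size is an assumption.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# `block` in 970901 carries no status of its own; it performs the
# disruptive action of the SecDefaultAction in effect, which is where the
# 404 the issue expects has to be set (assumed configuration).
SecDefaultAction "phase:4,deny,status:404,log,auditlog"
```

After changing any of these, confirm behaviour by requesting a URL known to return 500 and checking both the status code and that the received body length matches the Content-Length header.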
Environment
- Red Hat Enterprise Linux (RHEL)
- Apache httpd
- mod_security
- OWASP core rule set