
Problem about proxy action #3170

Open
prince-java opened this issue Jun 12, 2024 · 7 comments
Labels
2.x Related to ModSecurity version 2.x Platform - Apache

Comments

@prince-java

prince-java commented Jun 12, 2024

Describe the bug

I found a problem with the proxy action.
If I access a specific web page file, such as "http://a.com/a/index.html", it is successfully forwarded.
If I access a directory, such as "http://a.com/a/", the error_log records that the URL will be forwarded, but actually it is not forwarded.

Logs and dumps

[Wed Jun 12 11:04:12.784758 2024] [security2:error] [pid 97647:tid 139691269490432] [client 10.16.18.12:49131] [client 10.16.18.12] ModSecurity: Access denied using proxy to (phase 2) http://www.test1.com/a/index.html. detected XSS using libinjection. [file "/www/server/apache/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.4.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "www.test.com"] [uri "/a/index.html"] [unique_id "ZmkQLMRnhk_2RbFR9ZGHggAAAJI"]

[Wed Jun 12 11:05:46.047957 2024] [security2:error] [pid 97790:tid 139691286275840] [client 10.16.18.12:49213] [client 10.16.18.12] ModSecurity: Access denied using proxy to (phase 2) http://www.test1.com/a/. detected XSS using libinjection. [file "/www/server/apache/conf/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "100"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:id: <script>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.4.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "www.test.com"] [uri "/a/"] [unique_id "ZmkQijzeTyiVCq1qyoYiawAAANA"]

To Reproduce

Steps to reproduce the behavior:
# URLs are quoted so the shell does not treat "<script>" as a redirect or "?" as a glob
curl 'http://www.test.com/a/index.html?id=<script>'
curl 'http://www.test.com/a/?id=<script>'

Expected behavior

When accessing a directory, the request can also be forwarded.

Server (please complete the following information):

  • ModSecurity version (and connector): ModSecurity v2.9.7
  • WebServer: Apache 2.4.58
  • OS (and distro): CentOS 7.9.2009 x86_64

Rule Set (please complete the following information):

  • Running any public or commercial rule set? OWASP CRS
  • What is the version number? ver.4.4.0-dev

Additional context

The SecDefaultAction configuration is as follows:
SecDefaultAction "phase:1,log,noauditlog,proxy:'[nocanon]http://www.test1.com%{REQUEST_FILENAME}'"
SecDefaultAction "phase:2,log,noauditlog,proxy:'[nocanon]http://www.test1.com%{REQUEST_FILENAME}'"

@prince-java prince-java added the 2.x Related to ModSecurity version 2.x label Jun 12, 2024
@marcstern
Contributor

Hello.
Can you explain what exactly "it cannot be forwarded" means?
Please set "LogLevel Debug" in httpd.conf and attach the error log.

As a side-note, your implementation of forwarding is highly under-performant.
You should have a ProxyPass directive to perform the proxying, not using the "proxy:" action which is intended for exceptions and doesn't use traditional (optimized) pools of connections.

@prince-java
Author

prince-java commented Jun 13, 2024

mod_debug.txt

Hello. Can you explain what exactly means "it cannot be forwarded"? Please set "LogLevel Debug" in httpd.conf and join the error log.

As a side-note, your implementation of forwarding is highly under-performant. You should have a ProxyPass directive to perform the proxying, not using the "proxy:" action which is intended for exceptions and doesn't use traditional (optimized) pools of connections.

If I access a specific web page file, such as "http://a.com/a/index.html", the error_log records that the request will be forwarded, and the request is indeed forwarded to the honeypot server.
If I access a directory, such as "http://a.com/a/", the error_log records that the URL will be forwarded, but actually the request is still executed by the current server, and the response returns the HTML of the current server.

I have uploaded the debug log, at the same time I found a clear difference in the debug log between accessing a specified webpage and a directory.
When accessing "http://www.test.com/a/?id=%3Cscript%3E", the debug log fragment is as follows:
    Output filter: Bucket type MMAP contains 923 bytes
When accessing "http://www.test.com/a/index.html?id=%3Cscript%3E", the debug log fragment is as follows:
    Output filter: Bucket type HEAP contains 922 bytes

@marcstern
Contributor

MMAP is because the file is read locally, it's normal.
I need the httpd error log, not mod_security2 debug log.

@prince-java
Author

MMAP is because the file is read locally, it's normal. I need the httpd error log, not mod_security2 debug log.

www.test.com-error_log.txt
Here is the httpd error log.

@marcstern
Contributor

Can I have your complete config (sanitized if needed)?

@prince-java
Author

Can I have your complete config (sanitized if needed)?

httpd.zip

@marcstern
Contributor

marcstern commented Jul 22, 2024

Some conf files are missing; I cannot see the default action, for example. Can you please send them all?
I need this because it seems you have a loop: in case of a rule blocking, you proxy the request to the same server. So /a/ is blocked, proxied to /a/ and resolved to /a/index.html.
Can you ensure you forward the request to another server (not on the same machine)?
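The two points raised in this thread (forward blocked requests to a separate host rather than back to the same Apache instance, and leave regular reverse proxying to mod_proxy's ProxyPass rather than the ModSecurity "proxy:" action) are illustrated by the following configuration fragment. It is an added example, not configuration from the issue or from the ModSecurity project; the hostnames honeypot.example.internal and backend.example.internal, the ports, and the /app/ path are assumptions for illustration.

```apache
# Added example (not from the issue): ModSecurity 2.x proxy action pointed at a
# separate honeypot host, with ordinary reverse proxying handled by mod_proxy.
# All hostnames, ports and paths below are illustrative assumptions.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule security2_module  modules/mod_security2.so

SecRuleEngine On

# Regular traffic: mod_proxy with pooled backend connections (what marcstern
# recommends instead of the "proxy:" action for the normal path).
ProxyPass        "/app/" "http://backend.example.internal:8080/app/"
ProxyPassReverse "/app/" "http://backend.example.internal:8080/app/"

# Exception path: requests that a rule blocks are handed to a honeypot on a
# different machine. The target must not resolve back to this Apache instance,
# otherwise the proxied request re-enters the same server, matches the same
# rule, and "/a/" is served locally as "/a/index.html" (the loop described above).
# %{REQUEST_URI} carries the query string as well, so the honeypot sees the
# full original request; the issue's config used %{REQUEST_FILENAME}, which is
# the path only.
SecDefaultAction "phase:1,log,noauditlog,proxy:'[nocanon]http://honeypot.example.internal:8080%{REQUEST_URI}'"
SecDefaultAction "phase:2,log,noauditlog,proxy:'[nocanon]http://honeypot.example.internal:8080%{REQUEST_URI}'"

# Make the detection visible in the httpd error log while diagnosing.
LogLevel debug
```

A quick way to confirm the honeypot, and not the local vhost, answered a blocked request is to compare the response body or a distinctive response header from each server; if both "/a/" and "/a/index.html" come back with the local server's HTML while the error log still reports "Access denied using proxy to ...", the proxy target is resolving to the same machine.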
