
I run my own web server, but after I installed mod_security I was unable to get cross site linking to work, always had an error! So if I tried to post a link on Facebook from my web site (captnslounge.com) I would get the following message:

--fc57c024-H--
Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-524287"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 66.220.146.146] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-524287"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "captnslounge.com"] [uri "/"] [unique_id "W1Y2bxL8tTAdwBlt-JQ6hAAAAAc"]
Action: Intercepted (phase 2)
Stopwatch: 1532376687885654 5705 (- - -)
Stopwatch2: 1532376687885654 5705; combined=521, p1=396, p2=43, p3=0, p4=0, p5=82, sr=128, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.6
Engine-Mode: "ENABLED"

I’ve struggled with this for months. I started turning off rules, but that looked like it was turning into a dangerous idea! I’ve hunted for a “fix” to no avail.

If anyone could point me in the right direction I would be very grateful.

2 Answers

  1. A quick google of the rule id (958291) turns up this post: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/173

    Looks like this rule does cause false positives so should be turned off.

    See also this post for discussion of other rules that cause false positives: Modsecurity: Excessive false positives

  2. You are running an outdated version of the Core Rule Set (-> 2.2.9). You should upgrade to 3.0 as that milestone took out far beyond 90% of the false positives by default.

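One way to see which rule and which request variable are behind blocks like the one in the question, before deciding what to disable. This is an added example, not part of the original question or answers; it goes beyond the single message shown and walks a whole audit log. The function names are hypothetical, and the sample log is constructed from the question's message (trimmed), with a made-up second entry.

```python
import re
from collections import defaultdict

# Constructed sample: the question's Message line (trimmed) plus a made-up second entry.
SAMPLE = '''\
--fc57c024-B--
Range: bytes=0-524287
--fc57c024-H--
Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [msg "Range: field exists and begins with 0."] [data "bytes=0-524287"] [severity "WARNING"]
Action: Intercepted (phase 2)
--aaaa0001-H--
Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [msg "Range: field exists and begins with 0."] [data "bytes=0-1023"] [severity "WARNING"]
Action: Intercepted (phase 2)
'''

BOUNDARY = re.compile(r'^--([0-9a-zA-Z]+)-([A-Z])--$')   # --<txn>-<section>--
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')     # [key "value"]
TARGET = re.compile(r' at ([A-Z_]+(?::[\w-]+)?)')        # matched variable

def parse_messages(text):
    """Return one dict per 'Message:' line found inside an H section."""
    text = text.replace('\u201c', '"').replace('\u201d', '"')  # undo smart quotes
    records, txn, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            txn, section = m.groups()
        elif section == 'H' and line.startswith('Message: '):
            rec = dict(FIELD.findall(line))
            t = TARGET.search(line)
            rec.update(txn=txn, target=t.group(1) if t else None,
                       blocked='Access denied' in line)
            records.append(rec)
    return records

def summarize(records):
    """Group hits by (rule id, matched variable) for false-positive triage."""
    out = defaultdict(lambda: {'hits': 0, 'blocked': 0, 'data': set()})
    for r in records:
        s = out[(r.get('id'), r['target'])]
        s['hits'] += 1
        s['blocked'] += r['blocked']
        s['data'].add(r.get('data'))
    return dict(out)

if __name__ == '__main__':
    for key, s in summarize(parse_messages(SAMPLE)).items():
        print(key, s['hits'], s['blocked'], sorted(s['data']))
```

A rule id that keeps blocking the same variable with benign-looking data across many transactions is a candidate for a narrow exclusion rather than disabling rules wholesale.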