Bug in mod_security

[batata004]

Hi,

I've been using mod_security for a long time and it's great but recently I discovered a bug that many customers of mine always complained but I didnt care. Today I decided trying to solve it and I discovered it's a bug with mod_security.

I am running Apache 2.4 in Centos 7 with the most updated version of mod_security installed using "yum install mod_security". The bug is this:

when a user tries to upload 2 or more files using any upload plugin (like valums or jquery.onprogress event) that send each file using a php POST request and my php file generates a random number with rand(0,999999) function from PHP library for some reason the number generated in all file upload is the same. When I disable the mod_security (adding # in front of LOADMODULE) the rand number is generated fine.

For example: if you try to upload 3 files using valums, for each file the plugin will request the script /server/php.php in the server trying to send the 3 files (I can see that with the Chrome developer tools F12). When the upload is completed my script under server/php.php generates a random number to save each file with a random number and this number happens to be exactly the same for the 3 files when mod_security is enabled. Is 3 files have about the same size the problems happens at about 90% of the time, but if the 3 files have very different sizes the problem does not happen and the random generated number is different.

I can only make this bug go away if I disable mod_security (which is not a good idea cause I recently get attacked in my server) or to generate the file names using microtime(true) cause doing so the file name will not be random but will have an incremental number according to the microtime it was processed.

I am sorry if I could not explain this bug clearer but I did not find any easier way to do so. If you need additional details I will be glad to provide. I hope mod_security community can help solve this bug or at least point me in the right direction explaining why the rand(0,99999) is generating the same number accross different requests done in a close interval of time

[zimmerle]

Hi @gilperon,

Thanks for the report. Can you tell me your ModSecurity version? Actually, it will be interesting to have the details about ModSecurity that appears at your error_log when you start your Apache. It should be something like:

[...] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[...] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[...] ModSecurity: PCRE compiled version="8.31 "; loaded version="8.31 2012-07-06"
[...] ModSecurity: LUA compiled version="Lua 5.1"
[...] ModSecurity: LIBXML compiled version="2.9.1"

Br.,
F.

[batata004]

Hi,

Thank you for trying to fix this bug. My Mod_Security version is:

mod_security-2.7.3-5.el7.x86_64

It's the latest possible version to install with "yum install mod_security"
in Centos 7. I would like to install mod_security 2.8 but it's not possible
cause my server strucutre only allows installing applications with yum
install.

If you need any other information I will be glad to tell!

GLAUCO PERON

• Website: http://www.sitepor500.com.br
  http://www.sitepor500.com.br/?assinatura Telefone: +55 48 9653 - 6260
  GTalk: gilperon@gmail.com gilperon@gmail.com E-mail profissional:
  contato@sitepor500.com.br contato@sitepor500.com.br Skype: gilperon *

2014-10-01 17:04 GMT-03:00 Felipe Zimmerle notifications@github.com:

Hi @gilperon https://github.com/gilperon,

Thanks for the report. Can you tell me your ModSecurity version? Actually,
it will be interesting to have the details about ModSecurity that appears
at your error_log when you start your Apache. It should be something like:

[...] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[...] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
[...] ModSecurity: PCRE compiled version="8.31 "; loaded version="8.31 2012-07-06"
[...] ModSecurity: LUA compiled version="Lua 5.1"
[...] ModSecurity: LIBXML compiled version="2.9.1"

Br.,
F.

—
Reply to this email directly or view it on GitHub
#778 (comment)
.

[batata004]

zimmerle There is no message in my error_log! It all looks fine despite the fact the rand(0,99999) still generates the same number when 2 or more requests begin about at the same time.

It's important to say that if I try to generate random numbers with rand(0,9999) in a GET request evertyghing works fine, but when there is a POST request with a file then the rand(0,999999) generates the same number if other request is also completed at the same time

[micha137]

I had the same problem of PHP's rand() giving the same sequence of random numbers in different apache processes if they were created/forked in the same second. I avoided it with PHP's mt_rand().

But since you narrowed it down to mod_security, we come closer to a real solution:

PHP's rand only uses libc's rand. So something in an apache process must be calling libc's srand() with wrong argument. mod_security calls srand() in 3 places, two of which look fine:

https://github.com/SpiderLabs/ModSecurity/search?utf8=%E2%9C%93&q=srand

apache2/modsecurity.c:226 is suspect, because it only calls srand() with a different value every second:

srand(time(NULL));

This call of srand must be removed.

[batata004]

micha137 thank you so much!!! I am happy someone had the same problem and could reproduce it. I was trying to create a code to reproduce it easily but I cant cause the bug only happens when there is a POST with file being sent. If I create a script test.php and insert a loop from 1-1000 saving the output of rand(0,99999) at every cycle it will be a different number! BUT if I do the same loop inside a script that receives a file from a POST request this same loop will show 1000 times the same "random" number!

I can only say thank you to you! But I still dont know how to solve the problem as you said. You are saying I should just find the line "srand(time(NULL));" in the file modsecurity.c and remove it? Will it not break modsecurity with the lack of this line?

[batata004]

My last comment was not very right. The loop generates different numbers also in the POST but to check the problem you need to make 2 files upload in different proccesses at the same time, doing so both pages will show the same random numbers!

[batata004]

YEEAAAH!!!! I can reproduce the bug!!!! Very easily! It does not need to be a POST! You just need to run the following code and it will output the bug!! It's bellow. Just save it as .php in a server with mod-security enabled and you will see the bug!

http://pastebin.com/8ELAnmdp

[batata004]

I installed the bug in the link bellow so you can see. Both iframes show the same random number being generate cause both iframes load almost at the same second and it causes the random sequences to be equal!

http://quemfazsite.com.br/em_criacao/modelo9/teste.php

[zimmerle]

Hi @gilperon,

@micha137 provided a patch to this problem which was already merged into our mainline, can you check our git versions to confirm that the bug has gone? If you need any help to test it please let me know.

Obrigado,
F.