Apache 403 Forbidden error handling and duplicate HTTP response headers #3679

Closed · 🐛 bug (Something isn't working)
ablanken opened this issue Apr 22, 2024 · 13 comments

ablanken commented Apr 22, 2024

Describe the bug

I'm using Apache httpd on Windows to proxy requests to Tomcat for specific subdirectories, but not /.
Requests for any other resource paths should return the standard Forbidden response.

When CRS 4.1.0 is loaded with the default config, requests for undefined resource paths return an unusual error message appended to the bottom of the usual 403 Forbidden page, and custom HTTP response headers are duplicated.

Request handling for defined proxy request paths (both standard and 'bad' requests e.g. ?/bin/bash etc) appears to be fine.

The issue does not seem to occur with v3.3.5.

Steps to reproduce

The following PowerShell (run as admin) on Win 10/Server 2019 and above will help to set up a repro. Note that you may need to disable AV scanning or add specific exceptions if the Defender AV exclusions aren't appropriate for your machine.

# Repro of the setup described above: Apache httpd 2.4.59 + ModSecurity 2.9.7 + CRS 4.1.0 under C:\Repro.
# Run from an elevated Windows PowerShell 5.1 prompt (Win 10 / Server 2019 and above).
$BaseDir = "C:\Repro"
mkdir "$BaseDir\Sources"
cd "$BaseDir\Sources"

## Defender AV path exclusions for CRS (the rule and data files trip signature scans).
## Add-MpPreference appends to the exclusion list; Set-MpPreference -ExclusionPath replaces
## the whole list, so calling it twice would keep only the second path.
Add-MpPreference -ExclusionPath "$BaseDir\Sources\"
Add-MpPreference -ExclusionPath "$BaseDir\Apache24\conf\crs\"

$userAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome   # browser User-Agent for the apachelounge downloads
$ProgressPreference = "SilentlyContinue"                            # no progress bar: much faster downloads

# wget is an alias of Invoke-WebRequest in Windows PowerShell 5.1 only; the cmdlet name works in every version.
Invoke-WebRequest https://www.apachelounge.com/download/VS17/binaries/httpd-2.4.59-240404-win64-VS17.zip -OutFile httpd-2.4.59-240404-win64-VS17.zip -UserAgent $userAgent
Invoke-WebRequest https://www.apachelounge.com/download/VS17/modules/mod_security-2.9.7-win64-VS17.zip -OutFile mod_security-2.9.7-win64-VS17.zip -UserAgent $userAgent
Invoke-WebRequest https://aka.ms/vs/17/release/VC_redist.x64.exe -OutFile vc_redist.x64.exe
Invoke-WebRequest https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v2/master/modsecurity.conf-recommended -OutFile modsecurity.conf-recommended
Invoke-WebRequest https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v2/master/unicode.mapping -OutFile unicode.mapping
Invoke-WebRequest https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.1.0.zip -OutFile crs-v4.1.0.zip

# Extract every archive into a folder named after it (explicit, so it behaves the same on PowerShell 7).
Get-ChildItem -Filter *.zip | ForEach-Object {
	Expand-Archive -Path $_.FullName -DestinationPath $_.BaseName
}

Copy-Item httpd-*\Apache24 $BaseDir -Recurse
Copy-Item mod_security-*\*\*.so "$BaseDir\Apache24\modules"
Copy-Item mod_security-*\*\yajl.dll "$BaseDir\Apache24\bin"
mkdir "$BaseDir\Apache24\conf\modsecurity"
Copy-Item modsecurity.conf-recommended "$BaseDir\Apache24\conf\modsecurity\modsecurity.conf"
Copy-Item unicode.mapping "$BaseDir\Apache24\conf\modsecurity"
mkdir "$BaseDir\Apache24\tmp"
# Drop the extracted httpd tree now that Apache24 has been copied out (directories only, the zip stays;
# the original pattern Sources\Apache* matched nothing because the folder is named after the zip).
Get-ChildItem -Directory -Filter 'httpd-*' | Remove-Item -Recurse

# Switch the recommended config to blocking mode and make its paths relative to the ServerRoot.
$modSecConf = "$BaseDir\Apache24\conf\modsecurity\modsecurity.conf"
$modSecConfContent = Get-Content -Path $modSecConf
$modSecConfContent = $modSecConfContent -replace 'SecRuleEngine DetectionOnly', 'SecRuleEngine On'
$modSecConfContent = $modSecConfContent -replace 'SecTmpDir /tmp/', 'SecTmpDir tmp'
$modSecConfContent = $modSecConfContent -replace 'SecDataDir /tmp/', 'SecDataDir tmp'
$modSecConfContent = $modSecConfContent -replace 'SecAuditLog /var/log/modsec_audit.log', 'SecAuditLog logs/modsec_audit.log'
$modSecConfContent | Set-Content -Path $modSecConf

Copy-Item "$BaseDir\Sources\crs-*\coreruleset-*\" "$BaseDir\Apache24\conf\crs\" -Recurse
Rename-Item "$BaseDir\Apache24\conf\crs\crs-setup.conf.example" crs-setup.conf

# Three custom headers to watch for duplication, then ModSecurity + CRS with plugins left disabled.
$httpdConfExtraContent = @"

Header always set HeaderOne "1"
Header always set HeaderTwo "2"
Header always set HeaderThree "3"

LoadModule security2_module modules/mod_security2.so

Include conf/modsecurity/modsecurity.conf
Include conf/crs/crs-setup.conf
#Include conf/crs/plugins/*-config.conf
#Include conf/crs/plugins/*-before.conf
Include conf/crs/rules/*.conf
#Include conf/crs/plugins/*-after.conf

"@

$httpdConf = "$BaseDir\Apache24\conf\httpd.conf"
Add-Content -Path $httpdConf -Value $httpdConfExtraContent
# -replace is regex-based: '\$' is a literal dollar sign in the pattern. SRVROOT must match $BaseDir.
# Commenting out DocumentRoot is what makes every path outside the proxied ones answer 403.
$httpdConfContent = Get-Content -Path $httpdConf
$httpdConfContent = $httpdConfContent -replace 'Define SRVROOT "c:/Apache24"', 'Define SRVROOT "C:\Repro\Apache24"'
$httpdConfContent = $httpdConfContent -replace '#ServerName www.example.com:80', 'ServerName www.example.com:80'
$httpdConfContent = $httpdConfContent -replace 'DocumentRoot "\${SRVROOT}/htdocs"', '#DocumentRoot "${SRVROOT}/htdocs"'
$httpdConfContent = $httpdConfContent -replace '#LoadModule headers_module modules/mod_headers.so', 'LoadModule headers_module modules/mod_headers.so'
$httpdConfContent = $httpdConfContent -replace '#LoadModule unique_id_module modules/mod_unique_id.so', 'LoadModule unique_id_module modules/mod_unique_id.so'
$httpdConfContent | Set-Content -Path $httpdConf

# The apachelounge build needs the VS17 runtime; install it before the first httpd start.
Start-Process -FilePath "$BaseDir\Sources\vc_redist.x64.exe" -ArgumentList "/install", "/quiet", "/norestart" -Wait

Write-Host "Starting httpd..."
& "$BaseDir\Apache24\bin\httpd.exe"   # stays in the foreground; stop it with Ctrl+C

Expected behaviour

Browse to "http://localhost/"

  • The standard Apache 403 Forbidden error page displays without the following text "Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."
  • Custom response headers are not duplicated.

Actual behaviour

(Screenshots attached to the original issue: "Page error" and "DuplicateHeaders".)

Additional context

This issue does not occur with v3.3.5.

Here's a debug log entry:

--29000000-A--
[22/Apr/2024:22:49:32.274613 +1200] ZiZAvP81uSk7OfVgzl51IQAAACg ::1 55122 ::1 80
--29000000-B--
GET / HTTP/1.1
Host: localhost
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="124", "Microsoft Edge";v="124", "Not-A.Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9,en-NZ;q=0.8

--29000000-F--
HTTP/1.1 403 Forbidden
HeaderOne: 1
HeaderTwo: 2
HeaderThree: 3
HeaderOne: 1
HeaderTwo: 2
HeaderThree: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

--29000000-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

--29000000-H--
Message: Access denied with code 403 (phase 4). Operator GE matched 0 at TX:blocking_outbound_anomaly_score. [file "C:/Repro/Apache24/conf/crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "243"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 0)"] [ver "OWASP_CRS/4.1.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]
Apache-Error: [file "C:\\VS17\\Win64\\httpd-2.4\\modules\\aaa\\mod_authz_core.c"] [line 879] [level 3] AH01630: client denied by server configuration: C:/apache
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client ::1] ModSecurity: Access denied with code 403 (phase 4). Operator GE matched 0 at TX:blocking_outbound_anomaly_score. [file "C:/Repro/Apache24/conf/crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "243"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 0)"] [ver "OWASP_CRS/4.1.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "localhost"] [uri "/"] [unique_id "ZiZAvP81uSk7OfVgzl51IQAAACg"]
Action: Intercepted (phase 4)
Stopwatch: 1713782972273612 1001 (- - -)
Stopwatch2: 1713782972273612 1001; combined=0, p1=0, p2=0, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); OWASP_CRS/4.1.0.
Server: Apache/2.4.59 (Win64)
Engine-Mode: "ENABLED"

--29000000-K--
SecRule "RESPONSE_BODY" "!@pmFromFile sql-errors.data" "phase:4,auditlog,id:951100,t:none,nolog,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-disclosure,tag:OWASP_CRS,tag:capec/1000/118/116/54,ver:OWASP_CRS/4.1.0,skipAfter:END-SQL-ERROR-MATCH-PL1"

SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,log,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:paranoia-level/1,tag:OWASP_CRS,tag:capec/1000/118/116,tag:PCI/6.5.6,ver:OWASP_CRS/4.1.0,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \\bServer Error in.{0,50}?\\bApplication\\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}"

SecAction "phase:4,auditlog,id:959059,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.1.0,setvar:tx.blocking_outbound_anomaly_score=0"

SecAction "phase:4,auditlog,id:959159,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.1.0,setvar:tx.detection_outbound_anomaly_score=0"

SecRule "TX:BLOCKING_OUTBOUND_ANOMALY_SCORE" "@ge %{tx.outbound_anomaly_score_threshold}" "phase:4,log,auditlog,id:959100,deny,t:none,msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',tag:anomaly-evaluation,tag:OWASP_CRS,ver:OWASP_CRS/4.1.0"

SecAction "phase:5,id:980099,pass,t:none,nolog,noauditlog,tag:OWASP_CRS,ver:OWASP_CRS/4.1.0,setvar:tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score},setvar:tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score},setvar:tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score},setvar:tx.detection_anomaly_score=+%{tx.detection_outbound_anomaly_score},setvar:tx.anomaly_score=%{tx.blocking_inbound_anomaly_score},setvar:tx.anomaly_score=+%{tx.blocking_outbound_anomaly_score}"

SecRule "TX:DETECTION_ANOMALY_SCORE" "@eq 0" "phase:5,auditlog,id:980043,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.1.0,skipAfter:END-REPORTING"

If rule id:959100 is removed, expected behaviour returns.
It appears that during the 959100 rule evaluation, the outbound anomaly limit is empty so defaults to 0.

Your Environment

  • CRS version (e.g., v3.2.0): 4.1.0
  • Paranoia level setting: 1
  • ModSecurity version: 2.9.7
  • Web Server and version: apache 2.4.59
  • Operating System and version: Windows 10 & Windows Server 2022
@ablanken ablanken added the 🐛 bug Something isn't working label Apr 22, 2024
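As an added check (my own example, not part of the report or of ModSecurity/CRS), the Python below parses the serial-format audit-log entry above and reports the three things the report complains about: the repeated custom response headers, the rule that intercepted with its score and phase, and whether the logged body carries Apache's "Additionally, ... ErrorDocument" sentence. The sample is a trimmed copy of the entry above with a closing -Z- marker added; the part letters (A, F, E, H, Z) follow ModSecurity 2's serial audit-log layout. The set-cookie allowance and the function names are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the serial-format audit-log entry in the report
# above (parts A, F, E and H), with a closing Z marker added so the entry is complete.
SAMPLE_AUDIT = """\
--29000000-A--
[22/Apr/2024:22:49:32.274613 +1200] ZiZAvP81uSk7OfVgzl51IQAAACg ::1 55122 ::1 80
--29000000-F--
HTTP/1.1 403 Forbidden
HeaderOne: 1
HeaderTwo: 2
HeaderThree: 3
HeaderOne: 1
HeaderTwo: 2
HeaderThree: 3
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

--29000000-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>403 Forbidden</title></head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

--29000000-H--
Message: Access denied with code 403 (phase 4). Operator GE matched 0 at TX:blocking_outbound_anomaly_score. [file "C:/Repro/Apache24/conf/crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "243"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 0)"] [ver "OWASP_CRS/4.1.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]
Action: Intercepted (phase 4)
--29000000-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
DENY_RE = re.compile(r"Access denied with code (\d+) \(phase (\d)\)")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
SCORE_RE = re.compile(r"Total Score: (\d+)")
# Apache appends this sentence when the ErrorDocument for an error itself fails.
ERRORDOC_FALLBACK = "while trying to use an ErrorDocument to handle the request"
# Response headers that may legitimately repeat (assumption: extend for your application).
ALLOWED_REPEATS = {"set-cookie"}


def split_parts(entry):
    """Split one serial audit-log entry into {part letter: text}."""
    markers = list(PART_RE.finditer(entry))
    parts = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts


def parse_response_headers(part_f):
    """Return (status code, [(name, value), ...]) from part F, order preserved."""
    lines = part_f.splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def duplicate_headers(headers):
    """Header names (first-seen spelling) that occur more than once, ignoring case."""
    counts = Counter(name.lower() for name, _ in headers)
    first = {}
    for name, _ in headers:
        first.setdefault(name.lower(), name)
    return sorted(first[k] for k, c in counts.items()
                  if c > 1 and k not in ALLOWED_REPEATS)


def parse_intercept(part_h):
    """Rule id, deny code, phase and anomaly total from the 'Message: Access denied' line."""
    for line in part_h.splitlines():
        deny = DENY_RE.search(line)
        if line.startswith("Message:") and deny:
            rid = RULE_ID_RE.search(line)
            score = SCORE_RE.search(line)
            return {"code": int(deny.group(1)), "phase": int(deny.group(2)),
                    "rule_id": rid.group(1) if rid else None,
                    "total_score": int(score.group(1)) if score else None}
    return None


def analyse(entry):
    """Everything the report complains about, pulled from one audit-log entry."""
    parts = split_parts(entry)
    status, headers = parse_response_headers(parts["F"])
    return {"status": status,
            "duplicates": duplicate_headers(headers),
            "errordoc_fallback": ERRORDOC_FALLBACK in parts.get("E", ""),
            "intercept": parse_intercept(parts.get("H", ""))}


if __name__ == "__main__":
    print(analyse(SAMPLE_AUDIT))
```

To run it over a real modsec_audit.log, split the file on the -A- markers first and call analyse on each entry. For this sample the ErrorDocument check returns False: the body ModSecurity recorded in part E is the plain 403 page, while the browser screenshot shows the extra "Additionally, ..." sentence, so the sentence was added after the point at which ModSecurity logged the response.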
ablanken (Author) commented:

I was not able to reproduce this on Alma 9.3 with a similar configuration

theseion (Contributor) commented:

Hi @ablanken.

Thanks for the detailed report.

Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client ::1] ModSecurity: Access denied with code 403 (phase 4). Operator GE matched 0 at TX:blocking_outbound_anomaly_score. [file "C:/Repro/Apache24/conf/crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "243"] [id "959100"] [msg "Outbound Anomaly Score Exceeded (Total Score: 0)"] [ver "OWASP_CRS/4.1.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "localhost"] [uri "/"] [unique_id "ZiZAvP81uSk7OfVgzl51IQAAACg"]

This line says that your tx.outbound_anomaly_score_threshold is set to 0. So it makes sense that ModSecurity will run the deny action. Every request will be denied. I don't see how any request would ever return 200.

ablanken (Author) commented:

That's what's odd - it should be using the default value of 4 as I have not changed the value. I can attempt to set it to any value in the crs-setup.conf file but that makes no difference.

dune73 (Member) commented Apr 23, 2024

This is very odd.

I think you need to dump the value of tx.outbound_anomaly_score_threshold across various points in the execution (-> start and end of every phase) to understand why it's 0.

This is either a funny malfunction or you have some additional configuration laying around.

Here is how to dump a value:

SecRule TX:outbound_anomaly_score_threshold "." "id:1001,phase:1,pass,log,msg:'Outbound anomaly threshold, phase 1: %{MATCHED_VAR}'"

ablanken (Author) commented:

Thanks @dune73 - it seems like this logging only works for requests to allowed proxy paths.

I enabled level 9 debug logging which shows that quite a few steps are missing for requests to disallowed paths.

Variable initialisation only happens with requests to allowed paths:

Request to allowed proxy path:

[23/Apr/2024:21:58:11.143898 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Initialising transaction (txid ZieGMwdTRuHYl8XIl72HugAAPwA).
[23/Apr/2024:21:58:11.143898 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Transaction context created (dcfg 14527b39080).
[23/Apr/2024:21:58:11.143898 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] First phase starting (dcfg 14527b39080).
[23/Apr/2024:21:58:11.143898 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Starting phase REQUEST_HEADERS.
[23/Apr/2024:21:58:11.143898 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][9] This phase consists of 243 rule(s).
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Recipe: Invoking rule 145287ef158; [file "D:/Apache/HTTP Server/conf/modsecurity/modsecurity.conf"] [line "23"] [id "200000"].
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][5] Rule 145287ef158: SecRule "REQUEST_HEADERS:Content-Type" "@rx ^(?:application(?:/soap\\+|/)|text/)xml" "phase:1,auditlog,id:200000,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Rule returned 0.
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][9] No match, not chained -> mode NEXT_RULE.
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Recipe: Invoking rule 145287e4d10; [file "D:/Apache/HTTP Server/conf/modsecurity/modsecurity.conf"] [line "30"] [id "200001"].
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][5] Rule 145287e4d10: SecRule "REQUEST_HEADERS:Content-Type" "@rx ^application/json" "phase:1,auditlog,id:200001,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Rule returned 0.
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][9] No match, not chained -> mode NEXT_RULE.
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Recipe: Invoking rule 145287f1580; [file "D:/Apache/HTTP Server/conf/crs/crs-setup.conf"] [line "820"] [id "900990"].
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][5] Rule 145287f1580: SecAction "phase:1,auditlog,id:900990,pass,t:none,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.1.0,setvar:tx.crs_setup_version=410"
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Transformation completed in 0 usec.
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][9] Target value: "11.11.11.11"
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Operator completed in 0 usec.
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][9] Setting variable: tx.crs_setup_version=410
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][9] Set variable "tx.crs_setup_version" to "410".



Request to Disallowed root path:

[23/Apr/2024:21:57:30.865719 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Initialising transaction (txid ZieGCloDXkQloP3yhsmL3wAAPwA).
[23/Apr/2024:21:57:30.865719 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Transaction context created (dcfg 24658a53d70).
[23/Apr/2024:21:57:30.865719 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Hook insert_error_filter: Adding output filter (r 2465c1d8740).
[23/Apr/2024:21:57:30.865719 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][9] Output filter: Receiving output (f 2465c1db368, r 2465c1d8740).
[23/Apr/2024:21:57:30.865719 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Starting phase RESPONSE_HEADERS.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][9] This phase consists of 68 rule(s).
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Recipe: Invoking rule 2465a3916b0; [file "D:/Apache/HTTP Server/conf/crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "26"] [id "950011"].
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][5] Rule 2465a3916b0: SecRule "TX:DETECTION_PARANOIA_LEVEL" "@lt 1" "phase:3,auditlog,id:950011,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.1.0,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Rule returned 0.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][9] No match, not chained -> mode NEXT_RULE.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Recipe: Invoking rule 2465a39f1c8; [file "D:/Apache/HTTP Server/conf/crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "88"] [id "950013"].
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][5] Rule 2465a39f1c8: SecRule "TX:DETECTION_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,tag:OWASP_CRS,ver:OWASP_CRS/4.1.0,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Rule returned 0.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][9] No match, not chained -> mode NEXT_RULE.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Recipe: Invoking rule 2465a39c4f0; [file "D:/Apache/HTTP Server/conf/crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "115"] [id "950100"].
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][5] Rule 2465a39c4f0: SecRule "RESPONSE_STATUS" "@rx ^5\\d{2}$" "phase:3,log,auditlog,id:950100,block,capture,t:none,msg:'The Application Returned a 500-Level Status Code',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-disclosure,tag:paranoia-level/2,tag:OWASP_CRS,tag:capec/1000/152,tag:PCI/6.5.6,ver:OWASP_CRS/4.1.0,severity:ERROR,setvar:tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}"
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Transformation completed in 0 usec.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Executing operator "rx" with param "^5\\d{2}$" against RESPONSE_STATUS.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][9] Target value: "403"
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Operator completed in 0 usec.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Rule returned 0.
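To make the comparison above systematic rather than eyeballed, here is an added Python example (mine, not from the issue or from the CRS project) that groups a level-9 debug log by request id and records, per request, which phases started, which rule ids were invoked, which tx.* variables were set, and whether the transaction entered ModSecurity through the error-filter hook. The sample is a trimmed copy of the two excerpts above; the line layout, `[timestamp] [server/sid#][rid#][uri][level] message`, is what ModSecurity 2.9 writes. missing_vars is the programmatic form of the dump suggested earlier in the thread: a variable set by a phase 1 rule appears as a "Set variable" line, so its absence for a request id is the signal that the request-phase rules never ran. The function names and the REQUEST_PHASES constant are my assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: lines copied and trimmed from the two level-9 debug-log excerpts above,
# one request to an allowed proxy path and one to the disallowed root path.
SAMPLE_DEBUG = """\
[23/Apr/2024:21:58:11.143898 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Initialising transaction (txid ZieGMwdTRuHYl8XIl72HugAAPwA).
[23/Apr/2024:21:58:11.143898 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Starting phase REQUEST_HEADERS.
[23/Apr/2024:21:58:11.143898 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][9] This phase consists of 243 rule(s).
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Recipe: Invoking rule 145287ef158; [file "D:/Apache/HTTP Server/conf/modsecurity/modsecurity.conf"] [line "23"] [id "200000"].
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Recipe: Invoking rule 145287e4d10; [file "D:/Apache/HTTP Server/conf/modsecurity/modsecurity.conf"] [line "30"] [id "200001"].
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][4] Recipe: Invoking rule 145287f1580; [file "D:/Apache/HTTP Server/conf/crs/crs-setup.conf"] [line "820"] [id "900990"].
[23/Apr/2024:21:58:11.144900 +1200] [webhost.url/sid#145287d9ee8][rid#1452b1c1c20][/AllowedProxyPath][9] Set variable "tx.crs_setup_version" to "410".
[23/Apr/2024:21:57:30.865719 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Initialising transaction (txid ZieGCloDXkQloP3yhsmL3wAAPwA).
[23/Apr/2024:21:57:30.865719 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Hook insert_error_filter: Adding output filter (r 2465c1d8740).
[23/Apr/2024:21:57:30.865719 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Starting phase RESPONSE_HEADERS.
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Recipe: Invoking rule 2465a3916b0; [file "D:/Apache/HTTP Server/conf/crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "26"] [id "950011"].
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Recipe: Invoking rule 2465a39f1c8; [file "D:/Apache/HTTP Server/conf/crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "88"] [id "950013"].
[23/Apr/2024:21:57:30.866723 +1200] [webhost.url/sid#2465970df08][rid#2465c1d8740][/(DisallowedRootPath)][4] Recipe: Invoking rule 2465a39c4f0; [file "D:/Apache/HTTP Server/conf/crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "115"] [id "950100"].
"""

# [timestamp] [server/sid#...][rid#...][uri][level] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<srv>[^\]]+)\]\[rid#(?P<rid>[0-9a-f]+)\]"
    r"\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
PHASE_RE = re.compile(r"^Starting phase (\w+)\.")
INVOKE_RE = re.compile(r'^Recipe: Invoking rule \w+; .*\[id "(\d+)"\]')
SETVAR_RE = re.compile(r'^Set variable "([^"]+)" to "([^"]*)"\.')
# Phases 1 and 2; crs-setup.conf and the 901 init rules run in phase 1.
REQUEST_PHASES = ("REQUEST_HEADERS", "REQUEST_BODY")


def summarise_debug_log(text):
    """Group debug-log lines by request id and record what ran for each transaction."""
    txs = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or non-transaction line
        tx = txs.setdefault(m["rid"], {
            "uri": m["uri"], "initialised": False, "error_filter": False,
            "phases": [], "rules": [], "vars": {},
        })
        msg = m["msg"]
        if msg.startswith("Initialising transaction"):
            tx["initialised"] = True
        elif msg.startswith("Hook insert_error_filter"):
            tx["error_filter"] = True  # entered via Apache's error output filter
        else:
            phase, rule, setvar = PHASE_RE.match(msg), INVOKE_RE.match(msg), SETVAR_RE.match(msg)
            if phase:
                tx["phases"].append(phase.group(1))
            elif rule:
                tx["rules"].append(rule.group(1))
            elif setvar:
                tx["vars"][setvar.group(1)] = setvar.group(2)
    return txs


def skipped_request_phases(txs):
    """Request ids whose first evaluated phase was already a response phase."""
    return [rid for rid, tx in txs.items()
            if tx["phases"] and tx["phases"][0] not in REQUEST_PHASES]


def missing_vars(txs, names):
    """Per request id, which of the named tx.* variables were never set."""
    return {rid: [n for n in names if n not in tx["vars"]] for rid, tx in txs.items()}


if __name__ == "__main__":
    summary = summarise_debug_log(SAMPLE_DEBUG)
    for rid, tx in summary.items():
        print(rid, tx["uri"], tx["phases"], tx["rules"], tx["vars"], tx["error_filter"])
    print("skipped request phases:", skipped_request_phases(summary))
```

Feed it the whole debug log (SecDebugLogLevel 9) and compare the two request ids side by side; in the sample the disallowed-path transaction is initialised, then goes straight from the error-filter hook to RESPONSE_HEADERS, so no phase 1 variable (tx.crs_setup_version here, and by the same mechanism the outbound threshold) is ever set for it.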

ablanken (Author) commented:

I just tried the same tests using v3.3.5 with the debug log turned on & that also skips the variable init steps when trying to access disallowed paths so that might be a red herring?
v3.3.5 doesn't result in the duplicated response headers and error message being returned to the client though.

theseion (Contributor) commented:

Just a guess: it looks like the response rules may be run for all requests but init and request rules only for allowed requests. Not sure how you managed to do that :)

The duplicate headers may be coming from the internal response redirect, which might traverse your Header always set twice.

dune73 (Member) commented Apr 24, 2024

This might be true.

This is all a very complicated case. It deserves some investigation, but this could be quite time consuming and at least I have no time to dig into this. I guess this will fall back on @ablanken.

ablanken (Author) commented:

Thanks - I'll see what I can do. If it makes things easier for someone to jump in, I could probably stand up a repro in an Azure VM accessible via RDP or SSH.

theseion (Contributor) commented:

Containers would be great, maybe with a docker-compose file. That way, if we break something, we can just start over.

fzipi (Member) commented May 29, 2024

@ablanken ping.

ablanken (Author) commented:

I was able to reproduce the problem without the CRS components loaded so we may be able to close the issue here. The next step for me will be to write up my findings and post to the Apache Lounge forums and/or modsec repo for further assistance.

I haven't been able to repro with non-Windows releases to date.

azurit (Member) commented May 29, 2024

@ablanken Thank you for letting us know!

@azurit azurit closed this as completed May 29, 2024
5 participants