
SecRuleUpdateActionById may not replace non-disruptive, non-additive actions

Open martinhsv opened this issue 2 years ago • 0 comments

SecRuleUpdateActionById can successfully be used to:

  • add actions where multiple instances of the same action are allowed in a rule (e.g. setvar)
  • overwrite disruptive actions (e.g. change 'deny' to 'pass')
  • add a non-disruptive, non-additive action when that action did not already exist in the rule

However, existing actions that are neither a replacement for a 'disruptive' action nor additive to previous actions do not get replaced as expected. E.g. with:

#SecRule ARGS "@rx 000" "id:98001,phase:2,deny,status:403,msg:'abc'"
#SecRuleUpdateActionById 98001 "msg:'def'"

... the msg content 'abc' is what will appear in the audit log.

In ModSecurity v2, the substitute text ('def') would appear in the log.

martinhsv, Jul 12 '23 14:07
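The following ruleset is an added example for readers who want to reproduce the four behaviours listed in the report side by side; it is not part of the issue and not ModSecurity project code. Rule ids 98001 to 98004, the "000" pattern, the transaction variable names and the message strings are assumptions chosen for this illustration.

```apache
# Added example, not from the issue or the ModSecurity project.
# Each pair below is one of the cases the report describes; the
# SecRuleUpdateActionById line must come after the rule it targets.

# Case 1: additive action (setvar). The update is appended, so on a match
# both tx.first and tx.second are set.
SecRule ARGS "@rx 000" "id:98002,phase:2,pass,setvar:'tx.first=1'"
SecRuleUpdateActionById 98002 "setvar:'tx.second=1'"

# Case 2: disruptive action. 'deny' is replaced by 'pass', so the request
# is no longer blocked.
SecRule ARGS "@rx 000" "id:98003,phase:2,deny,status:403"
SecRuleUpdateActionById 98003 "pass"

# Case 3: non-disruptive, non-additive action that the rule does not yet
# carry. The msg is added and appears in the audit log.
SecRule ARGS "@rx 000" "id:98004,phase:2,deny,status:403"
SecRuleUpdateActionById 98004 "msg:'added'"

# Case 4 (the reported defect): the same kind of action already exists in
# the rule. On the affected v3 versions the audit log still shows 'abc';
# on v2 it shows 'def'.
SecRule ARGS "@rx 000" "id:98001,phase:2,deny,status:403,msg:'abc'"
SecRuleUpdateActionById 98001 "msg:'def'"
```

To check the behaviour, enable the audit log (SecAuditEngine RelevantOnly with a status pattern covering 403, or SecAuditEngine On) and send a request whose argument matches the pattern, for example a query string of `x=000`; then compare the msg recorded for rule 98001 against the one recorded for 98004. Only the 98001 case distinguishes a v3 build with this defect from v2, so it is the one worth keeping in a regression test after a fix.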