
Confusing behaviour with variable remote_addr (behaviour depends on mod_remoteip being loaded)

Open taladar opened this issue 5 years ago • 1 comments

We are using mod_rpaf to populate useragent_ip (the C source variable in the request record) among other things that mod_remoteip completely ignores (HTTPS, Port,...).

We have been using this setup for years and it works for all other Apache modules, log files, access control,...

Now we are trying to implement a WAF using mod_security2 (initially on Debian stretch but later also on other versions and distributions) which apparently was not using the useragent_ip for the CRS DoS protection. Apparently the CRS uses the mod_security2 variable remote_addr for this (took me quite a while to figure out that it was not the regular Apache Core variable REMOTE_ADDR too, which does use the correct value).

I checked the source code of mod_security2 in the version we use on Debian stretch and it appears the variable remote_addr returns useragent_ip when mod_remoteip is loaded and remote_addr otherwise.

```c
/* REMOTE_ADDR */

static int var_remote_addr_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
    apr_table_t *vartab, apr_pool_t *mptmp)
{
#if !defined(MSC_TEST)
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 3
    if (ap_find_linked_module("mod_remoteip.c") != NULL) {
        if(msr->r->useragent_ip != NULL) msr->remote_addr = apr_pstrdup(msr->mp, msr->r->useragent_ip);
        return var_simple_generate(var, vartab, mptmp, msr->remote_addr);
    }
#endif
#endif

    return var_simple_generate(var, vartab, mptmp, msr->remote_addr);
}
```

This special case is completely nonsensical to me, considering mod_rpaf and others are taken into account in other places in the code, e.g. when registering hooks.

In my opinion mod_security2 should behave like any other Apache module and not implement behavior changes depending on which module populates these variables.

I also feel that it is very confusing to have the behavior of the mod_security2 variable remote_addr and the core variable REMOTE_ADDR to differ in this respect.

The Apache Source-Code unconditionally returns useragent_ip for this variable.

taladar, Sep 27 '19 13:09
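
An added illustration, not part of the original issue and not ModSecurity's code: a small C model of the branch quoted above, counting how many distinct addresses a per-address limiter sees when keyed on the mod_security2 variable versus Apache's core REMOTE_ADDR. The struct, helper names and sample addresses are constructed, and the model assumes `msr->remote_addr` starts as the TCP peer address and that mod_rpaf sets only `useragent_ip`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the fields involved; not Apache's real structs. */
struct req_model {
    const char *peer_ip;      /* TCP peer (the proxy); assumed initial msr->remote_addr */
    const char *useragent_ip; /* client address as set by mod_rpaf or mod_remoteip */
    int remoteip_linked;      /* ap_find_linked_module("mod_remoteip.c") != NULL */
};
typedef const char *(*addr_fn)(const struct req_model *);

/* Same branch as var_remote_addr_generate() quoted in the issue. */
const char *modsec_remote_addr(const struct req_model *r) {
    if (r->remoteip_linked && r->useragent_ip != NULL)
        return r->useragent_ip;
    return r->peer_ip;
}

/* Apache core REMOTE_ADDR as described in the issue: always useragent_ip. */
const char *core_remote_addr(const struct req_model *r) {
    return r->useragent_ip;
}

/* Distinct per-address keys a rate limiter would see across n requests. */
int distinct_keys(const struct req_model *reqs, int n, addr_fn key) {
    int count = 0;
    for (int i = 0; i < n; i++) {
        int seen = 0;
        for (int j = 0; j < i && !seen; j++)
            seen = strcmp(key(&reqs[i]), key(&reqs[j])) == 0;
        count += !seen;
    }
    return count;
}

/* Three constructed clients behind one proxy; linked=0 is the mod_rpaf-only setup. */
int keys_seen(int linked, addr_fn key) {
    struct req_model reqs[3] = {
        { "10.0.0.1", "198.51.100.7", linked },
        { "10.0.0.1", "198.51.100.8", linked },
        { "10.0.0.1", "203.0.113.9", linked },
    };
    return distinct_keys(reqs, 3, key);
}

int main(void) {
    for (int linked = 0; linked <= 1; linked++)
        printf("mod_remoteip linked=%d: modsec keys=%d, core keys=%d\n", linked,
               keys_seen(linked, modsec_remote_addr), keys_seen(linked, core_remote_addr));
    return 0;
}
```

In the mod_rpaf-only case the model collapses all three clients onto the proxy address, so a per-address counter keyed on the mod_security2 variable would treat them as one source.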

Would love to have this fixed

tomsommer, Jul 13 '22 07:07