#690 new
Christian Nolte

Response Splitting Attack reported by mod_security

Reported by Christian Nolte | July 24th, 2008 @ 03:45 PM | in 3.x

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I use the apache proxy to forward traffic to mongrel. The apache has
mod_security enabled and since I made an update to Rails 2.1.0
mod_security blocks access with the following message:

[24/Jul/2008:16:13:36 +0200] [myhost/sid#988eef8][rid#a29a550][/myapp/][1] Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"]

I don't know what exactly is causing this. I am using
restful_authentication.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIiJUVCNjA0nfhW7wRApu8AKDk9LU37uOpdogLGcnjJM+PG8r+qQCgl48P
VMDMiC0VZpXzAW5OOwyc+LE=
=NIF1
-----END PGP SIGNATURE-----

Comments and changes to this ticket

  • Daniel Tsadok

    Daniel Tsadok October 6th, 2008 @ 11:56 PM

    I have the exact same issue - it seems to be related to the way Rails handles its cookies, particularly CRLF's: http://en.wikipedia.org/wiki/HTT...

    So could this be a security issue in Rails? The Wikipedia page suggests URL-encoding the cookies...

    (I'm not a security expert - I just want to get my app to work with mod_security. What I wrote above is simply what I've gathered from a bit of research)

  • Ryan Stenhouse

    Ryan Stenhouse October 29th, 2008 @ 01:42 PM

    This issue is still present. For the time being, switching to using the Active Record session store is a viable work around - however something as serious as this does need to be addressed.

    Specific issue:

    Message: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie. [id "950910"] [msg "HTTP Response Splitting Attack. Matched signature <%0a>"] [severity "ALERT"]

    While the CRs and LFs in the response body are being properly URI-Encoded (%0A), it is still enough to trigger the alert from mod_security. I for one am certainly not going to turn off part of mod_security's protection for my application although I'm sure mod_security could be tweaked to be more lenient for the requests being sent from Apache to Mongrel.

    One solution would be to cease using the Cookie Session Store as the default and reverting back to the old database driven approach, especially since this is a security issue (albeit a minor one).
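The mechanism behind the alert, as an added example (not code from the ticket or from Rails): a line-wrapping Base64 encoder such as Ruby's `Base64.encode64` inserts a `"\n"` after every 60 output characters and at the end of the output, so a cookie value built from it carries literal line feeds. Once the cookie serializer percent-encodes them they become `%0A`, which is exactly what the quoted mod_security rule (pattern `%0[ad]`, reconstructed here as a case-insensitive regex from the log message) matches. The `data--hmac` cookie layout and the session payload below are constructed for illustration and only approximate the Rails 2.1 cookie store; the fix shown is to emit Base64 without line breaks, either by deleting the newlines or by using `Base64.strict_encode64` (Ruby 1.9+).

```ruby
require "base64"
require "cgi"
require "openssl"

# The rule as quoted in the ticket: "Pattern match "%0[ad]" at REQUEST_HEADERS:Cookie".
# Case-insensitive so %0A/%0a and %0D/%0d are all caught, as the CRS rule does.
RESPONSE_SPLITTING_PATTERN = /%0[ad]/i

# Constructed session payload (not a real Rails session). It is longer than
# 45 bytes so that Base64.encode64 wraps it mid-stream as well as at the end.
SAMPLE_SESSION = "user_id=42;session_id=#{'a' * 32};flash=none"

# Constructed signing key; a real app would use its configured secret.
SECRET = "constructed-secret-not-from-the-ticket"

def sign(data)
  OpenSSL::HMAC.hexdigest("SHA1", SECRET, data)
end

# Builds the cookie value as "<base64 data>--<hmac>" and percent-encodes it,
# which is how "\n" inside the data turns into "%0A" on the wire.
def cookie_value_for(encoded_data)
  CGI.escape("#{encoded_data}--#{sign(encoded_data)}")
end

# Line-wrapping encoder: output contains "\n", so the cookie contains "%0A".
def wrapped_cookie_value(session = SAMPLE_SESSION)
  cookie_value_for(Base64.encode64(session))
end

# Minimal in-place fix: keep the wrapping encoder but drop its newlines.
def unwrapped_cookie_value(session = SAMPLE_SESSION)
  cookie_value_for(Base64.encode64(session).delete("\n"))
end

# Cleaner fix: a strict encoder never emits line breaks in the first place.
def strict_cookie_value(session = SAMPLE_SESSION)
  cookie_value_for(Base64.strict_encode64(session))
end

def cookie_header(value)
  "_myapp_session=#{value}"
end

# Emulates rule 950910 over a Cookie header: returns the matched signature
# (e.g. "%0A") when the request would be blocked, nil when it passes.
def response_splitting_match(header)
  m = RESPONSE_SPLITTING_PATTERN.match(header)
  m && m[0]
end

# Verifies the signature and decodes the session from a strict-form cookie,
# to show the newline-free value still round-trips.
def decode_strict_cookie(value)
  data, mac = CGI.unescape(value).split("--", 2)
  return nil unless mac == sign(data)
  Base64.strict_decode64(data)
end

if __FILE__ == $PROGRAM_NAME
  [["wrapped", wrapped_cookie_value],
   ["unwrapped", unwrapped_cookie_value],
   ["strict", strict_cookie_value]].each do |name, value|
    hit = response_splitting_match(cookie_header(value))
    puts "#{name.ljust(9)} #{hit ? "BLOCKED (matched #{hit})" : "passes"}"
  end
end
```

Running it shows the wrapped form blocked on `%0A` while both fixed forms pass; the alert is a false positive in the sense that the bytes are percent-encoded and never reach a response header unencoded, but a cookie value that contains no line breaks at all is the right way to make it go away without loosening the rule.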

  • DHH

    DHH October 30th, 2008 @ 10:38 AM

    • Assigned user set to “Rick”
  • Pratik

    Pratik March 13th, 2009 @ 11:00 AM

    • Assigned user changed from “Rick” to “Michael Koziarski”
    • Title changed from “Rails 2.1.0: mod_security reports a Response Splitting Attack” to “Response Splitting Attack reported by mod_security”

    Any idea koz ?

  • Jeremy Kemper

    Jeremy Kemper May 4th, 2010 @ 06:48 PM

    • Milestone changed from 2.x to 3.x
  • Ryan Bigg

    Ryan Bigg November 8th, 2010 @ 01:53 AM

    Automatic cleanup of spam.
