ModSecurity 2.9.7 install on Windows is blocking access to some local URL

[adrianglendinningGPI]

Describe the bug

Hi, we found that installing ModSec 2.9.7 on an application server, it is breaking our Test Execution Framework tests. A prent site is accessible no problem

https://ab1.testsite.com works fine

BUT

If i run a curl to

https://ab1.testsite.com/mw/ws/lui/luinternal.asmx

It times out

Works fine on an identical server with no Modsec installed

Logs and dumps

Output of:

1. DebugLogs (level 9) - Nothing shows in the debug log for this behaviour even when set to the highest level
2. AuditLogs - Nothing shows in the audit log for this behaviour even when set to the highest level
3. Error logs - Nothing in the error logs
4. If there is a crash, the core dump file. - No dump file

Notice: Be carefully to not leak any confidential information.

To Reproduce

Steps to reproduce the behavior:

See above for steps to reproduce

Expected behavior

A clear and concise description of what you expected to happen.

Should see curl complete full access to the site

Instead it just hangs

• Trying x.x.x.x:443...
• TCP_NODELAY set
• Connected to x.x.x.x (x.x.x.x) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.2 (IN), TLS handshake, Certificate (11):
• TLSv1.2 (IN), TLS handshake, Server key exchange (12):
• TLSv1.2 (IN), TLS handshake, Server finished (14):
• TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
• TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.2 (OUT), TLS handshake, Finished (20):
• TLSv1.2 (IN), TLS handshake, Finished (20):
• SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
• ALPN, server did not agree to a protocol
• Server certificate:
• subject: CN=*.testsite.com
• start date: Jan 2 17:07:23 2025 GMT
• expire date: Mar 9 23:04:06 2026 GMT
• issuer: DC=com; DC=testsite; CN=testsite.com
• SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

GET /mw/ws/lui/lu/internal.asmx HTTP/1.1
Host: ab1.testsite.com
User-Agent: curl/7.67.0
Accept: /

^C

Rule Set (please complete the following information):

No rule is being used

Additional context

None

[airween]

@adrianglendinningGPI,

sorry to say but I'm afraid nobody can help you with available information that you provide.

It would be nice to see the webserver's config at least (the relevant part).

[adrianglendinningGPI]

Hi Ervin, Yeah, sorry I didnt have more info up there. Is it the Modsecurity config you want to see, or the IIS config for the site itself? Thanks Adrian

…

On Thu, Jan 9, 2025 at 9:40 AM Ervin Hegedus ***@***.***> wrote: @adrianglendinningGPI <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_adrianglendinningGPI&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=WEj3Uy0NBoaASQJFrYvWZb6JBGR6wZjLk126rWZfKH-_PB2haDAyZLaM4gfo3lvQ&s=xs10m6eYrU0vO5-Gx6mOVseWOAvAqKlFTxpHYx0kl-A&e=> , sorry to say but I'm afraid nobody can help you with available information that you provide. It would be nice to see the webserver's config at least (the relevant part). — Reply to this email directly, view it on GitHub <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_owasp-2Dmodsecurity_ModSecurity_issues_3323-23issuecomment-2D2579595533&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=WEj3Uy0NBoaASQJFrYvWZb6JBGR6wZjLk126rWZfKH-_PB2haDAyZLaM4gfo3lvQ&s=O_Fuydq0sSztQVtg91QhbSPzbTbP0mo7VDn8iWz2QuQ&e=>, or unsubscribe <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_BGXPVGJWGPTV7LC2SJ5AD332JY7W7AVCNFSM6AAAAABUZ7X7B6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZZGU4TKNJTGM&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=WEj3Uy0NBoaASQJFrYvWZb6JBGR6wZjLk126rWZfKH-_PB2haDAyZLaM4gfo3lvQ&s=IfTDWhMDoDbWmrwJuKVENtkMjjDzhF195vYZHSmbycY&e=> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- NOTICE: This email message is for the sole use of the addressee(s) named above and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this message or any attachments is expressly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies and backups of the original message.

[airween]

Hi @adrianglendinningGPI,

sorry, I was thinking you use Apache2 on Windows.

Could you turn off ModSecurity in IIS to check that if it's the cause? (Do not uninstall, just disable the module)

[adrianglendinningGPI]

Thanks Ervin, I'll try that, so far the only way I can access the URL is by uninstalling Modsec, but I haven't tried disabling the module, will try shortly

…

On Thu, Jan 9, 2025 at 10:18 AM Ervin Hegedus ***@***.***> wrote: Hi @adrianglendinningGPI <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_adrianglendinningGPI&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=8Hh4BPbGWKxePvd-o77nisFdgqQJAdOAtAmRFjRoNG--Sn8M41ZiOOdUXd2vyDY2&s=Fb_J9P9xUGg6VYU_4VK4GCFBYhh_Aj9ZonFikCmzGuI&e=> , sorry, I was thinking you use Apache2 on Windows. Could you turn *off* ModSecurity in IIS to check that if it's the cause? (Do not uninstall, just disable the module) — Reply to this email directly, view it on GitHub <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_owasp-2Dmodsecurity_ModSecurity_issues_3323-23issuecomment-2D2579707342&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=8Hh4BPbGWKxePvd-o77nisFdgqQJAdOAtAmRFjRoNG--Sn8M41ZiOOdUXd2vyDY2&s=28Uy2g-qMYQfOPI1HXvia8kEUuP9sZpoPUTMCFgwZTo&e=>, or unsubscribe <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_BGXPVGNUSSAR4EE45PWTV332JZEG7AVCNFSM6AAAAABUZ7X7B6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZZG4YDOMZUGI&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=8Hh4BPbGWKxePvd-o77nisFdgqQJAdOAtAmRFjRoNG--Sn8M41ZiOOdUXd2vyDY2&s=TGjIIdaxGMEwPKyUcUS5mDDx2017bSHsN3i-eE9v1A0&e=> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- NOTICE: This email message is for the sole use of the addressee(s) named above and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this message or any attachments is expressly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies and backups of the original message.

[adrianglendinningGPI]

Hi Ervin, Im not sure if there is another way to disable the modsec module, ive tried disabling by setting this to false at the sub URL level, still seeing the same issue [image: image.png] On Thu, Jan 9, 2025 at 10:47 AM Adrian Glendinning < ***@***.***> wrote:

…

Thanks Ervin, I'll try that, so far the only way I can access the URL is by uninstalling Modsec, but I haven't tried disabling the module, will try shortly On Thu, Jan 9, 2025 at 10:18 AM Ervin Hegedus ***@***.***> wrote: > Hi @adrianglendinningGPI > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_adrianglendinningGPI&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=8Hh4BPbGWKxePvd-o77nisFdgqQJAdOAtAmRFjRoNG--Sn8M41ZiOOdUXd2vyDY2&s=Fb_J9P9xUGg6VYU_4VK4GCFBYhh_Aj9ZonFikCmzGuI&e=> > , > > sorry, I was thinking you use Apache2 on Windows. > > Could you turn *off* ModSecurity in IIS to check that if it's the cause? > (Do not uninstall, just disable the module) > > — > Reply to this email directly, view it on GitHub > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_owasp-2Dmodsecurity_ModSecurity_issues_3323-23issuecomment-2D2579707342&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=8Hh4BPbGWKxePvd-o77nisFdgqQJAdOAtAmRFjRoNG--Sn8M41ZiOOdUXd2vyDY2&s=28Uy2g-qMYQfOPI1HXvia8kEUuP9sZpoPUTMCFgwZTo&e=>, > or unsubscribe > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_BGXPVGNUSSAR4EE45PWTV332JZEG7AVCNFSM6AAAAABUZ7X7B6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZZG4YDOMZUGI&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=8Hh4BPbGWKxePvd-o77nisFdgqQJAdOAtAmRFjRoNG--Sn8M41ZiOOdUXd2vyDY2&s=TGjIIdaxGMEwPKyUcUS5mDDx2017bSHsN3i-eE9v1A0&e=> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

-- NOTICE: This email message is for the sole use of the addressee(s) named above and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this message or any attachments is expressly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies and backups of the original message.

[airween]

Hi Ervin, Im not sure if there is another way to disable the modsec module, ive tried disabling by setting this to false at the sub URL level, still seeing the same issue [image: image.png]

Unfortunately the image is not visible.

Anyway, if IIS uses the same configuration directives as Apache, then you should use

SecRuleEngine Off

[adrianglendinningGPI]

Ah ok, sorry about that, yeah ive tried with the secruleengineoff and I still cant curl to that site. Uninstalling Modesc only thing that seems to work unfortunately.

…

On Thu, Jan 9, 2025 at 12:29 PM Ervin Hegedus ***@***.***> wrote: Hi Ervin, Im not sure if there is another way to disable the modsec module, ive tried disabling by setting this to false at the sub URL level, still seeing the same issue [image: image.png] Unfortunately the image is not visible. Anyway, if IIS uses the same configuration directives as Apache, then you should use SecRuleEngine Off — Reply to this email directly, view it on GitHub <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_owasp-2Dmodsecurity_ModSecurity_issues_3323-23issuecomment-2D2580037627&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=VK4K5XtInTq_PT94bjJngoND57F0jVLWnyLeNjr_0ubky6Rgs1MWCcBokR4nSyvL&s=d4n2dv7xWS7OMDsSxKH50mQZGx1PIszTCwjmg5xGUD8&e=>, or unsubscribe <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_BGXPVGMFKVFMDQRNETKJS5L2JZTRXAVCNFSM6AAAAABUZ7X7B6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOBQGAZTONRSG4&d=DwMFaQ&c=zQ6tLaF7dShu6emFdFLQLeh4ApIjUVDHmN_RmdGFa9g&r=iWlGAcZs8vsxjjqL0KvKkJRUY28mkbN9qpVHA6bjTANFKKxpEJDSrdFDMdXKoKnw&m=VK4K5XtInTq_PT94bjJngoND57F0jVLWnyLeNjr_0ubky6Rgs1MWCcBokR4nSyvL&s=8rGaKT1rWzvdZszve-Mrsm8SZoZT1uSKb66hDeJBWdk&e=> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- NOTICE: This email message is for the sole use of the addressee(s) named above and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this message or any attachments is expressly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies and backups of the original message.