
Semantic Search produces invalid links for ModSecurity (the WAF)
Closed, Declined | Public

Description

Author: Dauerwaldweg

Description:
Semantic Search produces invalid links for ModSecurity (the WAF)

  1) HTTP Response Splitting Attack
  2) Invalid request

...result pages triggered by pagination links of semantic search are falling in a bad request response.

reg. Stevie, http://webserver-management.de


Version: unspecified
Severity: minor
OS: Linux

Details

Reference
bz35203

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 12:18 AM
bzimport set Reference to bz35203.
bzimport added a subscriber: Unknown Object (MLST).

Dauerwaldweg wrote:

Corresponding pattern match:

modsecurity_crs_40_generic_attacks.conf:

    # HTTP Response Splitting #
    SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
        "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'1'"

reg. Stevie, http://webserver-management.de
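
The matching logic of rule 950910 quoted above, re-implemented as an added example (not code from this report, SMW or ModSecurity) to check which requests would draw the 400 response. The sample URIs, the `wiki.example` host and the function names are constructed; the report does not say whether SMW's pagination links actually contain `%0A` or `%0D`.

```python
import re

# Rule 950910 as quoted above: t:none,t:lowercase, then the regex "%0[ad]".
RULE_ID = "950910"
PATTERN = re.compile(r"%0[ad]")


def check_950910(request_uri, headers):
    """Return (variable, TX.0) for the first match, or None if the rule stays silent.

    Targets follow the rule's variable list:
    REQUEST_URI | REQUEST_HEADERS | REQUEST_HEADERS_NAMES.
    Values are inspected as sent (t:none, so no URL decoding), lowercased only.
    """
    targets = [("REQUEST_URI", request_uri)]
    targets += [(f"REQUEST_HEADERS:{name}", value) for name, value in headers.items()]
    targets += [("REQUEST_HEADERS_NAMES", name) for name in headers]
    for variable, value in targets:
        match = PATTERN.search(value.lower())   # t:lowercase
        if match:
            return variable, match.group(0)     # 'capture' puts the match in TX.0
    return None


# Constructed sample requests (hypothetical, not taken from the bug report).
SAMPLES = [
    # Query text with an encoded line feed between two conditions.
    ("/index.php?title=Special:Ask&q=%5B%5BCategory%3ACity%5D%5D%0A"
     "%5B%5BPopulation%3A%3A%2B%5D%5D&offset=20", {"Host": "wiki.example"}),
    # Same query on a single line: no encoded CR or LF anywhere.
    ("/index.php?title=Special:Ask&q=%5B%5BCategory%3ACity%5D%5D"
     "%5B%5BPopulation%3A%3A%2B%5D%5D&offset=20", {"Host": "wiki.example"}),
    # Clean URI, but the Referer header carries an encoded carriage return.
    ("/index.php?title=Main_Page",
     {"Host": "wiki.example", "Referer": "http://wiki.example/index.php?q=a%0Db"}),
]


def triage(samples):
    """Pair each sample URI with the rule's verdict."""
    return [(uri, check_950910(uri, hdrs)) for uri, hdrs in samples]


if __name__ == "__main__":
    for uri, hit in triage(SAMPLES):
        verdict = f"400 (id {RULE_ID})" if hit else "pass"
        print(f"{verdict:<16} {hit}  {uri}")
```
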

Can you provide an example link or at least the relevant part of the url?

Also, what version of SMW are you using?

@Hans Meiser Any news on this? Please do not let SMW down on this one in case it is a security issue.

Unknown Object (User) added a comment. Oct 1 2012, 12:51 PM

Maybe it is my lack of technical knowledge but what exactly is the security issue here?

I tried to follow the links and I could not find any hint of what is going wrong.
Could you iterate on:

  1. What is the exact problem?
  2. What has to be different to make the problem go away?
  3. Or what should be done to satisfy ModSecurity? (I assume most people might not carry sufficient knowledge about ModSecurity-related topics, so explaining how that connects to SMW would be nice.)

Those questions might seem a bit far, but people try to help, and only after they understand what issues are involved might they come up with a solution.

Dauerwaldweg wrote:

Sorry MWJames, I'm currently very busy and will provide further investigations or a complete solution to the community as soon as possible, if I can. By the way, this issue can be avoided by hinting/disabling the corresponding rule in ModSecurity. The issue can be reproduced by analyzing the Apache/ModSecurity log files while running the WAF.

c u

Decreasing to minor as neither I nor MWJames can see the issue and no further description is provided for now.