Unexpected Response Injection in ModSecurity-nginx

Question

Unexpected Response Injection in ModSecurity-nginx

Opened this issue 10 months ago · 7 comments

I am encountering unexpected behavior when using ModSecurity-nginx with a specific commit of the ModSecurity-nginx repository.

Starting from commit 62639fa (dated June 18, 2024),
I noticed that ModSecurity began injecting unexpected data into the response.

This issue was not present in commit ef64996 (dated May 23, 2024), which was the last working version for me.

My build script use these repositories

NGINX_REPO="https://github.com/nginx/nginx.git"

MODSECURITY_REPO="https://github.com/SpiderLabs/ModSecurity.git"

MODSECURITY_NGINX_REPO="https://github.com/SpiderLabs/ModSecurity-nginx.git"
MODSECURITY_NGINX_TARGET_COMMIT="ef64996aedd4bb5fa1831631361244813d48b82f"

CORERULESET_REPO="https://github.com/coreruleset/coreruleset.git"

Starting from commit 62639fa,
I noticed that websites behind the reverse proxy began returning unexpected/random
characters in the response.

I attempted to download a file, such as example.com/test.png, through the reverse proxy.
When I compared the MD5 checksum of the file downloaded on the client versus the file on the server, the checksums did not match.

This issue does not occur with commit ef64996.
This indicates that something introduced in commit 62639fa is modifying or injecting data into the responses.

I’m not very experienced with reporting issues, but I want to ensure this is as helpful as possible.
if there’s anything specific you need from me—logs,
configurations, or additional details—please let me know,
and I’ll be happy to provide them.

Answer 1 · 2025-01-18T08:30:32.000Z

@dbc-ca,

thanks for report - please check #336, we are fighting with this issue :).

Answer 2 · 2025-01-19T15:51:47.000Z

same problem :O

Answer 3 · 2025-01-19T16:16:22.000Z

drexlma commented 10 months ago

Answer 4 · 2025-01-19T18:11:25.000Z

@drexlma,

thanks - the issue is under investigation. See #336.

Answer 5 · 2025-01-20T13:27:38.000Z

Hi @dbc-ca and @drexlma ,

I ran into a similar issue and I was able to work around it by setting SecResponseBodyAccess to Off after including /etc/nginx/modsecurity/modsecurity.conf. Maybe this helps you until @airween and the rest of the team comes up with a real solution.

Answer 6 · 2025-01-30T13:44:42.000Z

I faced the same issue and after referring to #336, it looks like setting the following makes it work (no issues notices so far):

proxy_buffer_size 128k;
proxy_buffers 8 32k;
proxy_busy_buffers_size 128k;

Had been literally pulling my hair searching for modsecurity broken images. This thread needs some SEO :)

Sorry, I spoke too soon.

I'm on commit fb678c5 (broken)

Answer 7 · 2025-02-02T04:13:13.000Z

Thank you @sharmashivanand !

I was getting
zero size buf in writer t:0 r:0 f:0 0000000000000000 0000000000000000-0000000000000000 0000000000000000 0-0 while sending to client
in my log, and the client was only getting half of the expected response body.

I had my proxy buffer disabled. Easy fix, after I finally found your comment.