coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

owasp/modsecurity-crs:apache server reached MaxRequestWorkers setting #266

Closed klodoma closed 1 week ago

klodoma commented 1 week ago

The apache version does an infinite redirect if some /etc/passwd api/navigation url is called.

To Reproduce:

Take this docker file: https://github.com/coreruleset/modsecurity-crs-docker/blob/main/docker-compose.yaml

# start crs-apache service
docker-compose up -d crs-apache

# this will work
curl http://localhost:80/?file=/etc/passwd

# this will crash the webserver
curl http://localhost:80/etc/passwd

Docker logs:

2024-06-27 10:56:53 crs-apache-1  | /usr/local/bin/generate-certificate: generating new certificate
2024-06-27 10:56:53 crs-apache-1  | Warning: No -copy_extensions given; ignoring any extensions in the request
2024-06-27 10:56:53 crs-apache-1  | /usr/local/bin/generate-certificate: generated /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037390 2024] [ssl:error] [pid 1:tid 140093960431488] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: 2BB69DE0961FA576F1046042882927CBA1C203D9 / notbefore: Jun 27 08:56:53 2024 GMT / notafter: Jun 27 08:56:53 2025 GMT]
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037436 2024] [ssl:error] [pid 1:tid 140093960431488] AH02604: Unable to configure certificate localhost:8443:0 for stapling
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037466 2024] [security2:notice] [pid 1:tid 140093960431488] ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/) configured.
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037468 2024] [security2:notice] [pid 1:tid 140093960431488] ModSecurity: APR compiled version="1.7.2"; loaded version="1.7.2"
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037470 2024] [security2:notice] [pid 1:tid 140093960431488] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037471 2024] [security2:notice] [pid 1:tid 140093960431488] ModSecurity: LUA compiled version="Lua 5.3"
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037472 2024] [security2:notice] [pid 1:tid 140093960431488] ModSecurity: YAJL compiled version="2.1.0"
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037473 2024] [security2:notice] [pid 1:tid 140093960431488] ModSecurity: LIBXML compiled version="2.9.14"
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037474 2024] [security2:notice] [pid 1:tid 140093960431488] ModSecurity: Original server signature: Apache/2.4.59 (Unix) OpenSSL/3.0.11
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.037475 2024] [security2:notice] [pid 1:tid 140093960431488] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.085027 2024] [ssl:error] [pid 1:tid 140093960431488] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / issuer: OU=MyUnit,O=MyOrg,L=NY,ST=NY,C=US,emailAddress=none@none.com,CN=localhost / serial: 2BB69DE0961FA576F1046042882927CBA1C203D9 / notbefore: Jun 27 08:56:53 2024 GMT / notafter: Jun 27 08:56:53 2025 GMT]
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.085054 2024] [ssl:error] [pid 1:tid 140093960431488] AH02604: Unable to configure certificate localhost:8443:0 for stapling
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.087594 2024] [mpm_event:notice] [pid 1:tid 140093960431488] AH00489: Apache/2.4.59 (Unix) OpenSSL/3.0.11 Apache configured -- resuming normal operations
2024-06-27 10:56:54 crs-apache-1  | [Thu Jun 27 08:56:54.087618 2024] [core:notice] [pid 1:tid 140093960431488] AH00094: Command line: 'httpd -D FOREGROUND'
2024-06-27 10:56:59 crs-apache-1  | [Thu Jun 27 08:56:59.851408 2024] [security2:error] [pid 32:tid 140093630314176] [client 172.24.0.1:59528] [client 172.24.0.1] ModSecurity: Warning. Matched phrase "etc/passwd" at ARGS:file. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "116"] [id "930120"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:file: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.3.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "localhost"] [uri "/"] [unique_id "Zn0pW-L7yAD60VEVxI269gAAAEA"]
2024-06-27 10:56:59 crs-apache-1  | [Thu Jun 27 08:56:59.851533 2024] [security2:error] [pid 32:tid 140093630314176] [client 172.24.0.1:59528] [client 172.24.0.1] ModSecurity: Warning. Matched phrase "etc/passwd" at ARGS:file. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "575"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: etc/passwd found within ARGS:file: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/4.3.0"] [tag "modsecurity"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "Zn0pW-L7yAD60VEVxI269gAAAEA"]
2024-06-27 10:56:59 crs-apache-1  | [Thu Jun 27 08:56:59.851916 2024] [security2:error] [pid 32:tid 140093630314176] [client 172.24.0.1:59528] [client 172.24.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "233"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [ver "OWASP_CRS/4.3.0"] [tag "modsecurity"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "localhost"] [uri "/"] [unique_id "Zn0pW-L7yAD60VEVxI269gAAAEA"]
2024-06-27 10:56:59 crs-apache-1  | [Thu Jun 27 08:56:59.852079 2024] [security2:error] [pid 32:tid 140093630314176] [client 172.24.0.1:59528] [client 172.24.0.1] ModSecurity: Warning. Unconditional match in SecAction. [file "/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "98"] [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=5, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=10)"] [ver "OWASP_CRS/4.3.0"] [tag "modsecurity"] [tag "reporting"] [tag "OWASP_CRS"] [hostname "localhost"] [uri "/"] [unique_id "Zn0pW-L7yAD60VEVxI269gAAAEA"]
2024-06-27 10:56:59 crs-apache-1  | {"transaction":{"time":"27/Jun/2024:08:56:59.852108 +0000","transaction_id":"Zn0pW-L7yAD60VEVxI269gAAAEA","remote_address":"172.24.0.1","remote_port":59528,"local_address":"172.24.0.2","local_port":8080},"request":{"request_line":"GET /?file=/etc/passwd HTTP/1.1","headers":{"Host":"localhost","User-Agent":"curl/8.7.1","Accept":"*/*"}},"response":{"protocol":"HTTP/1.1","status":403,"headers":{"Content-Length":"199","Content-Type":"text/html; charset=iso-8859-1"},"body":"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access this resource.</p>\n</body></html>\n"},"audit_data":{"messages":["Warning. Matched phrase \"etc/passwd\" at ARGS:file. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf\"] [line \"116\"] [id \"930120\"] [msg \"OS File Access Attempt\"] [data \"Matched Data: etc/passwd found within ARGS:file: /etc/passwd\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.3.0\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-lfi\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153/126\"] [tag \"PCI/6.5.4\"]","Warning. Matched phrase \"etc/passwd\" at ARGS:file. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"575\"] [id \"932160\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: etc/passwd found within ARGS:file: /etc/passwd\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.3.0\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/88\"] [tag \"PCI/6.5.2\"]","Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"233\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 10)\"] [ver \"OWASP_CRS/4.3.0\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"]","Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"98\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=5, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=10)\"] [ver \"OWASP_CRS/4.3.0\"] [tag \"modsecurity\"] [tag \"reporting\"] [tag \"OWASP_CRS\"]"],"error_messages":["[file \"apache2_util.c\"] [line 275] [level 3] [client 172.24.0.1] ModSecurity: Warning. Matched phrase \"etc/passwd\" at ARGS:file. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf\"] [line \"116\"] [id \"930120\"] [msg \"OS File Access Attempt\"] [data \"Matched Data: etc/passwd found within ARGS:file: /etc/passwd\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.3.0\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-lfi\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153/126\"] [tag \"PCI/6.5.4\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"Zn0pW-L7yAD60VEVxI269gAAAEA\"]","[file \"apache2_util.c\"] [line 275] [level 3] [client 172.24.0.1] ModSecurity: Warning. Matched phrase \"etc/passwd\" at ARGS:file. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"575\"] [id \"932160\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: etc/passwd found within ARGS:file: /etc/passwd\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.3.0\"] [tag \"modsecurity\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/152/248/88\"] [tag \"PCI/6.5.2\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"Zn0pW-L7yAD60VEVxI269gAAAEA\"]","[file \"apache2_util.c\"] [line 275] [level 3] [client 172.24.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file \"/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"233\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 10)\"] [ver \"OWASP_CRS/4.3.0\"] [tag \"modsecurity\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"Zn0pW-L7yAD60VEVxI269gAAAEA\"]","[file \"apache2_util.c\"] [line 275] [level 3] [client 172.24.0.1] ModSecurity: Warning. Unconditional match in SecAction. [file \"/etc/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf\"] [line \"98\"] [id \"980170\"] [msg \"Anomaly Scores: (Inbound Scores: blocking=10, detection=10, per_pl=10-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=5, RCE=5, PHPI=0, HTTP=0, SESS=0, COMBINED_SCORE=10)\"] [ver \"OWASP_CRS/4.3.0\"] [tag \"modsecurity\"] [tag \"reporting\"] [tag \"OWASP_CRS\"] [hostname \"localhost\"] [uri \"/\"] [unique_id \"Zn0pW-L7yAD60VEVxI269gAAAEA\"]"],"action":{"intercepted":true,"phase":2,"message":"Operator GE matched 5 at TX:blocking_inbound_anomaly_score."},"handler":"proxy-server","stopwatch":{"p1":471,"p2":625,"p3":0,"p4":0,"p5":86,"sr":0,"sw":0,"l":0,"gc":0},"response_body_dechunked":true,"producer":["ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/)","OWASP_CRS/4.3.0"],"server":"Apache/2.4.59 (Unix) OpenSSL/3.0.11","engine_mode":"ENABLED"}}
2024-06-27 10:57:44 crs-apache-1  | [Thu Jun 27 08:57:44.147622 2024] [mpm_event:error] [pid 1:tid 140093960431488] AH00484: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting


theseion commented 1 week ago

That's because you haven't specified a backend. The container runs in proxy mode by default and the proxy is configured for localhost, hence the redirects.
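A preflight check for the misconfiguration described in the reply above, written as an added example that is not part of the modsecurity-crs-docker project: it parses the upstream URL the proxy container is started with and rejects a loopback backend, since inside the container nothing but the proxy itself listens there. The variable names BACKEND and PORT and the defaults used in the last line are assumptions about the image, not taken from this thread.

```shell
#!/bin/sh
# Added example, not project code. Checks that a reverse-proxy container is not
# pointed at itself before it is started. Handles hostname and IPv4 forms of the
# URL (bracketed IPv6 literals are not parsed).

# backend_host URL -> prints the host part of the URL
backend_host() {
    hostport=${1#*://}        # drop the scheme
    hostport=${hostport%%/*}  # drop any path
    hostport=${hostport#*@}   # drop any userinfo
    echo "${hostport%%:*}"    # drop the port
}

# backend_port URL -> prints the explicit port, or the scheme default
backend_port() {
    hostport=${1#*://}
    hostport=${hostport%%/*}
    hostport=${hostport#*@}
    port=${hostport##*:}
    if [ "$port" = "$hostport" ]; then   # no ':' present, so no explicit port
        case $1 in
            https://*) port=443 ;;
            *)         port=80 ;;
        esac
    fi
    echo "$port"
}

# check_backend URL LISTEN_PORT -> 0 if the backend is a real upstream,
# 1 if it points back into this container (warning on stderr)
check_backend() {
    host=$(backend_host "$1")
    port=$(backend_port "$1")
    case $host in
        localhost|127.*|0.0.0.0|::1)
            if [ "$port" = "$2" ]; then
                echo "BACKEND $1 is this container's own listener on port $2; the proxy would forward to itself" >&2
            else
                echo "BACKEND $1 is loopback inside the container; no upstream listens there" >&2
            fi
            return 1 ;;
    esac
    return 0
}

# Demo run. The defaults are constructed placeholders for the demonstration,
# not the image's documented defaults.
if check_backend "${BACKEND:-http://localhost:80}" "${PORT:-8080}"; then
    echo "backend looks sane: $(backend_host "${BACKEND:-http://localhost:80}")"
else
    echo "set BACKEND to the address of the application the proxy should protect"
fi
```

Run it with the same environment the compose service gets (for example `BACKEND=http://app.internal:8080 PORT=8080 sh check-backend.sh`); a non-zero return from `check_backend` is the signal to fix the compose file before the workers fill up.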

theseion commented 1 week ago

Please reopen if you feel that you need more help.