Andras Got | 1 Jul 2005 19:06

freebsd apache 2.0 w/mod_sec sig11

Hi,

I get sig11 (Apache dies) with mod_security whenever a SecFilter rule is matched. Is this normal?

Apache 2.0.54 + mod_vhs + mod_security + mod_ssl installed (sig11 occurs both ssl and non-ssl 
requests). The operating system is FreeBSD 5.4-p2, the machine is a brand new Intel Xeon server.

[Fri Jul 01 18:55:53 2005] [error] [client $myip] mod_security: Access denied with code 404. Pattern match "(phpbb|awstats|pma|phpmyadmin)" at THE_REQUEST [hostname "myhost"] [uri "/sqladmin/css/phpmyadmin.css.php?lang=hu-iso-8859-2&js_frame=right&js_isDOM=1"] [unique_id fbAyT38AAAUAALwqmOMAAAAE]
[Fri Jul 01 18:55:54 2005] [notice] child pid 48170 exit signal Segmentation fault (11)

So it works normally but does a segfault at every match.

Thank you for your help,
Andrej

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
Ivan Ristic | 1 Jul 2005 21:53

Re: freebsd apache 2.0 w/mod_sec sig11

Andras Got wrote:
> Hi,
> 
> I get sig11 (Apache dies) with mod_security whenever a SecFilter rule is 
> matched. Is this normal?

   Andras and I exchanged a couple of emails privately. The segfault is
   harmless. It occurs if the audit log is enabled but the path to the
   log file is not defined. Disabling the audit engine, or defining the
   path fixes the issue.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
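
The condition named in the reply above (audit engine enabled, no log path defined) can be caught by scanning the configuration before Apache starts. This is an added example, not part of the original thread or of ModSecurity's code; the sample configuration, the addresses and the function name are constructed, and the scope-inheritance rule is an assumption.

```python
# Constructed sample: auditing is enabled in two virtual hosts, but only the
# second one defines SecAuditLog.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
    SecAuditEngine On
</VirtualHost>
<VirtualHost 192.0.2.11:80>
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
</VirtualHost>
"""
# Containers that only make directives conditional; they open no new scope.
TRANSPARENT = {"ifmodule", "ifdefine"}

def audit_log_gaps(conf_text):
    """Return (line, scope, value) for each SecAuditEngine directive that
    enables auditing with no SecAuditLog in its scope or an enclosing one.
    Assumptions: any value other than Off enables auditing, and containers
    inherit SecAuditLog from the enclosing scope."""
    root = {"name": "server config", "parent": None, "engine": None, "log": None}
    scopes, stack = [root], [root]
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(stack) > 1:
                stack.pop()
        elif line.startswith("<"):
            tag = (line[1:].rstrip(">").split() or [""])[0].lower()
            scope = stack[-1]
            if tag not in TRANSPARENT:
                scope = {"name": line.strip("<>"), "parent": scope, "engine": None, "log": None}
                scopes.append(scope)
            stack.append(scope)
        else:
            parts = line.split(None, 1)
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            if parts[0].lower() == "secauditengine":
                stack[-1]["engine"] = (no, value)
            elif parts[0].lower() == "secauditlog" and value:
                stack[-1]["log"] = value
    def has_log(s):
        return s is not None and (bool(s["log"]) or has_log(s["parent"]))
    return [(s["engine"][0], s["name"], s["engine"][1]) for s in scopes
            if s["engine"] and s["engine"][1].lower() != "off" and not has_log(s)]

if __name__ == "__main__":
    print(audit_log_gaps(SAMPLE_CONF))
```
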

Daniel Fdez. Bleda | 4 Jul 2005 09:35

Modifying output buffers "on the fly"

Hello,

I'm trying to modify the content of the buffer sent to the user during
the sec_filter_out() function after having in the context the
output_ptr and sizelen of data.

I've done it but when I write in the newly allocated out_ptr using the
apr_palloc function and write the new value in the len field the user
receives the HTML with the old length, so the page is not complete.

I'm doing this, at first stage, to strip comment code in HTML (libxml2
adds some tabs, spaces and returns that make HTML occupy more space, but
more readable) and later to have signatures to http request to the
site in the HTML to avoid alterations in the request to the server.

Thanks,
-- 
_________________________________
Daniel Fernández Bleda
Account Manager
e-Security Engineer
OPSA/OPST Trainer, CISSP
dfernandez <at> isecauditors.com

Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com

Ivan Ristic | 4 Jul 2005 09:54

Re: Modifying output buffers "on the fly"

Daniel Fdez. Bleda wrote:
> Hello,
> 
> I'm trying to modify the content of the buffer sent to the user during
> the sec_filter_out() function after having in the context the
> output_ptr and sizelen of data.
> 
> I've done it but when I write in the newly allocated out_ptr using the
> apr_palloc function and write the new value in the len field the user
> receives the HTML with the old length, so the page is not complete.
> 
> I'm doing this, at first stage, to strip comment code in HTML (libxml2
> adds some tabs, spaces and returns that make HTML occupy more space, but
> more readable) and later to have signatures to http request to the
> site in the HTML to avoid alterations in the request to the server.

   That's probably because there's an old Content-Length header
   present. Try to remove it from r->headers_out as you change the
   output.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org


Ivan Ristic | 4 Jul 2005 17:45

Re: toggle logging of post payload

Thomas Berton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello,
> I'm trying to toggle the logging of the post data of a certain page.
> I'm using mod_security 1.8.7 with Apache 2.0.54. Config is below:
> 
> ~    AddHandler application/x-httpd-php .php
> ~    SecAuditEngine On
> ~    SecAuditLog logs/audit_log
> ~    SecFilterEngine On
> ~    SecFilterDefaultAction "allow,nolog"
> ~    SecFilterScanPOST On
> ~    SecFilterSelective SCRIPT_FILENAME "!(/index.php)$" "allow,log"
> 
> It appears the 'nolog' option does not function the way I had it in mind.
> I hope some of you can give me some pointers how to handle this. The
> actual problem is that certain post data contains high sensitive
> information that I wish to ban from the audit_log file.

   Try using "SecAuditEngine RelevantOnly" instead.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org


Jeff Tharp | 8 Jul 2005 02:29

Chroot and worker MPM?

I'm getting a weird error when configuring chroot using SecChrootDir and
using the worker MPM.  Hoping someone else has run across this before
and has some ideas.

Versions are as follows: Red Hat Enterprise Linux v4, Apache 2.0.54,
ModSecurity 1.8.7 
(Note, Apache was configured with all modules as static, including
ModSecurity)

Relevant configuration bits from /etc/httpd/conf/httpd.conf:

<IfModule worker.c>
ServerLimit          1
ThreadLimit        300
StartServers         0
MaxClients         256
MinSpareThreads      1
MaxSpareThreads    256
ThreadsPerChild    256
MaxRequestsPerChild  0
</IfModule>

# Mod_Security Directives
<IfModule mod_security.c>
        SecChrootDir /var/www
        SecChrootLock /var/lock/modsecurity-chroot.lock
</IfModule>

When I start the server, I get the following in
/var/log/httpd/error_log:

Dr James G Brown | 10 Jul 2005 13:16

open source web medical records security

Has anyone had experience with using mod_security in a web-based 
electronic patient record application? I am co-developing an open source 
system to be used in the UK, possibly the NHS, and need advice and 
previous expertise in the security relating to web-based 3-tier 
applications, especially regarding security. Any advice would be appreciated.

kind regards

Dr James Brown
Sport + Orthopaedic Physician
Wakefield UK

Dan | 11 Jul 2005 06:53

SecChrootDir & Apache Debug Mode


I have an Apache 2.0.54 compiled with mod_security 1.8.7 and I'm using 
SecChrootDir.  I'm trying to figure out why my PHP exec() call is failing 
by using strace.  To run strace I'm starting Apache in debug mode (-X) like 
below:

strace /usr/local/apache2/bin/httpd -X

However, SecChrootDir seems to have a problem when I start Apache in debug 
mode.  I get the following error in the log.

[emerg] mod_security: chroot requested but not completed! Exiting.

This makes it slightly difficult to check my PHP script's exec() with 
strace while in jail.  Is this a known problem?  Are there any workarounds 
or alternative methods to get the debugging information I'm after?

Thanks!

-Dan

Ivan Ristic | 11 Jul 2005 14:15

Re: Chroot and worker MPM?

Jeff Tharp wrote:
> I'm getting a weird error when configuring chroot using SecChrootDir and
> using the worker MPM.  Hoping someone else has run across this before
> and has some ideas.
> 
> Versions are as follows: Red Hat Enterprise Linux v4, Apache 2.0.54,
> ModSecurity 1.8.7 
>
> ...
>
> libgcc_s.so.1 must be installed for pthread_cancel to work
> [Thu Jul 07 17:07:11 2005] [notice] child pid 3428 exit signal Aborted
> (6)

   I can confirm the same happens with stock 2.0.54 on Fedora Core 1,
   although my Apache does not segfault.

   It appears that the required library libgcc_s.so.1 is not loaded
   before chroot takes place (and it certainly cannot be loaded
   afterwards).

   Moving the library into jail worked for me. I placed it into
   ~/apache2/lib. What also worked is an attempt to load the library
   before chroot takes place, from mod_security itself (by creating
   a thread that does nothing.)

   I've made a TODO note for myself to see if this hack is portable at
   all, or whether it can be #ifdef-ed. Getting it to work would be
   really nice, because the internal chroot measure would work really
   well for a multithreaded Apache working as a reverse proxy only.

Ivan Ristic | 11 Jul 2005 14:22

Re: SecChrootDir & Apache Debug Mode

Dan wrote:
> 
> I have an Apache 2.0.54 compiled with mod_security 1.8.7 and I'm using 
> SecChrootDir.  I'm trying to figure out why my PHP exec() call is 
> failing by using strace.

   That's probably because you have no /bin/sh in the jail. PHP requires
   it. In general, the internal chroot mechanism is unlikely to be
   good enough if you have a need to execute external binaries. In such
   cases you are much better off creating a proper jail.

> To run strace I'm starting Apache in debug 
> mode (-X) like below:
> 
> strace /usr/local/apache2/bin/httpd -X
> 
> However, SecChrootDir seems to have a problem when I start Apache in 
> debug mode.  I get the following error in the log.
> 
> [emerg] mod_security: chroot requested but not completed! Exiting.
> 
> This makes it slightly difficult to check my PHP script's exec() with 
> strace while in jail.  Is this a known problem?  Are there any 
> workarounds or alternative methods to get the debugging information I'm after?

   You are right, strace breaks the way the internal chroot mechanism
   works. However, that is only true in 1.8.x. I have been planning to
   make some changes to the internal chroot mechanism in 1.9 and,
   prompted by your email, I made them today. As a side effect of these
   changes strace will work with 1.9.x.
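
Both jail problems in the two replies above (libgcc_s.so.1 missing for the worker MPM, /bin/sh missing for PHP's exec()) come down to files that must exist inside the chroot directory. This is an added example, not code from the thread or from ModSecurity: it checks a jail for those files and resolves symlinks the way the chrooted process would, so an absolute link that only works on the host is reported as missing. The function names and the library directories searched are assumptions.

```python
import os
import sys

# Assumed locations: /bin/sh is named in the thread; the library directories
# are common loader paths chosen for illustration.
REQUIRED = {
    "/bin/sh": ["/bin/sh"],
    "libgcc_s.so.1": ["/lib/libgcc_s.so.1", "/lib64/libgcc_s.so.1",
                      "/usr/lib/libgcc_s.so.1", "/usr/lib64/libgcc_s.so.1"],
}

def resolve_in_jail(jail, path, max_links=16):
    """Resolve path the way a process chrooted to jail would: an absolute
    symlink target restarts at the jail root, never at the host root.
    Returns the host-side path of the target, or None if it does not exist."""
    jail = os.path.realpath(jail)
    todo = [p for p in path.split("/") if p]
    done = []                          # resolved components inside the jail
    while todo:
        part = todo.pop(0)
        if part in (".", ".."):
            done = done[:-1] if part == ".." else done   # ".." stops at the jail root
            continue
        host = os.path.join(jail, *done, part)
        if os.path.islink(host):
            max_links -= 1
            if max_links < 0:
                return None            # symlink loop
            target = os.readlink(host)
            if target.startswith("/"):
                done = []
            todo = [p for p in target.split("/") if p] + todo
        elif os.path.lexists(host):
            done.append(part)
        else:
            return None
    return os.path.join(jail, *done)

def jail_preflight(jail, required=REQUIRED):
    """Return the labels in required that have no regular file in the jail."""
    missing = []
    for label, candidates in required.items():
        found = (resolve_in_jail(jail, c) for c in candidates)
        if not any(f and os.path.isfile(f) for f in found):
            missing.append(label)
    return missing

if __name__ == "__main__":
    print(jail_preflight(sys.argv[1]))
```
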

