marks mlists | 1 Sep 13:07

Output Filters with mod_jk2


Hello modsec guys,

I am sure someone already used modsecurity on a webserver which is
connecting to tomcat servers. I am running into the following problem:

Having rules like SecFilterSelective OUTPUT "evilstring" is working fine
as long as the document containing that evilstring is being served by
apache itself or of course, via mod_proxy. But it does not work like I
want it to with mod_jk(2).

If I request a page within a context mapped by mod_jk, e.g.
/app/evilfile containing the string, I get a successful pattern match:
mod_security: Access denied with code 200. Pattern match "evilstring"
at OUTPUT [uri "/app/evilfile"]

but

I am not receiving my standard error page for 404, 200, 500, 302 or
whatever I configure. I always get this reply (Yes I use 200s):

HTTP/1.1 200 OK
Date: Thu, 01 Sep 2005 10:54:19 GMT
Server: masked 1.0
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>200 OK</title>

Ivan Ristic | 1 Sep 17:40

Re: Output Filters with mod_jk2

marks mlists wrote:
> Hello modsec guys,
> 
> I am sure someone already used modsecurity on a webserver which is
> connecting to tomcat servers. I am running into the following problem:
> 
> Having rules like SecFilterSelective OUTPUT "evilstring" is working fine
> as long as the document containing that evilstring is being served by
> apache itself or of course, via mod_proxy. But it does not work like I
> want it to with mod_jk(2).
> 
> If I request a page within a context mapped by mod_jk, e.g.
> /app/evilfile containing the string, I get a successful pattern match:
> mod_security: Access denied with code 200. Pattern match "evilstring"
> at OUTPUT [uri "/app/evilfile"]

   From the above log message it would appear mod_security is configured
   to respond with status code 200.

   What happens when you use:

   SecFilterSelective OUTPUT evilstring log,deny,status:404

   ?

> So does someone of you have a clue what to do or where to have a look
> at? Thanks in advance.

   We need to look at your configuration files and, possibly,
   your debug log entries at level 9. Look here for the instructions:
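
The wiring Ivan is pointing at, written out as an added example (not configuration from the thread or from the ModSecurity project): a ModSecurity 1.x OUTPUT rule that denies with an explicit error status, paired with the Apache ErrorDocument that should then serve the site's own page. The error-page path is an assumption. In the thread this combination is reported to work for content Apache serves itself or via mod_proxy; the mod_jk2 case is the open problem.

```apache
# Added example, not from the thread. Paths are assumptions.

SecFilterEngine On
SecFilterScanOutput On

# Only scan bodies of these types; "(null)" covers a missing Content-Type.
SecFilterOutputMimeTypes "(null) text/html text/plain"

# Give every deny a real error status, so Apache's ErrorDocument
# handling applies to the blocked response.
SecFilterDefaultAction "deny,log,status:404"

# Local URL (leading slash) for the site's own 404 page. Assumed path.
ErrorDocument 404 /errors/404.html

# Match Tomcat's default error page in the response body. Per-rule
# actions, when given, override SecFilterDefaultAction for this rule.
SecFilterSelective OUTPUT "HTTP Status 4[0-9][0-9]" "log,deny,status:404"
```

Two checks worth making when this does not behave: confirm the rule's status is an error code (a "deny" with status:200 leaves nothing for ErrorDocument to act on), and confirm the ErrorDocument target is itself reachable, since the "Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument" text Mark quotes is Apache's message for a failed error-page subrequest.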

marks mlists | 2 Sep 11:24

Re: Output Filters with mod_jk2


Hello Ivan,

first, it is the same with 404s. It is just a 404 header and message:

 HTTP/1.1 404 Not Found
 Date: Fri, 02 Sep 2005 08:19:54 GMT
 Server: 5
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>404 Not Found</title>
 </head><body>
 <h1>Not Found</h1>
 <p>The requested URL /fpi/testi.html was not found on this server.</p>
 <p>Additionally, a 404 Not Found
 error was encountered while trying to use an ErrorDocument to handle
 the request.</p>
 </body></html>

Maybe I was able to find something new regarding that. I have to explain
that the intention was to catch tomcats 404 error pages and instead
redirect the user or show him the general webserver error page. So I
created a 404 output rule (see it below, normally it should read
SecFilterSelective OUTPUT "HTTP Status 4[0-9][0-9]" but anyway).
I used evilstring as a placeholder in my last email. In fact, matching
evilstring works just fine. The real evil message which does not work is
that tomcat 404 page. That means: having the two output rules found

Ryan Barnett | 2 Sep 13:05

Re: Output Filters with mod_jk2

Take a look at your debug output.  It is catching the 404 text string in the html body of the response and not the HTTP headers.  The quick answer to your situation is that the output filtering of mod_security looks at the body of the response and not the HTTP header info.  One thing that you could try would be to use proxying of some sort with Apache.  I found that when you use the proxy module, mod_security will look at the entire response (headers + body).
 
Give it a try and let me know.
 
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

 
On 9/2/05, marks mlists <mlist <at> msnx.de> wrote:

Hello Ivan,

first, it is the same with 404s. It is just a 404 header and message:

HTTP/1.1 404 Not Found
Date: Fri, 02 Sep 2005 08:19:54 GMT
Server: 5
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /fpi/testi.html was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle
the request.</p>
</body></html>

Maybe I was able to find something new regarding that. I have to explain
that the intention was to catch tomcats 404 error pages and instead
redirect the user or show him the general webserver error page. So I
created a 404 output rule (see it below, normally it should read
SecFilterSelective OUTPUT "HTTP Status 4[0-9][0-9]" but anyway).
I used evilstring as a placeholder in my last email. In fact, matching
evilstring works just fine. The real evil message which does not work is
that tomcat 404 page. That means: having the two output rules found
below and browsing the tomcat context, access to a file containing
"evilstring" is being restricted fine with no internal server error. So
no problem there. But if you are trying to access a document inside the
context which is not there causing tomcat to send a 404 page to the
webserver, the 404 is being matched, but the custom error page is not
being delivered. So we have a pattern match and we can control the
headers (the header will be what is in mod_security.conf) but apache
gives back the internal server error as above (Just as if it could not
find the error page).

OK, so I created a file (testi.html) containing exactly the tomcat error
message. You can browse that file, modsecurity matches the 404 output
and you get the configured error page as expected. When I removed that
file and tried to access it again, tomcat was sending its 404 code and
the described error occurred. You can see the requests in the L9 debug.

The only difference between the tomcat 404 and the webpage containing
exactly the same html code I can see is:

1. There is a trailing NULL at the end of the created webpage
2. The header sent by tomcat. When accessing the file, tomcat sends

HTTP/1.1 200 OK
ETag: W/"996-1125649082000"
Last-Modified: Fri, 02 Sep 2005 08:18:02 GMT
Content-Type: text/html
Content-Length: 996
Date: Fri, 02 Sep 2005 09:04:44 GMT
Server: Apache-Coyote/1.1
Connection: close

and after removing the file tomcat outputs

HTTP/1.1 404 /fpi/testi.html
Content-Type: text/html;charset=utf-8
Content-Length: 997
Date: Fri, 02 Sep 2005 09:05:55 GMT
Server: Apache-Coyote/1.1
Connection: close

Maybe it is about communication between apache and mod_jk, where
modsecurity is not involved. But we can match that 404!?
Just have a look at the attached log. Maybe you have got an idea.
And here is my (stripped) config:

SecChrootDir /usr/local/jail
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterCheckCookieFormat On
SecFilterNormalizeCookies On
SecFilterScanOutput On
SecFilterOutputMimeTypes "(null) text/html text/plain"
SecFilterForceByteRange 8 255
SecServerSignature "5"
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDefaultAction "deny,log,pause:2231,status:404"
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 9
SecFilterSelective OUTPUT "evilstring"
SecFilterSelective OUTPUT "404"


Thanks in advance!
-mark


Ivan Ristic wrote:
> marks mlists wrote:
>
>> Hello modsec guys,
>>
>> I am sure someone already used modsecurity on a webserver which is
>> connecting to tomcat servers. I am running into the following problem:
>>
>> Having rules like SecFilterSelective OUTPUT "evilstring" is working fine
>> as long as the document containing that evilstring is being served by
>> apache itself or of course, via mod_proxy. But it does not work like I
>> want it to with mod_jk(2).
>>
>> If I request a page within a context mapped by mod_jk, e.g.
>> /app/evilfile containing the string, I get a successful pattern match:
>> mod_security: Access denied with code 200. Pattern match "evilstring"
>> at OUTPUT [uri "/app/evilfile"]
>
>
>   From the above log message it would appear mod_security is configured
>   to respond with status code 200.
>
>   What happens when you use:
>
>   SecFilterSelective OUTPUT evilstring log,deny,status:404
>
>   ?
>
>> So does someone of you have a clue what to do or where to have a look
>> at? Thanks in advance.
>
>
>   We need to look at your configuration files and, possibly,
>   your debug log entries at level 9. Look here for the instructions:
>   http://www.modsecurity.org/documentation/support-request-checklist.html
>


[/fpi/testi.html[2 sec_check_access_early: Early processing activated
[/fpi/testi.html[2 sec_check_access: Got called for request 187090
[/fpi/testi.html[9 Stored msr (187ed8) in r (187090)
[/fpi/testi.html[4 Normalised REQUEST_URI: "/fpi/testi.html"
[/fpi/testi.html[2 Parsing arguments...
[/fpi/testi.html[3 Content-Type is not available
[/fpi/testi.html[2 read_post_payload: Content-Length not available, chunked encoding not detected - assuming no request body
[/fpi/testi.html[4 Time #1: 0 usec
[/fpi/testi.html[4 Time #2: 0 usec
[/fpi/testi.html[2 sec_check_access: Got called for request 187090
[/fpi/testi.html[9 Found msr (187ed8) in r (187090)
[/fpi/testi.html[4 sec_check_access: Ignoring request that was already processed
[/fpi/testi.html[9 sec_insert_filter: Starting
[/fpi/testi.html[9 Found msr (187ed8) in r (187090)
[/fpi/testi.html[2 scan_pre: Adding output filter
[/fpi/testi.html[3 sec_filter_out: start
[/fpi/testi.html[9 Found msr (187ed8) in r (187090)
[/fpi/testi.html[3 sec_filter_out: Content-Type = "text/html"
[/fpi/testi.html[3 sec_filter_out: got Content-Length 996
[/fpi/testi.html[3 sec_filter_out: got 996 bytes, bufused=0, buflen=996
[/fpi/testi.html[3 sec_filter_out: start
[/fpi/testi.html[3 sec_filter_out: done reading
[/fpi/testi.html[2 Checking signature "404" at OUTPUT
[/fpi/testi.html[4 Checking against "<html><head><title>Apache Tomcat/5.0.28 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /fpi/teti.html</h1><HR size=\"1\" noshade=\"noshade\"><p><b>type</b> Status report</p><p><b>message</b> <u>/fpi/teti.html</u></p><p><b>description</b> <u>The requested resource (/fpi/teti.html) is not available.</u></p><HR size=\"1\" noshade=\"noshade\"><h3>Apache Tomcat/5.0.28</h3></body></html>\x0
[/fpi/testi.html[1 Access denied with code 404. Pattern match "404" at OUTPUT
[/fpi/testi.html[1 Pausing [/fpi/testi.html for 2231 ms
[/error.asis[2 sec_check_access_early: Early processing activated
[/error.asis[2 sec_check_access: Got called for request 18dc20
[/error.asis[9 Found msr (187ed8) in r->prev (187090)
[/error.asis[2 sec_check_access: Filtering off, not an initial request
[/error.asis[2 sec_check_access: Got called for request 18dc20
[/error.asis[9 Found msr (187ed8) in r->prev (187090)
[/error.asis[2 sec_check_access: Filtering off, not an initial request
[/error.asis[9 sec_insert_filter: Starting
[/error.asis[9 Found msr (187ed8) in r->prev (187090)
[/error.asis[2 sec_insert_filter: Skipping, output filtering already completed
[/error.asis[9 Found msr (187ed8) in r->prev (187090)
[/error.asis[2 sec_audit_logger_serial: start
[/error.asis[9 sec_audit_logger_serial: is_relevant=1, should_body_exist=0, is_body_read=0
[/fpi/testi.html[2 sec_check_access_early: Early processing activated
[/fpi/testi.html[2 sec_check_access: Got called for request 189098
[/fpi/testi.html[9 Stored msr (189ee0) in r (189098)
[/fpi/testi.html[4 Normalised REQUEST_URI: "/fpi/testi.html"
[/fpi/testi.html[2 Parsing arguments...
[/fpi/testi.html[3 Content-Type is not available
[/fpi/testi.html[2 read_post_payload: Content-Length not available, chunked encoding not detected - assuming no request body
[/fpi/testi.html[4 Time #1: 0 usec
[/fpi/testi.html[4 Time #2: 0 usec
[/fpi/testi.html[2 sec_check_access: Got called for request 189098
[/fpi/testi.html[9 Found msr (189ee0) in r (189098)
[/fpi/testi.html[4 sec_check_access: Ignoring request that was already processed
[/fpi/testi.html[9 sec_insert_filter: Starting
[/fpi/testi.html[9 Found msr (189ee0) in r (189098)
[/fpi/testi.html[2 scan_pre: Adding output filter
[/fpi/testi.html[3 sec_filter_out: start
[/fpi/testi.html[9 Found msr (189ee0) in r (189098)
[/fpi/testi.html[3 sec_filter_out: Content-Type = "text/html;charset=utf-8"
[/fpi/testi.html[3 sec_filter_out: got Content-Length 997
[/fpi/testi.html[3 sec_filter_out: got 997 bytes, bufused=0, buflen=997
[/fpi/testi.html[3 sec_filter_out: start
[/fpi/testi.html[3 sec_filter_out: done reading
[/fpi/testi.html[2 Checking signature "404" at OUTPUT
[/fpi/testi.html[4 Checking against "<html><head><title>Apache Tomcat/5.0.28 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /fpi/testi.html</h1><HR size=\"1\" noshade=\"noshade\"><p><b>type</b> Status report</p><p><b>message</b> <u>/fpi/testi.html</u></p><p><b>description</b> <u>The requested resource (/fpi/testi.html) is not available.</u></p><HR size=\"1\" noshade=\"noshade\"><h3>Apache Tomcat/5.0.28</h3></body></html>
[/fpi/testi.html[1 Access denied with code 404. Pattern match "404" at OUTPUT
[/fpi/testi.html[1 Pausing [/fpi/testi.html for 2231 ms
[/fpi/testi.html[9 Found msr (189ee0) in r (189098)
[/fpi/testi.html[2 sec_audit_logger_serial: start
[/fpi/testi.html[9 sec_audit_logger_serial: is_relevant=1, should_body_exist=0, is_body_read=0


SunOS xx 5.9 Generic_118558-06 sun4u sparc SUNW,Sun-Fire-V210

Server version: Apache/2.0.54
Server built:   May 24 2005 17:07:25
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_FCNTL_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/usr/local/apache2"
-D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
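
Ryan's point (the OUTPUT rule sees the response body, not the status line or headers) and Mark's two captures (the saved copy served as 200, the real Tomcat 404) can be made concrete with a small model of the 1.x output filter. This is an added example, not code from the thread or from ModSecurity; the responses below are constructed in the shape of the Tomcat replies quoted above, the MIME gate follows the SecFilterOutputMimeTypes line in Mark's config, and the handling of ";charset=..." parameters is an assumption (consistent with the debug log scanning "text/html;charset=utf-8"). The scan_headers flag models the difference Ryan describes between mod_jk2 (body only) and mod_proxy (whole response).

```python
"""Model of ModSecurity 1.x OUTPUT scanning: body only, gated by MIME type.

Added example, not code from the thread or from ModSecurity itself. The sample
responses are constructed here, shaped like the two Tomcat replies quoted above.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed body in the shape of Tomcat 5's default error page (abridged).
ERROR_PAGE_BODY = (
    "<html><head><title>Apache Tomcat/5.0.28 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /fpi/testi.html</h1>"
    "<p><b>description</b> <u>The requested resource "
    "(/fpi/testi.html) is not available.</u></p></body></html>"
)

# Case 1: the saved copy of the error page, served as a normal 200.
SAVED_COPY_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    f"Content-Length: {len(ERROR_PAGE_BODY)}\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "\r\n" + ERROR_PAGE_BODY
)

# Case 2: the real Tomcat 404 for a missing resource.
TOMCAT_404 = (
    "HTTP/1.1 404 /fpi/testi.html\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    f"Content-Length: {len(ERROR_PAGE_BODY)}\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "\r\n" + ERROR_PAGE_BODY
)

# Case 3: a non-text response whose bytes happen to contain the pattern.
IMAGE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/gif\r\n"
    "\r\n"
    "GIF89a ... HTTP Status 404 ..."
)

# Mirrors: SecFilterOutputMimeTypes "(null) text/html text/plain"
DEFAULT_MIME_TYPES = ("(null)", "text/html", "text/plain")


def split_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into status line, header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def mime_allowed(content_type: Optional[str], allowed: Tuple[str, ...]) -> bool:
    """Apply the MIME gate: "(null)" stands for a missing Content-Type.

    Assumption: parameters such as ";charset=utf-8" are ignored, which is
    consistent with the debug log scanning "text/html;charset=utf-8".
    """
    if content_type is None:
        return "(null)" in allowed
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in allowed


def output_filter(raw: str, pattern: str,
                  allowed: Tuple[str, ...] = DEFAULT_MIME_TYPES,
                  scan_headers: bool = False) -> Optional[str]:
    """Return the matched text, or None if the OUTPUT rule does not fire.

    scan_headers=False models what the thread reports for mod_jk2: only the
    response body is checked. scan_headers=True models the mod_proxy case
    Ryan describes, where the status line and headers are visible too.
    """
    _, headers, body = split_response(raw)
    if not mime_allowed(headers.get("content-type"), allowed):
        return None
    haystack = raw if scan_headers else body
    match = re.search(pattern, haystack)
    return match.group(0) if match else None


if __name__ == "__main__":
    body_rule = r"HTTP Status 4[0-9][0-9]"   # Mark's intended body rule
    status_rule = r"^HTTP/1\.[01] 404"       # a rule on the status line
    for name, raw in (("saved copy", SAVED_COPY_200), ("real 404", TOMCAT_404)):
        print(f"{name:10s} body rule              -> {output_filter(raw, body_rule)!r}")
        print(f"{name:10s} status rule, body only -> {output_filter(raw, status_rule)!r}")
        print(f"{name:10s} status rule, whole     -> "
              f"{output_filter(raw, status_rule, scan_headers=True)!r}")
    print(f"image      body rule              -> {output_filter(IMAGE_200, body_rule)!r}")
```

Running it shows the two halves of the thread's observation: the body rule fires identically on the saved copy and on the real 404, because it is matching page content rather than the response status, while a rule on the status line only fires when headers are in scope. The image case shows the MIME gate dropping a non-text response before any pattern is tried.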






marks mlists | 5 Sep 11:00

Re: Output Filters with mod_jk2


Hello Ryan,

thanks for your answer. Please see my quotes below.

Thank you!
-mark

Ryan Barnett wrote:
> Take a look at your debug output.  It is catching the 404 text string in
> the html body of the response and not the HTTP headers.  The quick
> answer to your situation is that the output filtering of mod_security
> looks at the body of the response and not the HTTP header info. 

OK, but am I right when thinking that there is no difference between the
two requests in the log regarding output filtering? In both cases the
string is matched in the body (which is sufficient for me in this
situation). But for the second request, the error page is not delivered.
If we found a way to deliver that error page correctly, everything would
be great.

What do you think about the idea "...Maybe it is about communication
between apache and mod_jk, where modsecurity is not involved"? Could
that be a possible problem?

> One thing that you could try would be to use proxying of some sort with
> Apache.  I found that when you use the proxy module, mod_security will
> look at the entire response (headers + body).

thanks for your suggestion. I think filtering with the upcoming
proxy_ajp module could be working without a problem, but for now we
cannot switch to mod_proxy because we need those load balancing features
that mod_jk2 offers. I tested it with mod_proxy, and as you mentioned,
there was no problem. Within the other pages (some are served with
mod_proxy) output filtering is fine.

> Give it a try and let me know.
>  
> -- 
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> 
>  
> On 9/2/05, *marks mlists* <mlist <at> msnx.de <mailto:mlist <at> msnx.de>> wrote:
> 
>     The only difference between the tomcat 404 and the webpage containing
>     exactly the same html code I can see is:
> 
>     1. There is a trailing NULL at the end of the created webpage
>     2. The header sent by tomcat. When accessing the file, tomcat sends
> 
>     HTTP/1.1 200 OK
>     ETag: W/"996-1125649082000"
>     Last-Modified: Fri, 02 Sep 2005 08:18:02 GMT
>     Content-Type: text/html
>     Content-Length: 996
>     Date: Fri, 02 Sep 2005 09:04:44 GMT
>     Server: Apache-Coyote/1.1
>     Connection: close
> 
>     and after removing the file tomcat outputs
> 
>     HTTP/1.1 404 /fpi/testi.html
>     Content-Type: text/html;charset=utf-8
>     Content-Length: 997
>     Date: Fri, 02 Sep 2005 09:05:55 GMT
>     Server: Apache-Coyote/1.1
>     Connection: close
> 
>     Thanks in advance!
>     -mark
> 

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Ivan Ristic | 5 Sep 11:42

Re: Output Filters with mod_jk2

marks mlists wrote:
>
> If we found a way to deliver that error page correctly, everything would
> be great.

   Hi Mark,

   Thank you for the debugging information. Just from looking at it
   I could conclude the problem lies in the interaction between
   Apache and mod_jk2, possibly mod_security too. To investigate the
   problem further I will install mod_jk2 and Tomcat, and look at
   how it works.

   I'll try to do this by the end of the week.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Ivan Ristic | 8 Sep 10:33

Re: disable mod_security per REMOTE_ADDR

Achim Hoffmann wrote:
> for testing a live platform I need to disable mod_security.
> I know that SecFilterSelective can be triggered on REMOTE_ADDR, but I'm 
> unsure if it can
> be used to disable *all* tests for a specific IP without changing all 
> rules from
> SecFilter to SecFilterSelective.

   The code in the CVS is now capable of dynamically enabling or
   disabling mod_security per request. It uses the MODSEC_ENABLE
   environment variable. If the variable exists it will override
   the SecFilterEngine directive. The parameters are the same (ie
   On, Off, DynamicOnly).

   Example:

   SetEnvIfNoCase Remote_Addr ^192\.168\.2\.12$ \
   "MODSEC_ENABLE=Off"

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Brümmer, Dirk (IT | 8 Sep 13:14

Apache2 Mod Sec Static

Hello,
Is there a chance to build Mod Security statically into Apache 2, or will this work only for Apache 2?
 
Much thanks for your Help
Dirk
Brümmer, Dirk (IT | 8 Sep 12:56

Modsecurity Static Build

Hello,
Is there a chance to build Mod Security statically into Apache 2, or will this work only for Apache 2?
 
Much thanks for your Help
Dirk
Hugh Beaumont | 8 Sep 23:17

xmlrpc.php

Has anyone come up with a good rule for blocking xmlrpc.php (used by Drupal and WordPress I
believe, among others)? It has some exploits for it.

I am trying to get a good ruleset to block the file but still allow access for users who have
updated their file to a good/patched version.

Any ideas? I'm curious if anyone else has put an effective block on it. 

	
		

