Rude Yak | 2 Oct 20:19

1.9b4 SecFilterRemove question

Hi, folks.  I've been playing with the latest-and-greatest and trying to apply
it to a situation I'm dealing with on one of my servers.  Specifically, I have
a multi-purpose webserver, part of which hosts a weblog.  Whereas, for the
majority of the web server, I can afford to have relatively tight input
filtering, it would be nice to be less restrictive for the weblog.  To wit, I'm
trying the following in my httpd.conf:

<IfModule mod_security.c>

# Defaults
SecFilterEngine DynamicOnly
SecFilterScanPOST On
SecFilterInheritance On
SecFilterCheckCookieFormat On
SecFilterNormalizeCookies On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 32 122
SecFilterSelective "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, *+-]*$" id:1001
SecFilterSelective COOKIES_VALUES "!^[A-Za-z0-9&./?@_%=:;, !-]*$" id:1002

</IfModule>

Ideally, what I'd like to add is this:

<Location ~ "^/blog/">
SecFilterRemove 1001
</Location>

Now, ignoring for the moment the wisdom of turning off input validation
(Continue reading)

Rude Yak | 2 Oct 21:26

whitelisting XSS/HTML-injection defense

I've read the portion of the doc that covers XSS, i.e.

<Location /cms/article-update.php>
SecFilterInheritance Off
# other filters here ...
SecFilterSelective "ARGS|!ARG_body" "<.+>"
</Location>

What I would like to know is if anyone has gotten more sophisticated with XSS
defense and tried to whitelist certain tags.  I'm trying to set up a policy
that will allow a few harmless tags (let's say, for argument's sake, that <B>
and <PRE> are considered harmless) but not others.  This has proven to be quite
a challenge.  So far, I've come up with:

SecFilterSelective "ARGS|!ARG_blog-text" "<.+>" id:1501
SecFilterSelective "ARG_blog-text" "<" chain,id:1502
SecFilterSelective "ARG_blog-text" "!<([Bb]|[Pp][Rr][Ee])([ >])" id:1503
SecFilterForceByteRange 9 126

But this (needless to say) doesn't work because a QUERY_STRING that has

blog-text=Abc+def+<B>

will still find the "Abc+def" matching <([Bb]|[Pp][Rr][Ee])([ >]) and be
blocked by the filter.  Has anyone come up with a clever way to whitelist input
this way?  I'm going to keep trying but I'm feeling close-to-stumped right now
:-)

Erick.

(Continue reading)
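Added Python example, not code from this thread or from ModSecurity: it models the chained rules 1502+1503 from the post to show that a negated pattern only tests whether some allowed tag appears (a value containing one allowed tag plus any other tag satisfies it), and contrasts that with a per-tag allowlist check done in code on the application side. The tag set (B, PRE) and the parameter name blog-text are taken from the post; the check functions are assumptions.

```python
import re
from urllib.parse import parse_qs

# Tags the hypothetical blog-text field may contain (the post's example: B and PRE).
ALLOWED_TAGS = {"b", "pre"}

# The pattern of rule 1503 without its leading "!".  ModSecurity negates it, so the
# chained rules 1502+1503 deny only when a "<" is present AND this never matches.
RULE_1503_PATTERN = re.compile(r"<([Bb]|[Pp][Rr][Ee])([ >])")


def blog_text_from_query(query_string):
    """URL-decode the blog-text parameter ('+' becomes a space), as the filter sees it."""
    return parse_qs(query_string).get("blog-text", [""])[0]


def chain_1502_1503_denies(value):
    """Model of the chain in the post: deny if '<' occurs and no allowed tag is found.
    One allowed tag anywhere satisfies the chain, so other tags are never examined."""
    return "<" in value and RULE_1503_PATTERN.search(value) is None


# A complete tag: optional '/', a name, no attributes.  Any '<' or '>' that is not
# part of such a tag (including a tag carrying attributes) is rejected.
TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)\s*>")


def allowlist_violations(value):
    """Per-tag allowlist check: return a reason for every tag not in ALLOWED_TAGS and
    for every '<' or '>' outside a complete, attribute-free tag.  Empty list means
    the value is acceptable."""
    problems = []
    pos = 0
    for m in TAG_RE.finditer(value):
        gap = value[pos:m.start()]          # text between the previous tag and this one
        if "<" in gap or ">" in gap:
            problems.append("bracket outside an allowed tag before %r" % m.group(0))
        if m.group(2).lower() not in ALLOWED_TAGS:
            problems.append("disallowed tag <%s>" % m.group(2))
        pos = m.end()
    if "<" in value[pos:] or ">" in value[pos:]:
        problems.append("bracket outside an allowed tag in trailing text")
    return problems


if __name__ == "__main__":
    # Constructed query strings: the post's own example and one mixing tags.
    for sample in ("blog-text=Abc+def+<B>", "blog-text=Hello+<B>x</B>+<script>"):
        text = blog_text_from_query(sample)
        print(repr(text), "chain denies:", chain_1502_1503_denies(text),
              "violations:", allowlist_violations(text))
```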

Frank | 1 Oct 15:38

Fedora, Mod-Security, PID issues

Sorry if posted twice. Not sure if mailing from the website posts here too.

I am new to mod_security and trying to set up the chroot function in the 
module. Once I configure mod_security in Apache 2, I get a "cannot find 
httpd.pid" error. I saw an earlier post for this which points to missing 
directories.

Does anyone out there have setup info for Fedora 4 or previous Fedora 
versions? What directories I need and so forth. It is a pretty urgent 
situation.

Thanks

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
Andras Got | 2 Oct 22:16

Re: Fedora, Mod-Security, PID issues

Hi,

Some libs and the required directory must exist within the chroot. It would be good to know if 
Apache is chrooted with modsec when the pidfile and other files are created or checked. For instance, 
the FreeBSD rc.subr system would search in /var/run, not $chroot/var/run.

Frank wrote:

> Sorry if posted twice. Not sure if mailing from the website posts here too.
> 
> I am new to mod_security and trying to set up the chroot function in the 
> module. Once I configure mod_security in Apache 2, I get a "cannot find 
> httpd.pid" error. I saw an earlier post for this which points to missing 
> directories.
> 
> Does anyone out there have setup info for Fedora 4 or previous Fedora 
> versions? What directories I need and so forth. It is a pretty urgent 
> situation.
> 
> Thanks
> 
(Continue reading)

Ivan Ristic | 3 Oct 14:21

Re: 1.9b4 SecFilterRemove question

Rude Yak wrote:
> Hi, folks.  I've been playing with the latest-and-greatest and trying to apply
> it to a situation I'm dealing with on one of my servers.  Specifically, I have
> a multi-purpose webserver, part of which hosts a weblog.  Whereas, for the
> majority of the web server, I can afford to have relatively tight input
> filtering, it would be nice to be less restrictive for the weblog.  To wit, I'm
> trying the following in my httpd.conf:
>
> ...
>
> <Location ~ "^/blog/">
> SecFilterRemove 1001
> </Location>

   You are using the directive correctly. Unfortunately, I broke
   SecFilterImport and SecFilterRemove in 1.9dev4. They are fixed now
   and will work correctly in the forthcoming Release Candidate 1 (today).

> Obviously I'm wrong :-)

   It was not obvious to me ;)

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

(Continue reading)

Ivan Ristic | 3 Oct 14:26

Re: whitelisting XSS/HTML-injection defense

Rude Yak wrote:
> I've read the portion of the doc that covers XSS, i.e.
> 
> <Location /cms/article-update.php>
> SecFilterInheritance Off
> # other filters here ...
> SecFilterSelective "ARGS|!ARG_body" "<.+>"
> </Location>
> 
> What I would like to know is if anyone has gotten more sophisticated with XSS
> defense and tried to whitelist certain tags.  I'm trying to set up a policy
> that will allow a few harmless tags (let's say, for argument's sake, that <B>
> and <PRE> are considered harmless) but not others.  This has proven to be quite
> a challenge.  So far, I've come up with:
> 
> SecFilterSelective "ARGS|!ARG_blog-text" "<.+>" id:1501
> SecFilterSelective "ARG_blog-text" "<" chain,id:1502
> SecFilterSelective "ARG_blog-text" "!<([Bb]|[Pp][Rr][Ee])([ >])" id:1503
> SecFilterForceByteRange 9 126
> 
> But this (needless to say) doesn't work because a QUERY_STRING that has
> 
> blog-text=Abc+def+<B>
> 
> will still find the "Abc+def" matching <([Bb]|[Pp][Rr][Ee])([ >]) and be
> blocked by the filter.  Has anyone come up with a clever way to whitelist input
> this way?  I'm going to keep trying but I'm feeling close-to-stumped right now
> :-)

   Brave attempt but I don't think it is possible to reliably whitelist
(Continue reading)

Ivan Ristic | 6 Oct 12:31

[ANNOUNCE] ModSecurity 1.9RC1 has been released


ModSecurity 1.9RC1 has been released. It is available for immediate
download from:

     http://www.modsecurity.org/download/

This is the first release candidate in the 1.9.x branch. A stable
release is expected on Monday, October 31. Users are encouraged to
test this release thoroughly to catch any potentially remaining
problems.

Changes (since 1.9dev4)
-----------------------

A new SecFilterSignatureAction directive was added to allow for the
separation of policy and rule metadata. It allows rules that have
custom action lists to use the list defined with this directive as
a template. Improvements were made to the multipart parser, which
is now more robust and more strict in what it accepts. Several bugs
were fixed. Code clean-ups were made and a new regression testing
tool was added.

About ModSecurity
-----------------
ModSecurity is a web application firewall, designed to protect
vulnerable applications and reject manual and automated attacks.
It is an open source intrusion detection and prevention system. It
can work embedded in Apache, or as a standalone security device when
configured to work as part of an Apache-based reverse proxy.

(Continue reading)

WALRAVE Stephane | 7 Oct 10:06

Problems with SecFilterSelective ARG_xxx

Hi
I use mod_security (1.8.7) with SecFilterScanPOST set to "on" to filter POST
variables.

Here is a basic configuration:
...
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecFilterDebugLog /var/log/apache2/modsec_debug_log
SecFilterDebugLevel 2
SecFilterScanPOST On

<Location /app/login.cfm>
#Check for POST method only
SecFilterSelective REQUEST_METHOD !^POST$
SecFilterSelective ARG_VAR1 !^value1$
SecFilterSelective ARG_VAR2 !^value2$
</Location>
...

I made some requests on the machine, using curl:

curl -d "VAR1=value1&VAR2=value2" http://site.com/app/login.cfm
-> correct behavior (request accepted)

curl -d "VAR1=value1&VAR2=foo" http://site.com/app/login.cfm
-> correct behavior (request denied)
(Continue reading)
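An added Python model, not ModSecurity's code or anything posted in this thread, of the behaviour the post runs into: a negated per-argument filter such as `ARG_VAR2 !^value2$` cannot fail a request that simply omits VAR2, because the rule has nothing to evaluate. The engine model is an assumption chosen to match the accept/deny results reported in the thread; `strict_rules_deny` shows the extra presence check a policy needs. The argument names and values are the post's.

```python
import re
from urllib.parse import parse_qs

# Per-argument rules as in the post: deny when the named argument's value does NOT
# match the anchored pattern (the "!" in "SecFilterSelective ARG_VAR1 !^value1$").
PER_ARG_RULES = {"VAR1": r"^value1$", "VAR2": r"^value2$"}


def parse_post_body(body):
    """Decode an application/x-www-form-urlencoded body into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def per_arg_rules_deny(body):
    """Model of the post's configuration.  Assumption (consistent with the observed
    behaviour): a rule bound to ARG_x is only evaluated when x is present, so a
    request that omits VAR2 altogether is never denied by the VAR2 rule."""
    args = parse_post_body(body)
    return any(name in args and re.search(pattern, args[name]) is None
               for name, pattern in PER_ARG_RULES.items())


def strict_rules_deny(body, expected=PER_ARG_RULES):
    """Stricter check: the parameter set must be exactly the expected one, and every
    value must match its pattern.  Missing and unexpected parameters are both denied."""
    args = parse_post_body(body)
    if set(args) != set(expected):
        return True
    return any(re.search(pattern, args[name]) is None
               for name, pattern in expected.items())


if __name__ == "__main__":
    # Constructed bodies: the post's three curl requests.
    for body in ("VAR1=value1&VAR2=value2", "VAR1=value1&VAR2=foo", "VAR1=value1"):
        print(body, "per-arg deny:", per_arg_rules_deny(body),
              "strict deny:", strict_rules_deny(body))
```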

Ivan Ristic | 7 Oct 10:34

Re: Problems with SecFilterSelective ARG_xxx

WALRAVE Stephane wrote:
> Hi
> I use mod_security (1.8.7) with SecFilterScanPOST set to "on" to filter POST
> variables.
>
> ...
> 
> Here is a basic configuration :
> ...
> SecFilterEngine On
> SecFilterDefaultAction "deny,log,status:403"
> SecFilterCheckURLEncoding On
> SecFilterForceByteRange 1 255
> SecAuditEngine RelevantOnly
> SecFilterDebugLog /var/log/apache2/modsec_debug_log
> SecFilterDebugLevel 2
> SecFilterScanPOST On
> 
> <Location /app/login.cfm>
> #Check for POST method only
> SecFilterSelective REQUEST_METHOD !^POST$
> SecFilterSelective ARG_VAR1 !^value1$
> SecFilterSelective ARG_VAR2 !^value2$
> </Location>
> ...
>
> curl -d "VAR1=value1" http://site.com/app/login.cfm
> -> strange behavior: request accepted and the log is
>
> ...
(Continue reading)

Jinn Koriech | 17 Oct 01:04

mod-security, SecChroot & suexec

Hi all,

Trying to get Apache2 running with mod-security-1.8.7 and suexec in a 
chroot jail on Debian Sarge.  From the changelog it appears this should 
be possible.  Other than that I haven't managed to find any notes on how 
to achieve this on google.  Hopefully modsecurity is the place to ask 
this question?  suexec doesn't have any config options other than 
setting the user/group - and the compile time options don't appear to be 
causing any problems.

I have tested this testenv script from TWiki in 3 scenarios.  I am 
trying to keep my general configs reasonably simple for now until I get 
it working.

1. Apache2 with suexec.  No chroot.  Everything works fine.

2. Apache2 with SecChrootDir.  No suexec.  Works fine, but the script 
doesn't appear to see the UID it is running as.

3. Apache2 with SecChrootDir plus suexec.  The request generates a 500 
error and the only logs apparent are:

*** /etc/apache2/logs/suexec.log ***
[2005-10-16 19:47:05]: crit: invalid uid: (33)

*** vhost_log ***
[Sun Oct 16 19:47:05 2005] [error] [client w.x.y.z] Premature end of 
script headers: testenv

The UID 33 is www-data on Debian Sarge - this is the user Apache2 is 
(Continue reading)

