RE: mod_security + webmail + body message

Thanks to both!!

I am going to continue making tests with your indications.

According to the table 12-1 of the book of Ivan, I believe that THE_REQUEST=REQUEST_METHOD + REQUEST_URI +
REQUEST_PROTOCOL.

As he would be formulates it for POST_PAYLOAD?
As it is the result of POST_PAYLOAD - THE_REQUEST?

:-( Some reference to know more on headers HTTP? 

Many thanks for your help.

Tomás Hidalgo Salvador
thidalgo <at> tecnologia.cajamar.es
Dpto. Sistemas Unix
Tlf.: 2333
DSF Almariya

-----Original Message-----
From: Ivan Ristic [mailto:ivanr <at> webkreator.com]
Sent: Saturday, 29 October 2005 21:09
To: Ryan Barnett
CC: Tomas Hidalgo Salvador; mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] mod_security + webmail + body message

Ryan Barnett wrote:
> Tomas - Welcome to my world :)  I have been using Apache/Mod_Security as
> a reverse proxy for Microsoft's Outlook Web Access and have run this
Directive SecUploadApproveScript

Hello,

Environment:  RH ES 3.0 Upgrade 5 + apache 2.0.54 + mod_security 1.8.7 + webmail

This works fine:

SecUploadApproveScript /usr/local/apache2/bin/verify_upload_webmail.pl

But this does not work fine:

SecUploadApproveScript /usr/local/apache2/bin/verificar_upload_webmail.pl  “log,pass”

The error:

root <at> myserver:/usr/local/apache2/conf> /etc/init.d/httpd stop
stopping Apache-2 ...
Syntax error on line 32 of /usr/local/apache2/conf/mod-security.conf:
SecUploadApproveScript takes one argument, The path to the script that will be called to approve every uploaded file

How can I control the default action with SecUploadApproveScript?

I would like to warn the user that their file is infected by a virus.

Many thanks for your help

Tomás Hidalgo Salvador
thidalgo <at> tecnologia.cajamar.es
Dpto. Sistemas Unix
Tlf.: 2333
DSF Almariya

Eli | 2 Nov 22:52

Add SCRIPT_NAME to known CGI variables?

I was looking for a CGI variable which contained only the path of the script
called in the URI, minus the DOCUMENT_ROOT.  Apparently both
REQUEST_FILENAME and SCRIPT_FILENAME are the full script path on the server,
and the only CGI variable I can find that would be those, minus the
DOCUMENT_ROOT, is SCRIPT_NAME, but it isn't accepted (1.9RC1 being used).

Is there any reason this CGI variable is not allowed in mod_security?  If so
what is it?  If not, would a patch submitted adding it be accepted (pending
proper coding techniques and testing obviously)?

Eli.

-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
Ivan Ristic | 3 Nov 11:38

Re: Add SCRIPT_NAME to known CGI variables?

Eli wrote:
> I was looking for a CGI variable which contained only the path of the script
> called in the URI, minus the DOCUMENT_ROOT.  Apparently both
> REQUEST_FILENAME and SCRIPT_FILENAME are the full script path on the server,
> and the only CGI variable I can find that would be those, minus the
> DOCUMENT_ROOT, is SCRIPT_NAME, but it isn't accepted (1.9RC1 being used).
> 
> Is there any reason this CGI variable is not allowed in mod_security?

  There is no particular reason for that - I simply missed the variable. I'll
  add it to the TODO list for the next release.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Ivan Ristic | 3 Nov 11:46

Re: Directive SecUploadApproveScript

Tomas Hidalgo Salvador wrote:
>
> This works fine:
> 
> SecUploadApproveScript /usr/local/apache2/bin/verify_upload_webmail.pl
> 
> But this does not work fine:
> 
> SecUploadApproveScript /usr/local/apache2/bin/verificar_upload_webmail.pl  “log,pass”
> 
> The error:
>
> Syntax error on line 32 of /usr/local/apache2/conf/mod-security.conf:
> SecUploadApproveScript takes one argument, The path to the script that
> will be called to approve every uploaded file
> 
> How can I control the default action with SecUploadApproveScript?
> 
> I would like to warn the user that their file is infected by a virus.

  SecUploadApproveScript does not support a custom action list yet.
  (I've added your request to my TODO list too).

  Try something like this (just an idea, I haven't tried it myself):

  <Location /path/to/your/upload/script>
      SecFilterDefaultAction ...
      SecUploadApproveScript ...
  </Location>

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
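
The script side of SecUploadApproveScript, as an added example that is not code from this thread or from the mod_security project (and in Python rather than the poster's Perl). It assumes the mod_security 1.x convention that the script receives the uploaded file's path as its only argument and that the upload is approved only when the script's output begins with "1"; ClamAV's clamscan as the scanner and the names verdict and SCANNER are assumptions of the example.

```python
#!/usr/bin/env python3
"""Upload approval script for SecUploadApproveScript (added example)."""
import subprocess
import sys

# Assumption: ClamAV's clamscan is on PATH.
# clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
SCANNER = ["clamscan", "--no-summary"]


def verdict(path, scanner=SCANNER, timeout=60):
    """Return the one line mod_security reads: '1 ...' approves, anything else rejects."""
    try:
        proc = subprocess.run(scanner + [path], capture_output=True,
                              text=True, timeout=timeout)
    except FileNotFoundError:
        return "0 scanner not found"        # fail closed: no scanner, no upload
    except subprocess.TimeoutExpired:
        return "0 scanner timed out"        # fail closed on a hung scan
    if proc.returncode == 0:
        return "1 clean"
    if proc.returncode == 1:
        # Keep the scanner's last output line as the rejection reason.
        detail = (proc.stdout.strip().splitlines() or ["infected"])[-1]
        return "0 rejected: " + detail
    return "0 scanner error (exit %d)" % proc.returncode


def main(argv):
    if len(argv) != 2:
        print("0 usage: approve_upload.py <file>")
        return 0
    print(verdict(argv[1]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Every path other than a clean scan prints a line starting with "0", so a missing, hung or failing scanner rejects the upload instead of letting it through.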

Ivan Ristic | 3 Nov 11:33

Re: Suppressing "Warning (chained rule)" in the log?

Ivan Ristic wrote:
> Steffen wrote:
> 
>> Searched in the docu, but could not find an answer.
>>
>> Is it possible not to log in the Apache error.log the "Warning
>> (chained rule)" entries?
>>
>> eg.:
>>
>> [Thu Oct 20 10:09:16 2005] [error] [client 63.196.49.252]
>> mod_security: Warning (chained rule). Pattern match "!^(GET|HEAD)$" at
>> REQUEST_METHOD [hostname "www.apachelounge.com"] [uri "/mail/web.cgi"]
> 
>  You should be able to add "nolog" to the rule to suppress it.

   But this approach has some unexpected side-effects. If a rule
   after the one with "nolog" triggers, the request will not be
   recorded in the audit log. Although further attempts can be
   made (with "auditlog") to restore this functionality, I have
   decided to simply move the above warning to level 3 (from
   level 1). This works as of 1.9RC4.

   I don't expect any more RC releases so maybe you should not
   upgrade to 1.9RC4. 1.9 stable will be released over the weekend.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Ivan Ristic | 3 Nov 11:47

Re: mod_security + webmail + body message

Tomas Hidalgo Salvador wrote:
> Thanks to both!!
> 
> I am going to continue making tests with your indications.
> 
> According to the table 12-1 of the book of Ivan, I believe
> that THE_REQUEST=REQUEST_METHOD + REQUEST_URI + REQUEST_PROTOCOL.

  Yes, but it's the other way round. REQUEST_METHOD, REQUEST_URI
  and REQUEST_PROTOCOL are created out of THE_REQUEST.

> As he would be formulates it for POST_PAYLOAD?
> As it is the result of POST_PAYLOAD - THE_REQUEST?

  Can you please rephrase the question? I am not sure I understand it.

> :-( Some reference to know more on headers HTTP? 

  How about the HTTP 1.1 RFC?

  http://www.ietf.org/rfc/rfc2616.txt

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Philippe Bourcier | 3 Nov 11:42

Filtering 404's and 500's


Hi,

On a reverse proxy, I'm trying to filter HTTP 404 and HTTP 500 errors.

I'm using the following rule :
SecFilterSelective OUTPUT "HTTP\/(0\.9|1\.0|1\.1) 404 Not Found"
and the 500 one is similar.

I've tried a few other ones, but this one looks fine to me.

It doesn't work, why ?
Could it be that the headers are not part of "OUTPUT" ?

Sincerely,

Philippe Bourcier

Ivan Ristic | 3 Nov 11:49

Re: Filtering 404's and 500's

Philippe Bourcier wrote:
> 
> Hi,
> 
> On a reverse proxy, I'm trying to filter HTTP 404 and HTTP 500 errors.
> 
> I'm using the following rule :
> SecFilterSelective OUTPUT "HTTP\/(0\.9|1\.0|1\.1) 404 Not Found"
> and the 500 one is similar.
> 
> I've tried a few other ones, but this one looks fine to me.
> 
> It doesn't work, why ?
> Could it be that the headers are not part of "OUTPUT" ?

  That's exactly why.

  In 1.9 there is a new variable OUTPUT_STATUS. It contains only
  the response code. Try using that.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
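
Why the rule in this thread never fires, as an added example that is not part of the original posts or of mod_security: a small Python model in which OUTPUT holds only the response body and OUTPUT_STATUS only the response code, as described in the reply above. The sample response is constructed, and split_response and evaluate are hypothetical names.

```python
import re

# The pattern from the thread, unchanged: it looks for the HTTP status line.
STATUS_LINE_RULE = re.compile(r"HTTP\/(0\.9|1\.0|1\.1) 404 Not Found")
# A check on the numeric code alone, which is all OUTPUT_STATUS contains.
STATUS_CODE_RULE = re.compile(r"^(404|500)$")

# Constructed sample: a backend error page as seen by the reverse proxy.
RAW_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>404 Not Found</title></head>"
    b"<body><h1>Not Found</h1></body></html>"
)


def split_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = lines[0].split(" ", 2)[1]      # "HTTP/1.1 404 Not Found" -> "404"
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return status_code, headers, body.decode("iso-8859-1")


def evaluate(raw):
    """Apply each pattern to the part of the response its variable exposes."""
    status_code, _headers, body = split_response(raw)
    return {
        # The body mentions "404 Not Found" but never carries the status line.
        "rule_on_OUTPUT": bool(STATUS_LINE_RULE.search(body)),
        "rule_on_OUTPUT_STATUS": bool(STATUS_CODE_RULE.search(status_code)),
    }
```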

Peter VE | 4 Nov 11:52

mod_security status 200

Hi,

I would like to set up my Apache 2.0.55 (with mod_security 1.8.7) to
return a 200 OK for every single request that is made to a non-existing
page.
How can I do this ?
(or do I need to use mod_rewrite for this)

thanks

P
