Ryan Barnett | 1 Jun 13:54

Re: Apache 2.2 and URL encoding

I got an email from Christian that pointed out some other scenarios where you could still run into problems with a single percent sign.  So, here is an updated Ruleset (with an updated RegEx) that should work for this issue.  Keep in mind that this is NOT an official Core Rules update as of yet and will still need to be QA’ed before being included in the rule archive.  My initial tests, however, showed this to work.

 

# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
        "chain,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

 

This will also allow the % sign to be followed by a non-alphanumeric character (so a whitespace, \r and \n should be fine).  This would allow for text strings like this – “Today’s special is 50% off!”

 

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

 

 

From: Ryan Barnett
Sent: Thursday, May 31, 2007 6:12 PM
To: Don; Christian Bockermann
Cc: mod-security-users <at> lists.sourceforge.net
Subject: RE: [mod-security-users] Apache 2.2 and URL encoding

 

A few points to clear up –

 

1) The issue with the RegEx in rule ID 950107 has been identified previously and we have a fix.  It will be included in future releases of the Core Rules. I am including it here for you to test/use immediately –

 

# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
        "chain,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?!$|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

 

The main difference with the rule is that we added “$|” to the alternation string so that it will allow a single “%” that does not have any data after it until the end of the line.  This is normally not an issue as the single % signs that we are seeing seem to be placeholders for certain variable values.  So, when Mod parses and inspects ARGS, the variable in question (such as your example INPUT1=%25) will pass this rule.

 

2) Yeah, this RegEx can be a bit misleading and non-obvious for interpreting what it is actually doing (as Christian pointed out).  The bang symbol “!” is doing an inversion but it is for the entire parentheses grouping and not just the first portion.

 

3) As to why your SecRuleRemoveById didn’t work, here is the relevant section from my Blog post (http://www.modsecurity.org/blog/archives/2007/02/handling_false.html) on handling false positives –

 

Adding new negative policy rules  

If you need to add new negative policy rules, such as when you need to update a Core Rule that is causing a false positive, you should add these rules to a new rule file that comes AFTER all of the other Core Rules. Call this new file something like – modsecurity_crs_60_customrules.conf. Just make sure that the number in the filename is higher than any other rules file so it is read last. The rationale for placing these types of rules after the other rules is that you can then match up these new replacement rules with corresponding SecRuleRemoveByID directives that will then disable the specific Core Rule(s) that are causing False Positives. It is important to note that you need to use SecRuleRemoveById AFTER ModSecurity has knowledge of the Rule ID you are actually removing. If you were to place this directive in the modsecurity_crs_15_customrules.conf file, it would not work correctly as the rule ID you are specifying does not exist yet. That is why this directive should be called up in your custom rules file that comes at the end. Using this method allows you to turn off rules without having to actually go into the Core Rules files and comment out or update specific rules.

 

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

 

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Don
Sent: Thursday, May 31, 2007 5:52 PM
To: Christian Bockermann
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Apache 2.2 and URL encoding

 

These are the core rules. I have not modified them at all. I am new to mod security. Do I need to change something?

Thanks,
Don

Christian Bockermann wrote:

I'd see this as a bug in the core-rules. The rule 950107 is checking ARGS by using
validateURLencoding. As far as I see, the encoding is clean. The only thing, which
is alerted by the rule is your parameter "INPUT1" holding the string "%". When
using double-url-encoding in your app this could become dangerous.

To me it looks as if the pattern of the rule was applied against the __urldecoded__
argument (that is against "%" but not "%25", possibly the t:urldecode was inherited?).

The pattern says, that after "%" [0-9a-fA-F]{2} must follow.

Or am I missing anything?

Regards,
    Chris


P.S.: Looking at the pattern for a little longer makes me curious:

    \%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})

alerts, if "%" is followed by something that ( is NOT [0-9a-fA-F]{2} )
OR that IS u[0-9a-fA-F]{4}, right?

Shouldn't this be like

    \%?!([0-9a-fA-F]{2}|u[0-9a-fA-F]{4})

that is to be meant as

     IF NOT  (  [0-9a-fA-F]{2}  OR  u[0-9a-fA-F]{4}  )



On 31.05.2007 at 21:42, Don wrote:

Hi,

I have an Apache Lounge version of apache 2.2 with mod security 2.1.1
on a Windows XP PC. I am running a C++ cgi application that uses url
encoding. I am using the core rules that came with mod security. Since I
am using url encoding in my program, I am getting a Bad Response error. In the error log
I have:
[Tue May 22 12:51:04 2007] [error] [client 127.0.0.1] ModSecurity: Access denied with code 400 (phase 2).
Pattern match "\\\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:INPUT1. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"]
[severity "WARNING"] [hostname "localhost"] [uri "/cgi-bin/ttgxxx.exe/SearchIt?DBNAME=200703xxxxxx&NEWUSER=xxxx
&CODE=xxxx&DBALIAS=MAR%2B2007%2BB%2BOF%2BA%2BLOCKBOXES
&STARTSESSION=5%2F22%2F2007%2B12%3A50%3A51%2BPM
&R1=V1&INPUT1=%25&SUBMIT.x=23&SUBMIT.y=12&SUBMIT=SEARCH"] [unique_id "XrASOwpYJAQAAADQDDkAAAD5"]

I have tried overriding this rule as per the mod security help file. I
created a file named modsecurity_crs_15_customrules.conf and added the
following to try to override the rule.

SecRuleRemoveByID "960901"
SecRuleRemoveByID "950107"
SecRuleRemoveByMsg "URL Encoding Abuse Attack Attempt"

This seems to have no effect at all and I continue to get the Bad Response error.

Thanks for any assistance with this.

Don
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users





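An added example, not code from the thread or from the Core Rules, that runs the three versions of the chained 950107 regex quoted above (the pattern in Don's error log, Ryan's first fix with "$|", and the updated fix with "\W") over constructed argument values in Python. The values are URL-decoded first, the way ModSecurity inspects ARGS (Christian's point about INPUT1=%25 being seen as "%"), and a hand-written version of the lookahead shows Ryan's point 2: a "%" is flagged only when none of the alternatives matches the text after it. The sample values and all function names are this example's own.

```python
import re
from urllib.parse import unquote

# The three versions of the chained regex from rule 950107 discussed above:
# the pattern in Don's error log, Ryan's first fix ("$|" added) and the
# updated fix ("\W" added as well).
PATTERNS = {
    "original":  re.compile(r"\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"),
    "fix_eol":   re.compile(r"\%(?!$|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"),
    "fix_eol_w": re.compile(r"\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"),
}

HEX = set("0123456789abcdefABCDEF")


def inspected_value(raw_arg_value: str) -> str:
    """ModSecurity inspects ARGS after URL decoding (Christian's point), so the
    raw query value INPUT1=%25 is matched against the single character "%"."""
    return unquote(raw_arg_value)


def flagged(pattern_name: str, raw_arg_value: str) -> bool:
    """True when that version of the rule would block this argument value."""
    return PATTERNS[pattern_name].search(inspected_value(raw_arg_value)) is not None


def flagged_by(raw_arg_value: str) -> list:
    """Names of the pattern versions that block the value, in PATTERNS order."""
    return [name for name in PATTERNS if flagged(name, raw_arg_value)]


def lookahead_by_hand(value: str, allow_eol: bool, allow_nonword: bool) -> bool:
    """Explicit re-implementation of the negative lookahead.  (?!A|B|C) means
    "not followed by A, and not by B, and not by C": a '%' is flagged only when
    NONE of the alternatives matches the text after it.  Assumes no newlines in
    value (re's '$' also matches just before a trailing newline)."""
    for i, ch in enumerate(value):
        if ch != "%":
            continue
        rest = value[i + 1:]
        if allow_eol and rest == "":
            continue                                   # "$"
        if allow_nonword and rest and not (rest[0].isalnum() or rest[0] == "_"):
            continue                                   # "\W"
        if len(rest) >= 2 and rest[0] in HEX and rest[1] in HEX:
            continue                                   # "[0-9a-fA-F]{2}"
        if len(rest) >= 5 and rest[0] == "u" and all(c in HEX for c in rest[1:5]):
            continue                                   # "u[0-9a-fA-F]{4}"
        return True                                    # nothing allowed this "%"
    return False


# Constructed raw argument values, as they would appear in the query string.
SAMPLES = {
    "INPUT1=%25 from Don's log": "%25",
    "percent sign before a space": "50%25%20off",
    "percent sign before a word": "100%25sure",
    "double-encoded valid escape": "%2541",
    "bad hex escape": "%25zz",
    "unicode escape": "%25u0041",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:30} {inspected_value(raw)!r:14} blocked by {flagged_by(raw)}")
```

Two things the table makes visible: "50% off" passes only the "\W" version, while "100%sure" still trips all three, and a double-encoded "%2541" is decoded to "%41" and passes every version, which is the double-encoding case Christian flags as the one to watch.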
Christian Folini | 1 Jun 14:25

Release of Remo 0.2.0 Beta

Dear all,

Remo 0.2.0 beta has been released. This is the
first beta release of Remo.
See the website at http://remo.netnea.com.

Remo stands for "Rule Editor for ModSecurity". It's a
project, attempting to
 - Bring easier configuration to ModSecurity.
 - Make a whitelist/positive security model feasible for
   ModSecurity deployments.

This new release brings the following new features:
 - Import ModSecurity audit-logs.
 - Match individual requests in the audit-log against the
   active ruleset in the edit-area and see whether the
   rules will work in practice.
 - Rails is being distributed as a part of Remo. This makes
   the installation straightforward.

With this release, Remo brings the functionality you need to
write a practical whitelist ruleset for your online application.
It is a beta release and there are some glitches, but I have
worked with Remo as a tool for several days and it does work.

As previously, the new release can be found on the demo site at:
http://remo.netnea.com/demo/main/index
You can get your feet wet there without the need to install 
Remo locally.

In case you think this is done, there are some open issues,
that would profit from your help: 
See http://remo.netnea.com/twiki/bin/view/Main/FeatureRequests
for these.

best regards,

Christian Folini

--
christian.folini <at> netnea.com          -        http://www.netnea.com
ModSecurity and mod_security are trademarks of Breach Security, Inc.
netnea.com is not affiliated with Breach Security, Inc.

blaster | 1 Jun 15:46

Umlaut and modsecurity-core-rules_2.1-1.4

Hi,

we are using mod_security (modsecurity-apache_2.1.1) and it works fine so far.

But every URL posting which contains an umlaut (ö,ü,ä) is blocked.

Is this behaviour of the core ruleset wanted?

Or is there a global way to disable blocking of umlaut?

Thanks in advance,
please find the log attached.

Regards,
Thomas

UTF8 Encoding Abuse Attack Attempt    Access denied with code 400 (phase 2). 
Invalid Unicode encoding: invalid byte value in character.

Request Details
POST /main.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.lacopa-cabana.com/main.php?show=gbook&owner=&showaddnew=&start=40
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.lacopa-cabana.com
Content-Length: 105
Pragma: no-cache
Via: 1.0 innkdi95v:8080 (IWSS)
Connection: Keep-Alive

newentry=y&show=gbook&ic=e.gif&cname=Tom&cmail=noemail <at> tom.de&curl=&message=Danke+f%FCr+den+netten+Abend.

Response Details
HTTP/1.1 400 Bad Request
Content-Length: 312
Connection: close
Content-Type: text/html; charset=iso-8859-1 

Don Parker | 1 Jun 17:15

Re: Apache 2.2 and URL encoding

Thanks for all of the input! I will try this tonight.

Thanks,
Don


Christian Bockermann | 1 Jun 16:30

Re: Umlaut and modsecurity-core-rules_2.1-1.4

Hi!

The problem is that the validateUTF8 checks a string that is not utf8-encoded. What you have in your post-payload is a string that contains ISO-8859 data, which is taken as binary data and sent to your server in urlEncoded form.

%FC is "ü" in ISO-8859-1 but in UTF-8 the %FC indicates a multi-byte character.

If you're using the core rules, I'd see this as a bug in the core-rules. You could simply remove the appropriate rule for the urls where it results in false positives. Given that your rule has an ID of 1234 set, the following should disable the rule for /main.php (to be specified in the config AFTER the rule has been defined).

   <LocationMatch "/main.php">
       SecRuleRemoveById 1234
   </LocationMatch>

Regards,
     Chris


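An added Python example, not from the thread or from ModSecurity, that walks through Chris's explanation on a constructed request body modelled on Thomas's log (the e-mail address shortened): the form value is decoded to bytes, checked as strict UTF-8 in the spirit of the validateUTF8 check (ModSecurity's own implementation is not reproduced here), and then read as ISO-8859-1, which is the charset the guestbook client actually used. The body, the field names and the function names are this example's own.

```python
from urllib.parse import quote_plus, unquote_to_bytes

# Constructed request body modelled on the one in Thomas's log (address
# shortened); "+" stands for a space and %FC is the single byte 0xFC.
BODY = b"newentry=y&show=gbook&cname=Tom&message=Danke+f%FCr+den+netten+Abend."


def decode_form_value(raw: bytes) -> bytes:
    """application/x-www-form-urlencoded decoding yields raw bytes; nothing in
    the request says which character set those bytes are in."""
    return unquote_to_bytes(raw.replace(b"+", b" "))


def parse_form(body: bytes) -> dict:
    """Split a form body into {name: decoded bytes}."""
    fields = {}
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        fields[decode_form_value(name).decode("ascii")] = decode_form_value(value)
    return fields


def valid_utf8(data: bytes) -> bool:
    """Strict UTF-8 decode, which is what a UTF-8 validation check amounts to:
    0xFC on its own is not a complete, well-formed UTF-8 sequence."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def interpretations(data: bytes) -> dict:
    """The same bytes read as UTF-8 (None when invalid) and as ISO-8859-1,
    which maps every byte value to a character and therefore never fails."""
    return {
        "utf-8": data.decode("utf-8") if valid_utf8(data) else None,
        "iso-8859-1": data.decode("iso-8859-1"),
    }


def fields_failing_utf8(body: bytes) -> list:
    """Names of the form fields whose decoded bytes are not valid UTF-8,
    i.e. the fields that would raise the 'UTF8 Encoding Abuse' alert."""
    return [name for name, value in parse_form(body).items() if not valid_utf8(value)]


def utf8_form_encoding(text: str) -> str:
    """What a client sending the same text as UTF-8 would have put on the wire."""
    return quote_plus(text.encode("utf-8"))


if __name__ == "__main__":
    print("fields failing UTF-8 validation:", fields_failing_utf8(BODY))
    print("message bytes read two ways:", interpretations(parse_form(BODY)["message"]))
    print("same text sent as UTF-8:", utf8_form_encoding("Danke für den netten Abend."))
```

The last line of output shows the shape of a request that would pass a UTF-8 check unchanged: the same "ü" arrives as the two bytes %C3%BC rather than the single byte %FC, which is why the rule fires on ISO-8859-1 clients and not on UTF-8 ones.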
Gonen Radai | 2 Jun 10:35

how to exclude full site, without using <virtualhost> ?

Hi,


I have a specific virtual host that I would like to exclude totally (all phases and no log).

I tried the "SecRuleInheritance Off" in my exclude.conf file with <directory>, but I still see a lot of entries in the log.

I read in the documentation that "SecRuleInheritance Off" should be in <virtualhost> in order to exclude all rules - including phase 1.

What can I use, outside <virtualhost>, in order to fully exclude a site and not log it at all?

The reason I don't want to use "SecRuleInheritance Off" in <virtualhost> is that I want to keep all modsecurity2 rules in one place so it will be easier for me to track and manage.


Thanks,

Gonen. 


--
If you can't read my mail, try changing encoding to UTF-8.
Gonen.
blaster | 2 Jun 11:55

Re: Umlaut and modsecurity-core-rules_2.1-1.4

Hi,

thanks a lot for the fast and excellent response. In the meantime I will use
the LocationMatch directive.
I use the plain core rules for implementing. Can I somewhere file a bug
regarding the umlaut behavior?

Regards,
Thomas

-----Original Message-----
From: Christian Bockermann [mailto:chris <at> jwall.org]
Sent: Friday, 1 June 2007 16:30
To: blaster <at> kofler.eu.org
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] Umlaut and modsecurity-core-rules_2.1-1.4

Avi Aminov | 3 Jun 10:45

Re: how to exclude full site, without using <virtualhost> ?

Hi Gonen,

 

If you wish to disable modSec entirely for a particular path and not have any rules instead, you can use:

<Directory /exclude>
  SecRuleEngine Off
</Directory>

 

This will work only if this exclusion file is loaded AFTER the other rules you apply.

 

If the file is loaded BEFORE the other rules, use this instead:

 

SecRule REQUEST_FILENAME "^/directory" "allow,phase:1,nolog,ctl:ruleEngine=Off"

 

Avi

 

Ryan Barnett | 3 Jun 14:53

Re: how to exclude full site, without using <virtualhost> ?

The other way to disable the Mod rules and logging for a Vhost is to use the Host header info to trigger the rule.  If you have a Vhost with the name “www.foo.com” you can use this –

 

SecRule REQUEST_HEADERS:Host "^www\.foo\.com$" "allow,phase:1,nolog,ctl:ruleEngine=Off,ctl:auditEngine=Off"

 

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

Author: Preventing Web Attacks with Apache

 

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Avi Aminov
Sent: Sunday, June 03, 2007 4:45 AM
To: Gonen Radai
Cc: Mod Security
Subject: Re: [mod-security-users] how to exclude full site,without using <virtualhost> ?

 

Hi Gonen,

 

If you wish to disable modSec entirely for a particular path and not have any rules instead, you can use:

<directory /exclude>

  SecRuleEngine Off

</directory>

 

This will work only if this exclusion file is loaded AFTER the other rules you apply

 

If the file is loaded BEFORE the other rules, use this instead:

 

SecRule REQUEST_FILENAME "^/directory" "allow,phase:1,nolog,ctl:ruleEngine=Off"

 

Avi

 

From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Gonen Radai
Sent: Saturday, June 02, 2007 11:36 AM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] how to exclude full site,without using <virtualhost> ?

 

Hi,

 

I have a specific virtual host that I would like to exclude totally (all phases and no log).

I tried the "SecRuleInheritance Off" in my exclude.conf file with <directory>, but I still see a lot of entries in the log.

 

I read in the documentation that "SecRuleInheritance Off" should be in <virtualhost> in order to

exclude all rules - including phase 1.

 

What can I use, outside <virtualhost>, in order to fully exclude a site and not log it at all?

 

The reason I don't want to use "SecRuleInheritance Off" in <virtualhost> is that I want to keep

all modsecurity2 rules in one place so it will be easier for me to track and manage.

 

Thanks,

Gonen. 

 

--

If you can't read my mail, try changing encoding to UTF-8.

Gonen.

hanj | 3 Jun 20:47

Trouble with phpMyAdmin and mod_sec (getting caught in phase:1)

Hello

I'm having trouble excluding phpMyAdmin from mod_sec.

I've added the SecRuleInheritance Off and SecRuleEngine Off in the
Directory area of my VirtualHost. This seems to apply to phase:2, but
not phase:1. I'm getting a 400 status when I try to edit a record.

I also tried the SecRule REQUEST_FILENAME and allowing phase:1, but I
continue to get the 400 status.

Here is my modsec_audit.log and below that is a view of my apache
config for that directory. Any suggestions are greatly appreciated.

--816a6d09-A--
[03/Jun/2007:12:37:24 --0600] vVBTC0LbO5UAAD46MaoAAAAA xxx.xxx.xxx.xxx 1359 xxx.xxx.xxx.xxx 443
--816a6d09-B--
GET /phpmyadmin/tbl_change.php?db=mydb&table=data&token=323cf89f3969db1b855a159b9b250bc3&pos=0&session_max_rows=30&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0&primary_key=+%60data%60.%60DataID%60+%3D+702&sql_query=SELECT+%2A+FROM+%60data%60+WHERE+LastName+LIKE+%27%25doe%25%27&goto=sql.php HTTP/1.1
Host: my.host.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://my.host.com/phpmyadmin/import.php
Cookie: pmaCookieVer=4; pma_collation_connection=utf8_unicode_ci; pma_charset=iso-8859-1; pma_lang=en-utf-8; phpMyAdmin=59f2e047d2c961ff55c85c430aa37934; pma_theme=original; __utma=219305993.412737841.1170700683.1180815267.1180895728.39; __utmz=219305993.1176754457.20.6.utmccn=(organic)|utmcsr=google|utmctr=kylegraybeal.com|utmcmd=organic; __utmc=219305993; highlightedTreeviewLinkt2=2; clickedFoldert2=1%5E; PHPSESSID=c81a24712fd95b0067fcdb270cfe710b; SQMSESSID=7307a2897ae03f8c480d0282836c3bd9; __utmb=219305993
Authorization: Basic xxxxxxxxxxx

--816a6d09-F--
HTTP/1.1 400 Bad Request
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

--816a6d09-H--
Message: Access denied with code 400 (phase 1). Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:sql_query. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]
Action: Intercepted (phase 1)
Stopwatch: 1180895844258571 1489 (- - -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache

--816a6d09-Z--

<VirtualHost>
	... blah blah blah
	<Directory /path/to/my.host.com/htdocs/phpmyadmin>
		... blah blah
		<IfModule mod_security2.c>
			SecRuleInheritance Off
			SecRuleEngine Off
			SecRule REQUEST_FILENAME "^/phpmyadmin" \
				"allow,phase:1,nolog,ctl:ruleEngine=Off"
		</IfModule>
	</Directory>
</VirtualHost>
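The audit log above explains why rule 950107 fires on a phpMyAdmin request even though the browser encoded the query string correctly: ModSecurity evaluates the rule against ARGS, which are already URL-decoded, so the SQL LIKE wildcards in `'%doe%'` become bare percent signs that are not followed by two hex digits. The script below is an added illustration (not hanj's code and not ModSecurity's own matching engine) that decodes the GET target copied from the audit log and runs the regex quoted in the H section over every argument value, reporting each offending `%` the way the rule would. It assumes, as the log's "at ARGS:sql_query" shows, that the check runs on the decoded value.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Regex exactly as reported in the audit log message for rule 950107
# (the backslash before % is the rule's own escaping and is harmless in Python).
RULE_950107 = re.compile(r"\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")

# GET target copied from the audit log's B section (host and headers omitted).
SAMPLE_URI = (
    "/phpmyadmin/tbl_change.php?db=mydb&table=data"
    "&token=323cf89f3969db1b855a159b9b250bc3&pos=0&session_max_rows=30"
    "&disp_direction=horizontal&repeat_cells=100&dontlimitchars=0"
    "&primary_key=+%60data%60.%60DataID%60+%3D+702"
    "&sql_query=SELECT+%2A+FROM+%60data%60+WHERE+LastName+LIKE+%27%25doe%25%27"
    "&goto=sql.php"
)


def decoded_args(uri):
    """Return the query string as the ARGS collection holds it: each
    name/value pair URL-decoded once, with '+' turned into a space."""
    query = urlsplit(uri).query
    return dict(parse_qsl(query, keep_blank_values=True))


def percent_findings(args, pattern=RULE_950107):
    """Apply the rule's regex to every decoded argument value, as the
    chained SecRule does on ARGS. Returns (arg_name, offset, snippet)
    tuples, where snippet is the '%' plus the two characters the
    negative lookahead inspected (fewer at end of string)."""
    findings = []
    for name, value in args.items():
        for m in pattern.finditer(value):
            findings.append((name, m.start(), value[m.start():m.start() + 3]))
    return findings


def main():
    args = decoded_args(SAMPLE_URI)
    print("sql_query after decoding:", args["sql_query"])
    for name, offset, snippet in percent_findings(args):
        print(f"ARGS:{name} offset {offset}: {snippet!r} is not a valid %XX sequence")


if __name__ == "__main__":
    main()
```

Running it reports two hits in `sql_query`, `%do` and `%'`, and nothing in the other arguments: `%25` was a perfectly valid escape on the wire, but after decoding the rule sees the literal `%` that phpMyAdmin needs for its LIKE pattern. That is the false-positive shape to look for when a legitimate application sends percent signs inside argument values.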

