Mike Yrabedra | 1 Oct 16:12

Install on Mac OS X Server?

Anyone been able to get MS installed on Mac OS X Server 10.5.x ?

I was able to get pcre and lua without issue, but the modsecurity 'make'
fails. I can't recall the error message (I know, I know, idiot!), but
wondered if anyone knows the trick to getting this thing built.

Anyone at breach able to help?

-- 
Mike B^)>

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Ryan Kogelheide | 2 Oct 00:13

Core Rules missing?

Is it my imagination or are the Core Rules no longer available? 

I could be hallucinating. It's been known to happen.

The main ModSecurity link to the core rules points to the project page which 
points to breach's download which doesn't seem to have the rules anywhere.

Ivan Ristic | 2 Oct 06:03

Re: Core Rules missing?

The standalone distribution was moved away by mistake; it's back now.

On Wed, Oct 1, 2008 at 11:13 PM, Ryan Kogelheide
<ryan.kogelheide <at> gmail.com> wrote:
> Is it my imagination or are the Core Rules no longer available?
>
> I could be hallucinating. It's been known to happen.
>
> The main ModSecurity link to the core rules points to the project page which
> points to breach's download which doesn't seem to have the rules anywhere.

-- 
Ivan Ristic


Marc Stern | 2 Oct 12:26

Anti-evasion filter available - vulnerability with command injection

Hello,

When trying to block some shell commands ("command/c", "rm -rf", etc.), there are very easy ways to totally evade any rule you wrote, by escaping some characters, or by using separators other than traditional spaces.

Some examples are
  c^ommand /c ...
  "command" /c ...
  command,/c ...
  rm \-rf

I wrote a ModSecurity filter (I guess this is the first published one :-0) that normalises a string for checking against a command-line pattern.
It supports all evasion techniques I (and Brian from Breach, thanks) found for Windows and Unix shell scripts.
This filter has been used in production for several months, but I had to wait until all my customers had implemented it before releasing the vulnerability.

This filter avoids this problem by
    * deleting all backslashes [\]
    * deleting all double quotes ["]
    * deleting all single quotes [']
    * deleting all carets [^]
    * deleting spaces before a slash [/]
    * deleting spaces before an open parenthesis [(]
    * replacing all commas [,] and semicolons [;] with a space
    * replacing all multiple spaces (including tab, newline, etc.) with one space
    * transforming all characters to lowercase

Usage: t:cmdLine

Ex: SecRule ARGS "(?:command(?:\.com)?|cmd(?:\.exe)?)(?:/.*)?/[ck]" "phase:2,t:none,t:cmdLine"


It is available for download on http://www.approach.be/security-modsecurity.html
The package contains source code, binaries for Win32 (compiled with Visual C++ 6.0), and documentation.

Do not hesitate to give any feedback, or to send any additional escape sequences you find.

Regards

Marc
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
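Added example, not Marc's filter source: a Python re-implementation of the normalisation steps listed in the post, run against the evasions from the post with the SecRule operator regex quoted there, to show which argument values the rule misses without normalisation and catches with it. The sample argument values are constructed.

```python
import re

# Normalisation steps as listed in the post (constructed re-implementation,
# not the filter's own code); order matters, see comments.
def cmd_line(value: str) -> str:
    value = re.sub(r'[\\"\'^]', '', value)    # drop backslashes, quotes, carets
    value = re.sub(r'[,;]', ' ', value)       # commas / semicolons become spaces
    value = re.sub(r'\s+', ' ', value)        # collapse tabs, newlines, space runs
    value = re.sub(r' +(?=[/(])', '', value)  # remove spaces before "/" and "("
    return value.lower()

# Operator regex from the SecRule in the post. ModSecurity runs the
# transformation chain (t:none,t:cmdLine) before the operator sees the value.
CMD_RE = re.compile(r'(?:command(?:\.com)?|cmd(?:\.exe)?)(?:/.*)?/[ck]')

def detect(arg: str, normalise: bool = True) -> bool:
    """True if the rule would fire on this argument value."""
    target = cmd_line(arg) if normalise else arg
    return CMD_RE.search(target) is not None

# Evasions from the post plus a benign value (constructed samples).
SAMPLES = [
    'c^ommand /c dir',
    '"command" /c dir',
    'command,/c dir',
    'CMD.EXE\t/K dir',
    'please run the command for me',
]

def compare() -> dict:
    """Per sample: (hit without cmdLine, hit with cmdLine)."""
    return {s: (detect(s, False), detect(s, True)) for s in SAMPLES}

if __name__ == '__main__':
    for sample, (raw, normalised) in compare().items():
        print(f'{sample!r:35} raw={raw} cmdLine={normalised}')
```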

Failed to access DBM file


My apache errorlog file is full with this kind of errors:

[Thu Oct 02 16:14:20 2008] [error] [client 77.161.197.138] ModSecurity: Failed to access DBM file
"/var/log/modsecurity/data/resource": Permission denied [hostname "www.mydomain.com"] [uri
"/forum/index.php/topic,343178.30.html"] [unique_id "1Tmxkn8AAQEAACqYoCgAAAAJ"]

For testing I've made this directory /var/log/modsecurity/data/ rwx for uga, but to no avail. I'm still
getting this error.

I'm running Ubuntu Hardy and I've also tried to disable AppArmor but still I'm getting this error.
Ivan Ristic | 2 Oct 16:40

Re: SQL Injection that slipped past ModSecurity

Thanks for your submission, Ray.

I will look into it and get back to you.

On Wed, Sep 24, 2008 at 9:53 PM, Ray <rpesek <at> hotmail.com> wrote:
> http://<URL>/instaboard/index.cfm?frmid=1%20AND%20u.userid%20IN%20(select%20userid%20from%20users);
>
> I have another device that looks at traffic that gets past ModSecurity.
> During a recent pen test the above code slipped past ModSecurity 2.5.6.
> using the Core Rule Set v1.6.1.
>
> I figured I should post it in case it indicates a weakness in the core rule
> set.
>
> FWIW,
>
> Ray

-- 
Ivan Ristic

Brian Rectanus | 2 Oct 17:36

Re: Failed to access DBM file

Come_Again Come_Again wrote:
> 
> My apache errorlog file is full with this kind of errors:
> 
> [Thu Oct 02 16:14:20 2008] [error] [client 77.161.197.138] ModSecurity:
> Failed to access DBM file "/var/log/modsecurity/data/resource":
> Permission denied [hostname "www.mydomain.com"] [uri
> "/forum/index.php/topic,343178.30.html"] [unique_id
> "1Tmxkn8AAQEAACqYoCgAAAAJ"]
> 
> 
> For testing I've made this directory /var/log/modsecurity/data/ rwx for
> uga, but to no avail. I'm still getting this error.
> 
> I'm running Ubuntu Hardy and I've also tried to disable AppArmor but
> still I'm getting this error.

You should try to do the following, which will verify access is correct
or you will get an error:

$ sudo su - www-data
$ cd /var/log/modsecurity/data \
  && touch resource.pag \
  && touch resource.dir

In short, the www-data user (or whatever user you are using to run apache)
will need, at a bare minimum, +x for all paths up to
/var/log/modsecurity and +rwx on /var/log/modsecurity/data.

Typically, it would be o+x for paths up to /var/log/modsecurity and 2770
(rwxrws---) to /var/log/modsecurity/data with a www-data group.

If you are using chroot, then those will be in the jail.

If that still is not working, then I'll need some context as there are a
few places in the code you can get that error.  Please send to me privately:

1) ModSecurity version
2) Complete level 9 debug output showing a few of these errors (sanitize
it first if need be)
3) Need to see permissions on all paths and files:

ls -lad /var
ls -lad /var/log
ls -lad /var/log/modsecurity
ls -lad /var/log/modsecurity/data
ls -la /var/log/modsecurity/data/

thanks,
-B

-- 
Brian Rectanus
Breach Security

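Added example, not from Brian's reply or from ModSecurity: a Python check of the permission requirement he describes (+x on every ancestor of the data directory, +rwx on the data directory itself) for a given uid and group set, reporting which path component blocks access. It models plain mode bits only; ACLs, AppArmor and root's override are outside its scope, and the self_check layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

def _bits(st: os.stat_result, uid: int, gids: set) -> tuple:
    """(r, w, x) for a non-root principal, using the owner, group or other
    triplet the way the kernel selects it (ACLs/AppArmor not modelled)."""
    if st.st_uid == uid:
        shift = 6            # owner triplet
    elif st.st_gid in gids:
        shift = 3            # group triplet
    else:
        shift = 0            # other triplet
    m = st.st_mode
    return bool(m & (4 << shift)), bool(m & (2 << shift)), bool(m & (1 << shift))

def dbm_access_problems(data_dir: str, uid: int, gids: set) -> list:
    """Which components stop uid from creating resource.pag / resource.dir in
    data_dir: every ancestor needs +x, data_dir itself needs +rwx."""
    path = Path(data_dir).resolve()
    problems = []
    for ancestor in reversed(path.parents):          # "/" first, then downwards
        _, _, x = _bits(ancestor.stat(), uid, gids)
        if not x:
            problems.append(f"{ancestor}: needs +x for uid {uid}")
    r, w, x = _bits(path.stat(), uid, gids)
    missing = ''.join(c for c, ok in (('r', r), ('w', w), ('x', x)) if not ok)
    if missing:
        problems.append(f"{path}: needs +{missing} for uid {uid}")
    return problems

def self_check() -> tuple:
    """Constructed layout <tmp>/modsecurity (0700) / data (0770), mirroring the
    thread. Returns (problems for the owner, problems for an unrelated uid)."""
    root = tempfile.mkdtemp()
    data = os.path.join(root, "modsecurity", "data")
    os.makedirs(data)
    os.chmod(os.path.join(root, "modsecurity"), 0o700)
    os.chmod(data, 0o770)
    me = os.getuid()
    mine = dbm_access_problems(data, me, {os.getgid()} | set(os.getgroups()))
    other = dbm_access_problems(data, me + 1, set())  # hypothetical www-data
    return mine, other

if __name__ == '__main__':
    for line in self_check()[1]:
        print(line)
```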
Ryan Barnett | 2 Oct 18:33

Re: SQL Injection that slipped past ModSecurity

-----Original Message-----
From: Ray [mailto:rpesek <at> hotmail.com]
Sent: Wednesday, September 24, 2008 4:53 PM
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] SQL Injection that slipped past ModSecurity
http://<URL>/instaboard/index.cfm?frmid=1%20AND%20u.userid%20IN%20(select%20userid%20from%20users);

I have another device that looks at traffic that gets past ModSecurity.
During a recent pen test the above code slipped past ModSecurity 2.5.6.
using the Core Rule Set v1.6.1.

I figured I should post it in case it indicates a weakness in the core rule
set.

[Ryan Barnett] Thanks for the note. In looking at this specific example, it looks as though Core Rule ID 950001 (SQL Injection) is being a bit too specific as it is looking for "select" followed by "from" then followed by "where" (RegEx section bolded below, if you have html enabled email) -

(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\ <at> \ <at> |cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\ <at> \ <at> version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')

[Ryan Barnett] In your example the "where" was omitted and still likely functioned as a legit SQL query. You could try and delete the "\bwhere" portion to address your issue and it should work.

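Added example, not from CRS or from Ryan's reply: the select/from/where branch of the quoted rule, isolated and compared with the same branch minus `\bwhere`, run against the reported URL (host replaced by the placeholder example.invalid) and a constructed benign query, to show why the original branch missed the request and what the relaxation costs in false positives. Case-insensitive matching and plain URL decoding stand in for the CRS transformation chain (assumption).

```python
import re
from urllib.parse import parse_qs, urlsplit

# The "select ... from ... where" branch of rule 950001 as quoted in the reply,
# isolated here for illustration (the real rule has many more alternatives).
SELECT_BRANCH = (r'\bselect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom'
                 r'|from\b.{1,100}?\bwhere))')
# Same branch with the "\bwhere" requirement removed, as the reply suggests.
SELECT_BRANCH_RELAXED = SELECT_BRANCH.replace(r'\bwhere', '')

def arg_values(url: str) -> list:
    """URL-decoded query argument values, i.e. the ARGS ModSecurity inspects."""
    return [v for vals in parse_qs(urlsplit(url).query).values() for v in vals]

def hits(pattern: str, url: str) -> bool:
    # Case-insensitive match is an assumption standing in for t:lowercase.
    return any(re.search(pattern, v, re.I) for v in arg_values(url))

# The reported request (host is a placeholder) and a constructed benign one.
REPORTED = ('http://example.invalid/instaboard/index.cfm?frmid=1%20AND%20u.userid'
            '%20IN%20(select%20userid%20from%20users);')
BENIGN = 'http://example.invalid/help?q=please%20select%20items%20from%20the%20list'

def compare() -> dict:
    """Per request: (original branch fires, relaxed branch fires)."""
    return {
        'reported': (hits(SELECT_BRANCH, REPORTED), hits(SELECT_BRANCH_RELAXED, REPORTED)),
        'benign': (hits(SELECT_BRANCH, BENIGN), hits(SELECT_BRANCH_RELAXED, BENIGN)),
    }

if __name__ == '__main__':
    for name, (orig, relaxed) in compare().items():
        print(f'{name}: original={orig} relaxed={relaxed}')
```

The relaxed branch now fires on any "select ... from" within 100 characters, which is why the benign help query also trips it; a tuned rule would pair the relaxation with an exception for fields that legitimately carry such text.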

Persistent Storage

What exactly can you do with this feature and how do you use this?

Link to User Guide:
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/modsecurity2-apache-reference.html#N11A88

Ray | 2 Oct 22:35

Re: SQL Injection that slipped past ModSecurity

The good news is 2,844 attacks got stopped. :-)

The only thing that got through other than this one were checks for specific 
application paths.

Ray

"Ivan Ristic" <ivan.ristic <at> gmail.com> wrote in message 
news:1f9222b70810020740v4a217180n48ecb8ecab7b2f8a <at> mail.gmail.com...
> Thanks for your submission, Ray.
>
> I will look into it and get back to you.
>
>
> On Wed, Sep 24, 2008 at 9:53 PM, Ray <rpesek <at> hotmail.com> wrote:
>> http://<URL>/instaboard/index.cfm?frmid=1%20AND%20u.userid%20IN%20(select%20userid%20from%20users);
>>
>> I have another device that looks at traffic that gets past ModSecurity.
>> During a recent pen test the above code slipped past ModSecurity 2.5.6.
>> using the Core Rule Set v1.6.1.
>>
>> I figured I should post it in case it indicates a weakness in the core 
>> rule
>> set.
>>
>> FWIW,
>>
>> Ray
>
>
>
> -- 
> Ivan Ristic
