Neha Chriss | 1 Feb 02:28

Variable Expansion for Redirect Action and SecDefaultAction Inheritance

Hello,

I would like all of my rules to perform the default action of redirecting to a
custom page on our site. This redirect should supply the request's unique_id. I
thought the best method to do this would be using SecDefaultAction:


SecDefaultAction "setenv:unique_id=%{UNIQUE_ID}, \
phase:2,log,redirect:http://www2.site.com/pm/form.asp?i=3&eID=%{unique_id}"


My custom rules that have no action specified work just fine this way,
but if a rule is triggered in any of the coremod security rulesets, 
unique_id is not set and while a redirect *is* actually executed, 
the %{unique_id} variable is sent as a literal string.

How can I force the %{unique_id} variable to expand on every redirect for all
rules? Is there a better way to accomplish this? 
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Ryan Barnett | 1 Feb 03:03

Re: Variable Expansion for Redirect Action and SecDefaultAction Inheritance

After some testing – it appears that there is a bug here with the combination of macro expansion in
redirect action in a SecDefaultAction when the SecRule that triggers the alert uses the "block" action
(and inherits the disruptive action).  I have opened a JIRA ticket for this issue -
https://www.modsecurity.org/tracker/browse/MODSEC-288

-Ryan

From: Neha Chriss <nchriss <at> gmail.com>
Date: Tue, 31 Jan 2012 19:28:17 -0600
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] Variable Expansion for Redirect Action and SecDefaultAction Inheritance

Hello,

I would like all of my rules to perform the default action of redirecting to a
custom page on our site. This redirect should supply the request's unique_id. I
thought the best method to do this would be using SecDefaultAction:

SecDefaultAction "setenv:unique_id=%{UNIQUE_ID}, \
phase:2,log,redirect:http://www2.site.com/pm/form.asp?i=3&eID=%{unique_id}"

My custom rules that have no action specified work just fine this way,
but if a rule is triggered in any of the coremod security rulesets,
unique_id is not set and while a redirect *is* actually executed,
the %{unique_id} variable is sent as a literal string.

How can I force the %{unique_id} variable to expand on every redirect for all
rules? Is there a better way to accomplish this?

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.


Magento installer is running forever with mod_security enabled

Hi Guys,

We have just installed a 2.6.3 installation of mod_security on a development machine. Mod_security
seems to work normally as it should.
But when trying to install (the first screen where you have to agree the license agreement) Magento the
browser keeps "waiting for the host".

* When turning off mod_security it works normally
* even with no rules enabled
* nothing in logs
* SecComponentSignature "core ruleset/2.2.3"
* System: RHEL 6, PHP  + suPHP + suhosin PATCH), Selinux disabled
* Apache process is eating 100% CPU

Anyone has a clue about this?

- Gerwin


Magento installer is running forever with mod_security enabled -small update-

Some small update. I also have this problem with the installation of Wordpress and was seeing the following
messages (a LOT):

[02/Feb/2012:15:56:52 +0100] [example.net/sid#3f15368][rid#41d19c8][/wordpress/wp-admin/setup-config.php][9] Input filter: Bucket type EOS contains 0 bytes.
[02/Feb/2012:16:01:29 +0100] [example.net/sid#4091ad0][rid#43499c8][/magento/index.php/install/wizard/beginPost/][9] Input filter: Bucket type EOS contains 0 bytes.


Breno Silva | 2 Feb 17:07

Re: Magento installer is running forever with mod_security enabled -small update-

Hi Gerwin,

I saw something similar with APR 1.4.5 if I remember well and when you use different APR versions for Apache and ModSec.

Thanks

On Thu, Feb 2, 2012 at 9:05 AM, Gerwin Krist -|- Digitalus Webhosting & Webdesign <gerwin <at> digitalus.nl> wrote:
Some small update. I also have this problem with the installation of Wordpress and was seeing the following messages (a LOT):

[02/Feb/2012:15:56:52 +0100] [example.net/sid#3f15368][rid#41d19c8][/wordpress/wp-admin/setup-config.php][9] Input filter: Bucket type EOS contains 0 bytes.
[02/Feb/2012:16:01:29 +0100] [example.net/sid#4091ad0][rid#43499c8][/magento/index.php/install/wizard/beginPost/][9] Input filter: Bucket type EOS contains 0 bytes.

Otto Schlagmichtot | 2 Feb 22:01

filter html comments

Hi, I want to filter html comments in the response body. So I used this:

SecContentInjection On
SecResponseBodyAccess On
SecStreamOutBodyInspection On
SecRule STREAM_OUTPUT_BODY "@rsub s/<!--.*?-->/ /" "phase:4,t:none,nolog,pass"

This works but not if I have more than one line... for example:
<!--
Bla
Bla
Bal
 -->
and how could I resolve this problem with mod_security 2.5 ?
 
regards, kai
Ryan Barnett | 2 Feb 22:42

Re: filter html comments

The default PCRE behavior is that a dot character will match any character except a newline (\n).  You should
modify your regex to include (?s) like this -

SecRule STREAM_OUTPUT_BODY "@rsub s/(?s)<!--.*?-->/ /" "phase:4,t:none,nolog,pass"

-Ryan

From: Otto Schlagmichtot <hx2680 <at> yahoo.com>
Reply-To: Otto Schlagmichtot <hx2680 <at> yahoo.com>
Date: Thu, 2 Feb 2012 15:01:52 -0600
To: mod-security-users <at> lists.sourceforge.net
Subject: [mod-security-users] filter html comments

Hi, I want to filter html comments in the response body. So I used this:

SecContentInjection On
SecResponseBodyAccess On
SecStreamOutBodyInspection On
SecRule STREAM_OUTPUT_BODY "@rsub s/<!--.*?-->/ /" "phase:4,t:none,nolog,pass"

This works but not if I have more than one line... for example:
<!--
Bla
Bla
Bal
 -->
and how could I resolve this problem with mod_security 2.5 ?

regards, kai
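
The difference between the two patterns in this thread, as an added example that is not part of either message. Python's re module stands in for PCRE (in both, "." does not match "\n" unless (?s) is set), the response body and the greedy variant are constructed, and replacing every match is an assumption about how @rsub applies the substitution.

```python
import re

# Patterns from the thread, plus one constructed contrast case.
PATTERNS = {
    "original": r"<!--.*?-->",          # from the question: "." stops at "\n"
    "dotall_lazy": r"(?s)<!--.*?-->",   # from the reply: (?s) lets "." cross lines
    "dotall_greedy": r"(?s)<!--.*-->",  # constructed: same flag, greedy quantifier
}

# Constructed response body (not from the thread): a single-line comment,
# visible markup, a multi-line comment, then more visible markup.
SAMPLE_BODY = (
    "<html><body>\n"
    "<!-- build 1234 -->\n"
    "<p>public text</p>\n"
    "<!--\n"
    "TODO: remove debug endpoint\n"
    "db host: 10.0.0.5\n"
    "-->\n"
    "<p>more public text</p>\n"
    "</body></html>\n"
)


def strip_comments(body, pattern):
    """Replace every match with one space, mirroring s/<pattern>/ /."""
    return re.sub(pattern, " ", body)


def remaining_comments(body):
    """Audit helper: list comments still present, matching across newlines."""
    return re.findall(r"(?s)<!--.*?-->", body)


def audit(body):
    """Run each pattern and report what leaked through and what was lost."""
    results = {}
    for name, pattern in PATTERNS.items():
        filtered = strip_comments(body, pattern)
        results[name] = {
            # Comments the filter failed to remove (information still exposed).
            "leftover": remaining_comments(filtered),
            # Visible paragraphs that survived (2 means nothing was eaten).
            "public_kept": filtered.count("public text"),
        }
    return results


if __name__ == "__main__":
    for name, outcome in audit(SAMPLE_BODY).items():
        print(name, "leftover comments:", len(outcome["leftover"]),
              "public paragraphs kept:", outcome["public_kept"])
```

With (?s) enabled the lazy `.*?` is what keeps the match from running from the first `<!--` to the last `-->` and deleting the markup between two comments.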


Re: Magento installer is running forever with mod_security enabled -small update-

Hi Breno,

I'm using the stock APR version which comes with RHEL 6 (apr-1.3.9-3.el6_1.2.x86_64). The httpd package
is not the default package from Redhat but from interworx hosting panel. Is there a way to check
which APR version apache is using?

On 02.02.2012 17:07, Breno Silva wrote:
> Hi Gerwin,
>
> I saw something similar with APR 1.4.5 if I remember well and when
> you use different APR versions for Apache and ModSec.
>
> Thanks
>
> On Thu, Feb 2, 2012 at 9:05 AM, Gerwin Krist -|- Digitalus Webhosting
> & Webdesign wrote:
>
>> Some small update. I also have this problem with the installation of
>> Wordpress and was seeing the following messages (a LOT):
>>
>> [02/Feb/2012:15:56:52 +0100] [example.net/sid#3f15368][rid#41d19c8][/wordpress/wp-admin/setup-config.php][9] Input filter: Bucket type EOS contains 0 bytes.
>> [02/Feb/2012:16:01:29 +0100] [example.net/sid#4091ad0][rid#43499c8][/magento/index.php/install/wizard/beginPost/][9] Input filter: Bucket type EOS contains 0 bytes.

Re: Magento installer is running forever with mod_security enabled -small update-

Breno,

I also found out that this problem is NOT present when using a Mod security 2.5 version. >2.6 does have this problem ...

On 02/02/2012 05:07 PM, Breno Silva wrote:
> Hi Gerwin,
>
> I saw something similar with APR 1.4.5 if I remember well and when you use different APR versions for Apache and ModSec.
>
> Thanks
>
> On Thu, Feb 2, 2012 at 9:05 AM, Gerwin Krist -|- Digitalus Webhosting & Webdesign <gerwin <at> digitalus.nl> wrote:
>
>     Some small update. I also have this problem with the installation of Wordpress and was seeing the following messages (a LOT):
>
>     [02/Feb/2012:15:56:52 +0100] [example.net/sid#3f15368][rid#41d19c8][/wordpress/wp-admin/setup-config.php][9] Input filter: Bucket type EOS contains 0 bytes.
>     [02/Feb/2012:16:01:29 +0100] [example.net/sid#4091ad0][rid#43499c8][/magento/index.php/install/wizard/beginPost/][9] Input filter: Bucket type EOS contains 0 bytes.

Ryan Barnett | 3 Feb 17:22

Re: ModSecurity Virtual Patching Workshop/Training at OWASP AppSecDC 2012

FYI – early bird discount rates end today.

This workshop is going to be pretty hard core :)  We are going to be using the OWASP Broken Web Applications VM -
http://code.google.com/p/owaspbwa/wiki/ProjectSummary as it already has ModSecurity installed. 
It will give us a wide range of web apps/vulns to try and tackle.  I also have a really cool integration
between ModSecurity and Arachni (http://arachni-scanner.com/) that we will use.

Hope to see you at the workshop!

-Ryan

From: Ryan Barnett <rbarnett <at> trustwave.com>
Date: Thu, 19 Jan 2012 10:04:50 -0600
To: mod-security-users <at> lists.sourceforge.net, owasp-modsecurity-core-rule-set <at> lists.owasp.org
Subject: ModSecurity Virtual Patching Workshop/Training at OWASP AppSecDC 2012

OWASP has just announced that my 2-day ModSecurity Virtual Patching Workshop training class as part of
AppSecDC 2012 is online - https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Training/Virtual_Patching_Workshop

In this training, we will walk through the theory of Virtual Patching – when, where and how to best use it. 
We will be working through the "Virtual Patching: Best Practices" document and even be updating it as we go
with feedback.  We will then have hands-on labs where our goal will be to virtually patch as many of the OWASP
WebGoat vulnerabilities as possible.  We will also cover topics such as automatic virtual patch creation
from web app scanner output (with a lab).

Let me know if you have any questions or comments.  I hope you will join me for this in-depth workshop!

--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs
www.trustwave.com
