From: "retired1af@gmail.com" <retired1af@gmail.com>
Date: Tue, 22 May 2012 07:17:57 -0500
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] Forum reply being blocked by mod_security

I'm not getting very far with the software developers so I'm now appealing to the experts here to find a solution to my problem.

It appears mod_security is triggering on the word nmap within a forum post, preventing replies to the thread. Link is here: http://www.globalaffairs.org/forum/threads/nmap-6-released.68912/

The mod_security log shows the following:

Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:X-Ajax-Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]

This is the first time I've run across this, but it seems to be a common occurrence with the XenForo software package. If a post contains a keyword as defined in the mod_security rules, replying to the thread is prevented.

Personally, I feel this is a software issue with XenForo. But I'm covering all my bases in my search for a fix.

What CRS rules version are you using?  You might want to upgrade - https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

The false positive is matching data in the REQUEST_HEADERS:X-Ajax-Referer data.  The rule you are using is probably already excluding the normal Referer field like this -
REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES 
What version of ModSecurity are you using?  If it is v2.6 you can use SecRuleUpdateTargetsById to prevent that variable from being inspected by that rule like this -

SecRuleUpdateTargetsById 959006 "!REQUEST_HEADERS:X-Ajax-Referer"

Hope this helps,
Ryan
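As an added illustration (not part of either message above, and not ModSecurity's own code), here is a small Python model of how a rule's target list is resolved: positive targets such as REQUEST_HEADERS select variables, negated targets such as !REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/' remove them, and SecRuleUpdateTargetsById appends one more negated target to the list. The request headers, the XenForo-style thread URL and the keyword regex are all constructed; the regex is only a stand-in for the truncated 959006 pattern quoted in the log (just the nmap term), not the real CRS expression.

```python
import re

# Constructed sample request (not from the list thread): an AJAX reply to a
# thread whose URL contains the word "nmap", sent in both Referer headers.
THREAD_URL = "http://www.example.com/forum/threads/nmap-6-released.68912/"
REQUEST = {
    "headers": {
        "Host": "www.example.com",
        "Referer": THREAD_URL,
        "X-Ajax-Referer": THREAD_URL,
        "User-Agent": "Mozilla/5.0",
        "Cookie": "xf_session=abc123",
    },
    "cookies": {"xf_session": "abc123"},
}

# Second constructed request: the keyword sits in a header the exclusion does
# not cover, so the rule must still fire after the update.
REQUEST_UA = {
    "headers": {"Host": "www.example.com",
                "User-Agent": "nmap scripting engine",
                "X-Ajax-Referer": THREAD_URL},
    "cookies": {},
}

# Stand-in for the truncated 959006 regex in the log: only the nmap term.
KEYWORD_RE = re.compile(r"\bnmap\b", re.IGNORECASE)

# Target list from the reply above, and the SecRuleUpdateTargetsById argument.
ORIGINAL_TARGETS = ("REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'"
                    "|REQUEST_COOKIES|REQUEST_COOKIES_NAMES")
UPDATE = "!REQUEST_HEADERS:X-Ajax-Referer"


def split_targets(spec):
    """Split on '|' but not inside a quoted regex selector like '/^(a|b)$/'."""
    tokens, current, quoted = [], "", False
    for ch in spec:
        if ch == "'":
            quoted = not quoted
        if ch == "|" and not quoted:
            tokens.append(current)
            current = ""
        else:
            current += ch
    tokens.append(current)
    return tokens


def parse_targets(spec):
    """Yield (negated, collection, selector) for each target in the list."""
    for tok in split_targets(spec):
        negated = tok.startswith("!")
        collection, _, selector = tok.lstrip("!").partition(":")
        yield negated, collection, selector.strip("'") or None


def selector_matches(selector, name):
    """None selects the whole collection; /regex/ selects by name; else exact.
    Header names are compared case-insensitively, as HTTP requires."""
    if selector is None or selector == "/*":
        return True
    if len(selector) >= 2 and selector[0] == "/" and selector[-1] == "/":
        return re.search(selector[1:-1], name, re.IGNORECASE) is not None
    return selector.lower() == name.lower()


def resolve_variables(spec, request):
    """Return {COLLECTION:name: value} the rule inspects: positive targets are
    collected first, then every negated target removes what it matches."""
    collections = {
        "REQUEST_HEADERS": request["headers"],
        "REQUEST_COOKIES": request["cookies"],
        "REQUEST_COOKIES_NAMES": {n: n for n in request["cookies"]},
        "XML": {},  # no XML body in these requests
    }
    targets = list(parse_targets(spec))
    selected = {}
    for negated, coll, sel in targets:
        if not negated:
            for name, value in collections.get(coll, {}).items():
                if selector_matches(sel, name):
                    selected[f"{coll}:{name}"] = value
    for negated, coll, sel in targets:
        if negated:
            for key in list(selected):
                coll_of_key, _, name = key.partition(":")
                if coll_of_key == coll and selector_matches(sel, name):
                    del selected[key]
    return selected


def matched_variables(spec, request, pattern=KEYWORD_RE):
    """Names of the inspected variables the keyword pattern would match on."""
    return sorted(k for k, v in resolve_variables(spec, request).items()
                  if pattern.search(v))


def apply_update_targets(spec, update):
    """SecRuleUpdateTargetsById appends its argument to the rule's targets."""
    return spec + "|" + update


if __name__ == "__main__":
    print("before:", matched_variables(ORIGINAL_TARGETS, REQUEST))
    updated = apply_update_targets(ORIGINAL_TARGETS, UPDATE)
    print("after: ", matched_variables(updated, REQUEST))
    print("other header still inspected:", matched_variables(updated, REQUEST_UA))
```

Run stand-alone, the first request trips the stand-in pattern only on REQUEST_HEADERS:X-Ajax-Referer (Referer is already removed by the regex exclusion in the stock target list); after the SecRuleUpdateTargetsById line is appended, that variable is no longer inspected, while the same keyword in User-Agent still matches, which is the point of excluding one named header rather than disabling the rule.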


