Re: [mod-security-users] Blocking File uploads by contents
From: Justin B. <gq...@gm...> - 2008-11-12 22:48:49
Thanks for your response, please see my comments below:

> The docs for inspectFile are not very good. Actually, they are
> non-existent, heh. The script *must* print to stdout. If the first
> character output is '1' then the action is taken, otherwise (typically
> outputting '0') the rule did not match and no action is taken. Just
> exiting with a return code of 0 or 1 is not sufficient.

My Bash script is echoing a 0 or 1 to stdout in addition to exiting with those values.

> Additionally, your rule will only work if the body of the request has a
> Content-Type of "multipart/form-data" and one of the parts has a
> Content-Disposition header with a filename= parameter (a
> multipart/form-data file upload). The FILES_TMPNAMES is a collection of
> all of these filenames and if the collection is empty, then the rule is
> not even processed, which seems to be your case.

I tried both my own form and the one you provided below. Neither of them caused any Multipart: entries to appear in the log. Have I missed some sort of configuration value I need to set in order for mod_security to handle file uploads?
Here is my full configuration file that Apache is including:

####
LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so

<IfModule mod_security2.c>
SecRuleEngine On

# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255

SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
#SecDebugLogLevel 9

SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow

SecTmpDir /tmp
SecUploadDir /path/to/uploadtmp/
SecUploadKeepFiles On

SecRule FILES_TMPNAMES "@inspectFile /usr/bin/modsecFileChecker.sh" \
    "auditlog,id:50,rev:1,severity:CRITICAL,msg:'PHP file upload attempt',phase:2,t:none"
</IfModule>
####

And here is the full level 9 output of my test.

####
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Initialising transaction (txid SRtYgNE@BGIAABctMfIAAAAD).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Transaction context created (dcfg 8a313c8).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Starting phase REQUEST_HEADERS.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] This phase consists of 0 rule(s).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] PdfProtect: Not enabled here.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Second phase starting (dcfg 8a313c8).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Input filter: Request body access not enabled.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Time #1: 465
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Starting phase REQUEST_BODY.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] This phase consists of 2 rule(s).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Recipe: Invoking rule 918fe48; [file "/path/to/modsec.conf"] [line "16"].
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][5] Rule 918fe48: SecRule "REMOTE_ADDR" "@rx ^127.0.0.1$" "phase:2,status:406,nolog,allow"
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Transformation completed in 2 usec.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Executing operator "rx" with param "^127.0.0.1$" against REMOTE_ADDR.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] Target value: "123.123.123.123"
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Operator completed in 2 usec.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Rule returned 0.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] No match, not chained -> mode NEXT_RULE.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Recipe: Invoking rule 9190638; [file "/path/to/modsec.conf"] [line "6"] [id "50"] [rev "1"].
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][5] Rule 9190638: SecRule "FILES_TMPNAMES" "@inspectFile /usr/bin/modsecFileChecker.sh" "phase:2,deny,log,status:406,auditlog,id:50,rev:1,severity:CRITICAL,msg:'PHP file upload attempt',t:none"
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Rule returned 0.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] No match, not chained -> mode NEXT_RULE.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Time #2: 672
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Hook insert_filter: Adding PDF XSS protection output filter (r942d5d8).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Hook insert_filter: Adding output filter (r 942d5d8).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] Output filter: Receiving output (f 943f4d8, r 942d5d8).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Starting phase RESPONSE_HEADERS.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] This phase consists of 0 rule(s).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Output filter: Response body buffering is not enabled.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] Content Injection: Not enabled.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Output filter: Completed receiving response body (non-buffering).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Starting phase RESPONSE_BODY.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] This phase consists of 0 rule(s).
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Output filter: Output forwarding complete.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] Output filter: Sending input brigade directly.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Initialising logging.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][4] Starting phase LOGGING.
[domain.com/sid#919ce70][rid#942d5d8][/uptest/index.php][9] This phase consists of 0 rule(s).
#####

> Check the debug log (level 9) for something like this:
>
> [9] Multipart: Added part header "Content-Disposition" "form-data;
> name=\"uploadFile\"; filename=\"xml-fix.diff\""
> [9] Multipart: Added part header "Content-Type" "text/x-diff"
> [9] Multipart: Content-Disposition name: uploadFile
> [9] Multipart: Content-Disposition filename: xml-fix.diff
> [4] Multipart: Created temporary file:
> /apps/tmp/20081112-113554-SRswGn8AAQEAAG0CYu8AAADB-file-rBf70z
> [9] Multipart: Changing file mode to 0640:
> /apps/tmp/20081112-113554-SRswGn8AAQEAAG0CYu8AAADB-file-rBf70z
> [9] Multipart: Added file part 19df328 to the list: name "uploadFile"
> file name "xml-fix.diff" (offset 165, length 727)
> [9] Multipart: Added part header "Content-Disposition" "form-data;
> name=\"uploadFile\""
> [9] Multipart: Content-Disposition name: uploadFile
> [9] Multipart: Added data to variable: Upload File
> [9] Multipart: Added part 19dfde0 to the list: name "uploadFile" (offset
> 1007, length 11)

As you can see, none of the Multipart entries you mentioned are appearing in my log. Any ideas?
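Editor's added example (not code from this thread or from the ModSecurity project): a minimal `@inspectFile` checker written to the contract described in the quoted reply above, where ModSecurity passes the temporary upload path as the script's first argument and only the first character written to stdout decides the match ('1' matches, anything else does not). It assumes the script is installed at the path the posted rule names, /usr/bin/modsecFileChecker.sh, and the PHP-tag patterns it greps for are illustrative, not a complete signature set. Two caveats a practitioner would want: the script fails closed when it cannot read the file, and the operator is only ever invoked when FILES_TMPNAMES is non-empty. In ModSecurity 2.x the multipart parser that fills FILES_TMPNAMES runs only when `SecRequestBodyAccess On` is set; the debug log above records "Input filter: Request body access not enabled", and the posted configuration does not set that directive.

```bash
#!/bin/bash
# Added example, not from the original thread: a minimal @inspectFile checker.
# ModSecurity invokes it as:  /usr/bin/modsecFileChecker.sh /path/to/tmpfile
# Contract: the FIRST character written to stdout decides the result.
#   '1' -> operator matches (the rule's disruptive action fires)
#   anything else (by convention '0') -> no match
# The process exit status is not what ModSecurity looks at; stdout is.

# Illustrative patterns assumed to indicate PHP code in an upload (not exhaustive).
PHP_PATTERNS='<\?php|<\?=|<script[[:space:]]+language=.?php'

# inspect_file PATH
#   prints the verdict line; returns 0 when clean, 1 when flagged
inspect_file() {
    local path="$1"
    if [ ! -r "$path" ]; then
        # Fail closed: an upload we cannot inspect is reported as a match.
        echo "1 cannot read upload: $path"
        return 1
    fi
    if grep -E -i -q -e "$PHP_PATTERNS" -- "$path"; then
        echo "1 PHP code detected in upload"
        return 1
    fi
    echo "0 clean"
    return 0
}

# When ModSecurity calls us with a file argument, check it and stop.
if [ -n "${1:-}" ]; then
    inspect_file "$1"
    exit 0
fi

# Stand-alone demo on constructed inputs (runs only when no argument is given).
demo_dir=$(mktemp -d)
printf '<?php system($_GET["c"]); ?>\n' > "$demo_dir/evil.jpg"   # constructed webshell-style upload
printf 'GIF89a plain image bytes\n' > "$demo_dir/ok.gif"          # constructed benign upload
inspect_file "$demo_dir/evil.jpg" || true
inspect_file "$demo_dir/ok.gif"   || true
rm -rf "$demo_dir"
```

The fail-closed branch matters in production: a temporary file that has already been unlinked, or one the Apache user cannot read, would otherwise silently pass as "clean". Run the script by hand against a saved upload (`./modsecFileChecker.sh /tmp/some-upload`) and confirm the first character of its output before wiring it into a deny rule.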