[mod-security-users] Simple question - how do I allow download of exe?
From: chris d. <ch...@de...> - 2011-05-03 15:17:45
All,

So I have mod security set up and protecting the application. All working well.

Now the client wants to host a .exe that will be used by support personnel to help people when they hit issues. So I thought I could just add the following to httpd.conf and all would be well

<LocationMatch /support/TeamViewerQS.exe>
SecRuleEngine Off
</LocationMatch>

However mod_security still fires and blocks the access.

Mod security 2.5.13
core rule-set 2.1.1

How can I allow download of this single file?

I haven't seen anyone else post logs so not sure if it's the right thing to do - I've sanitized it so guess it should be ok

Thanks
Chris

--29000000-A--
[03/May/2011:16:01:06 +0100] TcAYsk1ERPAAAAF4BgQAAAA@<src.ip> 34965 <dest.ip> 443
--29000000-B--
GET /support/TeamViewerQS.exe HTTP/1.1
Host: <source host>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=B1061173B34C165AC249A64ED8D1D631
Pragma: no-cache
Cache-Control: no-cache
--29000000-F--
HTTP/1.1 403 Forbidden
Content-Length: 226
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--29000000-H--
Apache-Error: [file "C:\\local0\\asf\\release\\build-2.2.17\\modules\\aaa\\mod_authz_host.c"] [line 311] [level 3] client denied by server configuration: D:/apps/Apache2.2/htdocs/venus/support/TeamViewerQS.exe\r
Stopwatch: 1304434866559600 0 (- - -)
Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); core ruleset/2.1.1.
Server: Apache
WebApp-Info: "QNS" "-" "-"
--29000000-K--
SecAction "auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2"
SecAction "auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
SecAction "auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
SecAction "auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
SecAction "auditlog,status:412,phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
SecAction "auditlog,status:412,phase:1,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf text/x-gwt-rpc',setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "auditlog,status:412,phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"
SecAction "auditlog,status:412,phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "log,auditlog,status:412,phase:1,chain,rev:2.1.1,t:none,block,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3"
--29000000-Z--
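
An added example, not part of the original post or of ModSecurity itself: a small parser for the audit log format shown above that splits an entry into its lettered sections and reports whether the trailer (section H) records a ModSecurity interception or an error raised by another Apache module. The function names and the trimmed sample are constructed for illustration.

```python
import re
# Constructed sample: the entry from the post, trimmed to sections A, F and H.
SAMPLE = r'''--29000000-A--
[03/May/2011:16:01:06 +0100] TcAYsk1ERPAAAAF4BgQAAAA@<src.ip> 34965 <dest.ip> 443
--29000000-F--
HTTP/1.1 403 Forbidden
--29000000-H--
Apache-Error: [file "C:\\local0\\asf\\release\\build-2.2.17\\modules\\aaa\\mod_authz_host.c"] [line 311] [level 3] client denied by server configuration: D:/apps/Apache2.2/htdocs/venus/support/TeamViewerQS.exe\r
Stopwatch: 1304434866559600 0 (- - -)
Producer: ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/); core ruleset/2.1.1.
--29000000-Z--
'''

BOUNDARY = re.compile(r'^--([0-9a-fA-F]+)-([A-Z])--\s*$')

def split_sections(entry):
    """Split one audit log entry into {section letter: [lines]}."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return sections

def attribute_denial(entry):
    """Report the response status and which component the trailer (H) names."""
    sec = split_sections(entry)
    parts = next((l for l in sec.get('F', []) if l.strip()), '').split()
    trailer = sec.get('H', [])
    apache_errors = []
    for line in (l for l in trailer if l.startswith('Apache-Error:')):
        src = re.search(r'\[file "([^"]+)"\]', line)
        # Keep only the source file name; the path may use / or escaped backslashes.
        module = re.split(r'[\\/]+', src.group(1))[-1] if src else None
        text = re.sub(r'^Apache-Error:\s*(?:\[[^\]]*\]\s*)*', '', line)
        apache_errors.append((module, text))
    return {
        'status': parts[1] if len(parts) > 1 else None,
        # ModSecurity writes "Action: Intercepted (phase N)" when it stops a request.
        'modsecurity_intercepted': any(l.startswith('Action: Intercepted') for l in trailer),
        'matched_rule_ids': [i for l in trailer if l.startswith('Message:')
                             for i in re.findall(r'\[id "(\d+)"\]', l)],
        'apache_errors': apache_errors,
    }
```

Calling `attribute_denial(SAMPLE)` returns a dict; an entry with no `Action: Intercepted` line and an `Apache-Error` from another module's source file points the triage at that module's configuration rather than at the rule set.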