Re: [mod-security-users] New to Modsecurity: I Need to allow directory traversal to a single virtua
From: Ryan B. <RBa...@tr...> - 2012-05-19 21:26:40
On 5/19/12 4:58 PM, "mrnicholsb" <mrn...@gm...> wrote:

> Hello all, I'm new to modsecurity and forgive me if this is a noobish
> question.
>
> But I have a virtual host that I have a lot of iso files on that I would
> like to have directory indexing allowed on just that host.
>
> I have my .htaccess file as follows
>
> Options +Indexes
>
> But ever since I got mod_security running it's being ignored, is there a
> way to tell modsecurity to respect .htaccess files?
>
> Should I just forget about .htaccess altogether while running
> mod_security?
>
> And how would I go about adding an exception to modsecurity to allow
> indexing on this virtual host?

The subject line says "Directory Traversal" but you are talking about
"Directory Indexing", which are two separate issues.

I am assuming, based on the email body, that you are hitting the following
rule in the modsecurity_crs_50_outbound.conf file -

    # Directory Listing
    SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
        "phase:4,rev:'2.2.5',t:none,capture,ctl:auditLogParts=+E,block,msg:'Directory Listing',id:'970013',tag:'LEAKAGE/INFO_DIRECTORY_LISTING',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.6',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/INFO-%{matched_var_name}=%{tx.0}"

If so, and you want to allow this for a specific vhost, then you could do an
exception like this in a local modsecurity_crs_15_custom.conf file -

    SecRule REQUEST_HEADERS:HOST "@streq www.yourhost.com" \
        "id:'1',phase:1,t:none,nolog,pass,ctl:ruleRemoveById=970013"

Essentially, you are checking the Host header in the request (obviously set
to the appropriate vhost/hostname alias) and then dynamically disabling rule
ID 970013 if it matches.

Let me know if that works for you.
Ryan
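Two ways of writing the per-vhost exception described in the reply, as an added example that is not part of the original thread or of the CRS distribution. The hostname isos.example.com, the document root /srv/isos and the local rule id 10001 are assumptions; rule id 970013 and the file layout are the ones quoted in the reply. The point the example adds: the reply's @streq check with t:none is an exact, case-sensitive string comparison, while Apache matches ServerName and ServerAlias case-insensitively, so a request with "Host: ISOS.Example.com" reaches the vhost but would not trigger the exception and would still be blocked. Lowercasing the header first, or scoping the removal to the vhost block so no header comparison is needed, closes that gap.

```apache
# Added example, not from the original reply. Assumed names: isos.example.com,
# /srv/isos, local rule id 10001. Rule 970013 is the CRS "Directory Listing"
# rule quoted in the reply.

# --- Option 1: Host-header exception in modsecurity_crs_15_custom.conf ---
# t:none clears the default transformations, t:lowercase then normalises the
# header so the comparison agrees with Apache's case-insensitive vhost match.
# ctl:ruleRemoveById applies to the rest of this transaction, so the phase-4
# rule 970013 is skipped when the listing is generated.
SecRule REQUEST_HEADERS:Host "@streq isos.example.com" \
    "id:'10001',phase:1,t:none,t:lowercase,nolog,pass,ctl:ruleRemoveById=970013"

# --- Option 2: scope the removal to the vhost itself ---
# SecRuleRemoveById is a configuration directive. Inside the <VirtualHost>
# block it removes 970013 only for requests Apache has already routed to this
# host, so the Host header is never compared by the rule engine at all.
<VirtualHost *:80>
    ServerName isos.example.com
    DocumentRoot /srv/isos

    <Directory /srv/isos>
        # Directory indexing is an Apache option, not a ModSecurity one; the
        # autoindex page is generated first and only then inspected by the
        # phase-4 outbound rules.
        Options +Indexes
        # Needed if "Options +Indexes" is to be honoured from .htaccess.
        AllowOverride Options
    </Directory>

    SecRuleRemoveById 970013
</VirtualHost>
```

Either form leaves 970013 active for every other vhost. Note that 970013 is a phase-4 rule and only runs when SecResponseBodyAccess is On, which is also why the listing was being caught in the first place: ModSecurity was not ignoring the .htaccess file, it was blocking the response the indexing produced. After applying the exception, a request for the listing should no longer produce a "Directory Listing" entry (the msg of 970013) in the ModSecurity audit log for that host.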