Re: [mod-security-users] Mod-Security and php forums
From: Michael S. <mi...@go...> - 2006-08-18 16:30:33
Matt, send me your audit log entries (sanitize if you like, just leave me the context of the way phpbb is being used), and I'll tweak the rules to prevent these false positives.

On Thu, 2006-08-17 at 23:02 +0100, Matt Wrycraft wrote:
> Thanks Tom!
>
> I am running SQL and can certainly understand the need to keep the rules
> dealing with injection attacks. SQL is used throughout my site and I
> would like to keep the rules generally, just exclude them from forum
> posts. I do have sanitation of forum posts anyway, which is why I'm
> happy to avoid using modsec there.
>
> Unfortunately, changing the forum software isn't really an option for me
> at the moment, and I really don't want to anyway as in all other
> respects it's working fine. It's just the modsec false positives that are
> giving me sleepless nights.
>
> I just need the code to exclude it I guess.
>
> Matt
>
> Tom Anderson wrote:
> > If you're not running an SQL database, then you can comment out the
> > chain of rules dealing with SQL injection attacks. Otherwise, only
> > enable them on programs that deal directly with a database. If your
> > forums use a database, the best thing is to ensure there is sanitation
> > of input within your forum software. If so, you can disable the SQL
> > injection filters in mod_security. Otherwise, it might be prudent to
> > keep it or to change forum software.
> >
> > Tom
> >
> > Matt Wrycraft wrote:
> >> Hi all, this is my first question, so please let me know if I've missed
> >> anything.
> >>
> >> After a hacking attempt at another part of my site the sysadmins
> >> installed Mod Security and rules from
> >> http://www.gotroot.com/tiki-index.php?page=mod_security+rules
> >> I now get a number of false positives when posting on the forums (which
> >> are very active and people are getting annoyed at the number of 403s).
> >> I've run google search and checked out the gotroot forum to no avail.
> >> Looking at the audit.log most of the denied posts relate to:
> >>
> >> mod_security-message: Access denied with code 403. Pattern match
> >> "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"
> >> at POST_PAYLOAD
> >>
> >> I've tried loads of variations of posts on the forum and having multiple
> >> spaces or using "into" "select" and "from" in the right order is
> >> obviously what is causing me these problems. I tried commenting out the
> >> rule but Apache failed to start, a quick look suggested that it was part
> >> of a chain of rules and I didn't want to dig too deeply in case I broke
> >> it further, so I uncommented the rule and successfully restarted the
> >> webserver.
> >> I don't really know regex so am not in a position to completely
> >> re-write the rules, as I'm just as likely to make things worse, so I've
> >> reached the conclusion that I would just like to disable mod security
> >> for forum posts.
> >>
> >> I've checked /etc/modsecurity/exclude.conf and there already seem to be
> >> relevant rules for other php-based forums, i.e.
> >>
> >> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
> >> SecFilterRemove 300013
> >> </LocationMatch>
> >>
> >> Now, I'm unsure what rule 300013 does. I've grepped for it and it seems
> >> to be commented out in the rules.conf.
> >>
> >> Anyway, my forum uses the following POST URL, which I assume is the
> >> location match:
> >> /modules.php?name=Forums&file=posting&mode=newtopic&f=13
> >> (with different information after 'posting')
> >>
> >> So I tried putting that into exclude.conf - adding a number of rules
> >> that I thought could be problems (and taking them from other rules
> >> excluded in the exclude.conf) as follows:
> >>
> >> <Location "/modules.php?name=Forums&file=posting.*">
> >> SecFilterRemove 300013
> >> SecFilterRemove 300014
> >> SecFilterRemove 300016
> >> SecFilterRemove 380000
> >> SecFilterRemove 360001
> >> </Location>
> >>
> >> This made no difference and I still suffer the false positives.
> >>
> >> All I want to do is exclude mod security from checking forum posts (yes
> >> I know the risks of this, but I'm using recent code, with additional
> >> handling, and feel that mod security is causing more harm than good
> >> right now)
> >>
> >> Can I for instance use a variation of:
> >> SecFilterSelective REQUEST_URI "/.*/Merchant2/merchant\.mv.*" allow,nolog
> >>
> >> ??
> >>
> >> Any help would be graciously accepted!
> >>
> >> Many thanks in advance.
> >>
> >> Matt
> >>
> >> -------------------------------------------------------------------------
> >> Using Tomcat but need to do more? Need to support web services, security?
> >> Get stuff done quickly with pre-integrated technology to make your job easier
> >> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> >> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> >> _______________________________________________
> >> mod-security-users mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users

--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
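As an added example (not code from the thread or from the gotroot rule set), the following Python replays the SQL-injection pattern quoted in the audit log over constructed forum posts to show the false positive, and contrasts how an Apache `<LocationMatch>` exclusion and a `REQUEST_URI` filter see the forum's posting URL. The case-insensitive compile and the assumption that `REQUEST_URI` carries the query string are mine, not statements from the thread.

```python
import re

# The gotroot SQL-injection pattern exactly as quoted in the audit log entry.
GOTROOT_SQLI = ("(insert[[:space:]]+into.+values|select.+from|"
                "bulk[[:space:]]+insert|union.+select)")

# Python's re has no POSIX bracket classes, so [[:space:]] becomes \s.
# Compiling case-insensitively is an assumption about the rule set, not
# something the thread states.
SQLI_RE = re.compile(GOTROOT_SQLI.replace("[[:space:]]", r"\s"), re.IGNORECASE)


def sqli_match(post_payload: str):
    """Return the fragment that would trip the rule on this POST body, or None."""
    m = SQLI_RE.search(post_payload)
    return m.group(0) if m else None


# Constructed forum posts (not taken from the thread): ordinary English that
# happens to contain "select ... from" or "union ... select" fires the rule
# exactly as the reporter describes, while a harmless post passes.
SAMPLE_POSTS = {
    "select_from": "Please select an avatar from your profile page.",
    "union_select": "The union of both lists lets you select any item.",
    "plain": "Great post, thanks for the help!",
}


def false_positives():
    """Map each sample post to the fragment matched (None when the rule is quiet)."""
    return {name: sqli_match(text) for name, text in SAMPLE_POSTS.items()}


def locationmatch_hits(pattern: str, request_uri: str) -> bool:
    """Model an Apache <LocationMatch> regex: it is compared against the URL
    path only, the query string is dropped first, so a pattern that relies on
    'name=Forums&file=posting' can never match (<Location> uses shell-style
    wildcards instead of a regex, but equally sees only the path)."""
    path_only = request_uri.split("?", 1)[0]
    return re.match(pattern, path_only) is not None


def request_uri_filter_hits(pattern: str, request_uri: str) -> bool:
    """Model a SecFilterSelective REQUEST_URI "..." rule, assumed here to see
    the query string too, so it can key on the forum's posting URL."""
    return re.search(pattern, request_uri) is not None
```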