Re: [mod-security-users] [mod-security-user] script does not execute
From: Tom A. <tan...@oa...> - 2007-06-04 19:52:42
Note that this is Windows XP. How does mod_security "exec" on Windows? I don't think the shebang line means anything on Windows.

My question would be, why are you running Apache, ModSecurity, and Perl on Windows in the first place? You already have the whole open-source application package, so why not use the more stable, secure, and reliable operating system to match? Didn't want to make this a political thing, but you're just asking for trouble IMHO running these applications on Windows instead of Linux or *BSD.

Tom

Brian Rectanus wrote:
> gyo...@hi... wrote:
>> hi all,
>>
>> I can't execute perl script using SecFilter.
>> OS is Windows XP, Apache is 2.2.4, ModSecurity is 1.9.4, Perl is 5.8.
>>
>> Please help me figure this problem out.
>>
>> My rule is like this,
>> *******************************
>> SecFilter "exec" "log,exec:C:/Gnu/Apache2.2/cgi-bin/printenv.pl"
>>
>> *******************************
>>
>> My perl script is like this,
>>
>> ******************************************
>>
>> open OUTPUT, ">output.txt";
>> foreach $var (sort(keys(%ENV))) {
>>     $val = $ENV{$var};
>>     $val =~ s|\n|\\n|g;
>>     $val =~ s|"|\\"|g;
>>     print "${var}=\"${val}\"\n";
>>     #for modsecurity test
>>     print OUTPUT "${var}=\"${val}\"\n";
>> }
>> close OUTPUT;
>>
>> *******************************************
>>
>> And the DEBUG LOG is like below,
>> ***************************************
>> [04/Jun/2007:13:16:39 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][2] Detection phase starting (request 2e36410): "POST /SecurityTest.html HTTP/1.1"
>> [04/Jun/2007:13:16:39 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][9] Stored msr (2e3bb60) in r (2e36410)
>> [04/Jun/2007:13:16:39 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Normalised REQUEST_URI: "/SecurityTest.html"
>> [04/Jun/2007:13:16:39 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][2] Parsing arguments...
>> [04/Jun/2007:13:16:39 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][3] Content-Type is "application/x-www-form-urlencoded"
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][5] read_post_payload: read 48 bytes
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][3] Parsing variables from POST payload
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Adding parameter: "hidRoute"="exec"
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Adding parameter: "img"="chain"
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Adding parameter: "filepath"=""
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Adding parameter: "dig"="skipnext\r\n"
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Time #1: 843750 usec
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][2] Checking signature "exec" at REQUEST_URI
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Checking against "/SecurityTest.html"
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][9] Check took 0 usec
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][2] Checking signature "exec" at POST_PAYLOAD
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Checking against "hidRoute=exec&img=chain&filepath=&dig=skipnext\r\n"
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][9] Check took 0 usec
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][1] Access denied with code 403. Pattern match "exec" at POST_PAYLOAD [severity "EMERGENCY"]
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][1] Executing command "C:/Gnu/Apache2.2/cgi-bin/printenv.pl"
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][1] Failed to execute: "C:/Gnu/Apache2.2/cgi-bin/printenv.pl" (rc=720193)
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][9] Signature check returned 403
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][9] Rule match, returning code 403
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] Time #2: 1046875 usec
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] sec_filter_in: start: inputmode=0, readtype=0, nBytes=8192
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] sec_filter_in: Sent 48 bytes (48 total)
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] sec_filter_in: Sent EOS bucket
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][2] Logging phase starting
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][9] Found msr (2e3bb60) in r (2e36410)
>> [04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][4] sec_audit_logger_concurrent: Starting
>>
>> ****************************************************
>
> Check the registration of the perl interpreter for *.pl files. Perhaps
> you need the shebang (#! ...) on the first line telling where the perl
> interpreter is?
>
> -B
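
Added example, not part of the original thread and not ModSecurity's own code: a Python triage script that pulls "Failed to execute" records out of a ModSecurity 1.9.x debug log and decodes the rc value. APR reports native OS errors as 720000 plus the OS code, so rc=720193 is Windows error 193 (ERROR_BAD_EXE_FORMAT), which fits the point above about the shebang; the function names and the short error table are assumptions of this example.

```python
import re

# apr_errno.h: native OS errors are offset into APR's status space by this value.
APR_OS_START_SYSERR = 720000

# Hand-picked subset of Windows system error codes seen when process creation
# fails (assumption of this example, not an exhaustive table).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    193: "ERROR_BAD_EXE_FORMAT",  # "is not a valid Win32 application"
}

# Shape of the ModSecurity 1.9.x debug-log record quoted in the thread.
FAILED_EXEC = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s*\[(?P<host>[^/\]]+)/sid#[0-9a-f]+\]'
    r'\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\]\s+'
    r'Failed to execute: "(?P<cmd>[^"]+)" \(rc=(?P<rc>\d+)\)'
)

def decode_rc(rc):
    """Split an APR status into (os_error, name); os_error is None if not OS-derived."""
    if rc >= APR_OS_START_SYSERR:
        code = rc - APR_OS_START_SYSERR
        return code, WIN32_ERRORS.get(code, "unlisted OS error")
    return None, "APR status outside the OS-error range"

def failed_execs(lines):
    """Return one dict per 'Failed to execute' record found in debug-log lines."""
    hits = []
    for line in lines:
        m = FAILED_EXEC.match(line.strip())
        if m is None:
            continue
        code, name = decode_rc(int(m["rc"]))
        hits.append({"time": m["ts"], "rid": m["rid"], "uri": m["uri"],
                     "command": m["cmd"], "rc": int(m["rc"]),
                     "os_error": code, "name": name})
    return hits

# Three records copied from the debug log in the post above.
SAMPLE = [
    '[04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][1] Executing command "C:/Gnu/Apache2.2/cgi-bin/printenv.pl"',
    '[04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][1] Failed to execute: "C:/Gnu/Apache2.2/cgi-bin/printenv.pl" (rc=720193)',
    '[04/Jun/2007:13:16:40 +0900] [localhost/sid#3dc320][rid#2e36410][/SecurityTest.html][9] Signature check returned 403',
]

if __name__ == "__main__":
    for hit in failed_execs(SAMPLE):
        print(hit)
```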